If you’ve updated to MacOS High Sierra (OSX 10.13), this is not good news. Although Apple released a bug fix, it should really give security conscious users some pause.
There are some good overviews of how to harden MacOS/OSX, but I haven’t seen an updated guide that specifically addresses this latest problem (researchers just haven’t had time to investigate the underlying problems and the full extent of what Apple changed and what is affected. Despite that gap, reviewing a hardening guide and applying relevant procedures is still a good practice. Here’s a couple references to get you started.
Additionally, here’s a link to a good description of the root account security bug and a manual procedure which hardens the system against this problem. Conversations in the SecKC community and other security community confirmed the vulnerability and confirmed this manual config appears to address the problem.
Unfortunately this manual approach probably isn’t for most home/casual consumer users. It requires using the Terminal and some advanced features most users never interact with. And it introduces a security configuration which would probably complicate future updates and changes for many people.
Bottom line. Apple really messed up.
So what should you do? If you’re a security conscious person with system administrator skills, you should spend the time it takes to harden your system (and test that hardening). If your not a sys admin, update update update. And keep checking for more updates over the next days and weeks.
Previously I described using “dscacheutil -cachedump” as a means of flushing your local cache and forcing OS X to query your configured DNS servers.
I’ve since learned the combination of “sudo killall -INFO mDNSResponder” and “sudo killall -HUP mDNSResponder” are a better solution for clearing out the DNS cache on Mac OS X 10.7 Lion.
Since Snow Leopard, Apple has made additional changes to their DNS processes and the previous suggestion no longer works for most OS X Lion users. Some of us who upgraded over previous installations may still having a working version of this utility; or it may still be present, but do nothing at all.
The mDNSResponder system process handles DNS related task in OS X, and there are two terminal commands which can be useful regarding the status of your DNS cache.
The first command, “sudo killall -INFO mDNSResponder” sends a SIGINFO signal to the process. This will cause the process to dump a snapshot summary of the internal state to /var/log/system.log.
The second command, “sudo killall -HUP mDNSResponder” sends a SIGHUP signal to the process. This will cause the process to purge its cache. Upon successful completion, /var/log/system.log will be sent the message, “PM mDNSResponder: SIGHUP: Purge cache”
The “-INFO” command is quite verbose and provides a way of confirming the contents of your DNS cache before and after the purge.
- The mDNSResponder first appeared in Mac OS X 10.2 (Jaguar) and has provided features for MultiCast DNS and Bounjour.
- dns-sd appeared in OS X 10.4 (Tiger) and provides a Library API for applications to interact with the mDNSResponder process. Some command line options are available, but the command line arguments are still subject to change and should not be relied upon for permanent shell scripts.
- The command line “scutil –dns” will display your current OS X 10.7 DNS configuration.