Apple misses mark on DNS patch

Security researchers are claiming that Apple has failed to fully patch the high profile DNS cache poisoning error.

The company issued the patch last week as part of a larger security update. The so-called Kaminsky flaw (named after its discoverer, Dan Kaminsky) has sent vendors scrambling to patch what is said to be a fundamental vulnerability in the DNS system.

According to Andrew Storms, director of security operations for network security firm nCircle, Apple's patch doesn't quite do the job. Storms found that the update doesn't force source port randomisation for client libraries, an essential fix for preventing the spooking attack.

Storms said that while the server component of the error is fixed, client machines remain vulnerable.

"For Apple, it matters most that they patch the client libraries since there are so few OSX recursive servers in use," he noted.

"The bottom line is that despite this update, it appears that the client libraries still aren't patched."

Storms was not the only person to note Apple's oversight. Sans researcher Swa Frantzen also noticed the flaw. Frantzen pointed out that a fully patched Leopard system still uses incrementing ports, making port selection predictable and allowing an attacker to still perform the cache-poisoning exploit.

"So Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," said Frantzen.

See also:

Firefox gets security tune-up

Flaws patched for versions 2 and 3  18 Jul 2008

Microsoft reissues June security fix

Redmond takes second crack at Bluetooth flaw  21 Jun 2008

Twin Trojans attack Macs

Malware spotted in the wild  21 Jun 2008

Apple issues Safari for Windows update

3.1.2 update addresses four security vulnerabilities  20 Jun 2008

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!