Apple's patch fails to fix DNS flaw, researchers claim
Mac OS X clients still at risk, situation on servers unknown
The DNS patch, however, didn't actually patch anything, at least on the client side of the aisle, researchers said today.
"The difficult news this morning is that we thought we were getting a patch, but we haven't gotten anything," said Andrew Storms, director of security operations at nCircle Network Security Inc.
Storms' tests confirmed that even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomizing them, as should have been the case if the fix had addressed the flaw.
That's not good. Last week, after speculation about the DNS vulnerability essentially confirmed its technical details, exploit code appeared. This week, attacks began against unpatched DNS servers, with at least one confirmed case reported.
"Essentially, we're at the same place as we were yesterday before Apple released the patch," Storms said.
Another researcher, Swa Frantzen of the SANS Institute's Internet Storm Center, reported the same findings earlier today in an alert posted to the ISC site. "So Apple might have fixed some of the more important parts for servers, but is far from done yet, as all the clients linked against a DNS client library still need to get the work-around for the protocol weakness," Frantzen said.
Later today, Storms posted test results that compared source port randomization of a patched FreeBSD machine with a just-updated Mac. The former randomized the source ports, the comparison showed, but the Mac did not. "It appears that Apple forgot something," Storms said.
Neither Storms nor Frantzen was able to test a patched version of Mac OS X Server to verify whether the update fixed the problem on servers running Apple's operating system.
Apple integrates BIND (Berkeley Internet Name Domain), the popular open-source DNS software maintained by the Internet Software Consortium, into its operating system. In the security advisory that accompanied Thursday's update, Apple spelled out what versions of BIND it used to patch both Mac OS X 10.4 (Tiger) and Mac OS X 1.5 (Leopard), and claimed that the fix randomized source ports.
"This update addresses the issue by implementing source port randomization to improve resilience against cache-poisoning attacks," Apple said. "For Mac OS X v10.4.11 systems, BIND is updated to Version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to Version 9.4.2-P1."
Both versions were first released on July 8. Dan Kaminsky, the researcher who uncovered the flaw in February, had helped organize a multivendor patch effort that kicked off that day when the consortium and others, including Microsoft Corp. and Cisco Systems Inc., issued fixes.
Apple, however, did not patch then. This week, it was criticized for its sluggish response.
Storms wasn't sure what happened on Apple's end to produce the nonpatch patch, but he took a stab at the possibilities. "Is Apple modifying the BIND distributions from ISC, and somehow didn't realize this repercussion? Or is there some kind of configuration file that they forgot to change? It must be one of those two," he said.
Storms also said he rechecked nCircle's DNS servers running BIND, just to make sure that the patches he had deployed weeks ago really randomized the source ports. They did. "If you take the BIND distribution from ISC and patch your system on a Linux box, you're patched," he said. "I don't know what happened to Apple's."
Apple did not immediately respond to questions about the DSN patch.
The security update, dubbed 2008-005, also plugged 16 other holes in Mac OS X, including one in Remote Desktop Agent (ARDAgent), part of the operating system's Remote Management component. The ARDAgent vulnerability was remarkable because it had been exploited by an in-the-wild Trojan horse reported six weeks ago.
Security Update 2008-005 can be downloaded from the Apple site, or installed using Mac OS X's integrated update service. The update weighs in between 65MB and 180MB, depending on the version of Mac OS X to be patched.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!