Apple's patch fails to fix DNS flaw, researchers claim
Mac OS X clients still at risk, situation on servers unknown
The DNS patch, however, didn't actually patch anything, at least on the client side of the aisle, researchers said today.
"The difficult news this morning is that we thought we were getting a patch, but we haven't gotten anything," said Andrew Storms, director of security operations at nCircle Network Security Inc.
Storms' tests confirmed that even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomizing them, as should have been the case if the fix had addressed the flaw.
That's not good. Last week, after speculation about the DNS vulnerability essentially confirmed its technical details, exploit code appeared. This week, attacks began against unpatched DNS servers, with at least one confirmed case reported.
"Essentially, we're at the same place as we were yesterday before Apple released the patch," Storms said.
Another researcher, Swa Frantzen of the SANS Institute's Internet Storm Center, reported the same findings earlier today in an alert posted to the ISC site. "So Apple might have fixed some of the more important parts for servers, but is far from done yet, as all the clients linked against a DNS client library still need to get the work-around for the protocol weakness," Frantzen said.
Later today, Storms posted test results that compared source port randomization of a patched FreeBSD machine with a just-updated Mac. The former randomized the source ports, the comparison showed, but the Mac did not. "It appears that Apple forgot something," Storms said.
Neither Storms nor Frantzen was able to test a patched version of Mac OS X Server to verify whether the update fixed the problem on servers running Apple's operating system.
Apple integrates BIND (Berkeley Internet Name Domain), the popular open-source DNS software maintained by the Internet Software Consortium, into its operating system. In the security advisory that accompanied Thursday's update, Apple spelled out what versions of BIND it used to patch both Mac OS X 10.4 (Tiger) and Mac OS X 1.5 (Leopard), and claimed that the fix randomized source ports.
"This update addresses the issue by implementing source port randomization to improve resilience against cache-poisoning attacks," Apple said. "For Mac OS X v10.4.11 systems, BIND is updated to Version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to Version 9.4.2-P1."
Both versions were first released on July 8. Dan Kaminsky, the researcher who uncovered the flaw in February, had helped organize a multivendor patch effort that kicked off that day when the consortium and others, including Microsoft Corp. and Cisco Systems Inc., issued fixes.
Apple, however, did not patch then. This week, it was criticized for its sluggish response.
Storms wasn't sure what happened on Apple's end to produce the nonpatch patch, but he took a stab at the possibilities. "Is Apple modifying the BIND distributions from ISC, and somehow didn't realize this repercussion? Or is there some kind of configuration file that they forgot to change? It must be one of those two," he said.
Storms also said he rechecked nCircle's DNS servers running BIND, just to make sure that the patches he had deployed weeks ago really randomized the source ports. They did. "If you take the BIND distribution from ISC and patch your system on a Linux box, you're patched," he said. "I don't know what happened to Apple's."
Apple did not immediately respond to questions about the DSN patch.
The security update, dubbed 2008-005, also plugged 16 other holes in Mac OS X, including one in Remote Desktop Agent (ARDAgent), part of the operating system's Remote Management component. The ARDAgent vulnerability was remarkable because it had been exploited by an in-the-wild Trojan horse reported six weeks ago.
Security Update 2008-005 can be downloaded from the Apple site, or installed using Mac OS X's integrated update service. The update weighs in between 65MB and 180MB, depending on the version of Mac OS X to be patched.
Read more about Security in Computerworld's Security Topic Center.
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!