Apple's patch fails to fix DNS flaw, researchers claim
Mac OS X clients still at risk, situation on servers unknown
The DNS patch, however, didn't actually patch anything, at least on the client side of the aisle, researchers said today.
"The difficult news this morning is that we thought we were getting a patch, but we haven't gotten anything," said Andrew Storms, director of security operations at nCircle Network Security Inc.
Storms' tests confirmed that even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomizing them, as should have been the case if the fix had addressed the flaw.
That's not good. Last week, after speculation about the DNS vulnerability essentially confirmed its technical details, exploit code appeared. This week, attacks began against unpatched DNS servers, with at least one confirmed case reported.
"Essentially, we're at the same place as we were yesterday before Apple released the patch," Storms said.
Another researcher, Swa Frantzen of the SANS Institute's Internet Storm Center, reported the same findings earlier today in an alert posted to the ISC site. "So Apple might have fixed some of the more important parts for servers, but is far from done yet, as all the clients linked against a DNS client library still need to get the work-around for the protocol weakness," Frantzen said.
Later today, Storms posted test results that compared source port randomization of a patched FreeBSD machine with a just-updated Mac. The former randomized the source ports, the comparison showed, but the Mac did not. "It appears that Apple forgot something," Storms said.
Neither Storms nor Frantzen was able to test a patched version of Mac OS X Server to verify whether the update fixed the problem on servers running Apple's operating system.
Apple integrates BIND (Berkeley Internet Name Domain), the popular open-source DNS software maintained by the Internet Software Consortium, into its operating system. In the security advisory that accompanied Thursday's update, Apple spelled out what versions of BIND it used to patch both Mac OS X 10.4 (Tiger) and Mac OS X 1.5 (Leopard), and claimed that the fix randomized source ports.
"This update addresses the issue by implementing source port randomization to improve resilience against cache-poisoning attacks," Apple said. "For Mac OS X v10.4.11 systems, BIND is updated to Version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to Version 9.4.2-P1."
Both versions were first released on July 8. Dan Kaminsky, the researcher who uncovered the flaw in February, had helped organize a multivendor patch effort that kicked off that day when the consortium and others, including Microsoft Corp. and Cisco Systems Inc., issued fixes.
Apple, however, did not patch then. This week, it was criticized for its sluggish response.
Storms wasn't sure what happened on Apple's end to produce the nonpatch patch, but he took a stab at the possibilities. "Is Apple modifying the BIND distributions from ISC, and somehow didn't realize this repercussion? Or is there some kind of configuration file that they forgot to change? It must be one of those two," he said.
Storms also said he rechecked nCircle's DNS servers running BIND, just to make sure that the patches he had deployed weeks ago really randomized the source ports. They did. "If you take the BIND distribution from ISC and patch your system on a Linux box, you're patched," he said. "I don't know what happened to Apple's."
Apple did not immediately respond to questions about the DSN patch.
The security update, dubbed 2008-005, also plugged 16 other holes in Mac OS X, including one in Remote Desktop Agent (ARDAgent), part of the operating system's Remote Management component. The ARDAgent vulnerability was remarkable because it had been exploited by an in-the-wild Trojan horse reported six weeks ago.
Security Update 2008-005 can be downloaded from the Apple site, or installed using Mac OS X's integrated update service. The update weighs in between 65MB and 180MB, depending on the version of Mac OS X to be patched.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts