Apple's patch fails to fix DNS flaw, researchers claim

Computerworld - Apple Inc. issued patches for 17 vulnerabilities in Mac OS X yesterday, including one meant to fix a critical bug in the Internet's traffic cop, the Domain Name System (DNS).

The DNS patch, however, didn't actually patch anything, at least on the client side of the aisle, researchers said today.

"The difficult news this morning is that we thought we were getting a patch, but we haven't gotten anything," said Andrew Storms, director of security operations at nCircle Network Security Inc.

Storms' tests confirmed that even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomizing them, as should have been the case if the fix had addressed the flaw.

That's not good. Last week, after speculation about the DNS vulnerability essentially confirmed its technical details, exploit code appeared. This week, attacks began against unpatched DNS servers, with at least one confirmed case reported.

"Essentially, we're at the same place as we were yesterday before Apple released the patch," Storms said.

Another researcher, Swa Frantzen of the SANS Institute's Internet Storm Center, reported the same findings earlier today in an alert posted to the ISC site. "So Apple might have fixed some of the more important parts for servers, but is far from done yet, as all the clients linked against a DNS client library still need to get the work-around for the protocol weakness," Frantzen said.

Later today, Storms posted test results that compared source port randomization of a patched FreeBSD machine with a just-updated Mac. The former randomized the source ports, the comparison showed, but the Mac did not. "It appears that Apple forgot something," Storms said.

Neither Storms nor Frantzen was able to test a patched version of Mac OS X Server to verify whether the update fixed the problem on servers running Apple's operating system.

Apple integrates BIND (Berkeley Internet Name Domain), the popular open-source DNS software maintained by the Internet Software Consortium, into its operating system. In the security advisory that accompanied Thursday's update, Apple spelled out what versions of BIND it used to patch both Mac OS X 10.4 (Tiger) and Mac OS X 1.5 (Leopard), and claimed that the fix randomized source ports.

"This update addresses the issue by implementing source port randomization to improve resilience against cache-poisoning attacks," Apple said. "For Mac OS X v10.4.11 systems, BIND is updated to Version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to Version 9.4.2-P1."

Both versions were first released on July 8. Dan Kaminsky, the researcher who uncovered the flaw in February, had helped organize a multivendor patch effort that kicked off that day when the consortium and others, including Microsoft Corp. and Cisco Systems Inc., issued fixes.

Apple, however, did not patch then. This week, it was criticized for its sluggish response.

Storms wasn't sure what happened on Apple's end to produce the nonpatch patch, but he took a stab at the possibilities. "Is Apple modifying the BIND distributions from ISC, and somehow didn't realize this repercussion? Or is there some kind of configuration file that they forgot to change? It must be one of those two," he said.

Storms also said he rechecked nCircle's DNS servers running BIND, just to make sure that the patches he had deployed weeks ago really randomized the source ports. They did. "If you take the BIND distribution from ISC and patch your system on a Linux box, you're patched," he said. "I don't know what happened to Apple's."

Apple did not immediately respond to questions about the DSN patch.

The security update, dubbed 2008-005, also plugged 16 other holes in Mac OS X, including one in Remote Desktop Agent (ARDAgent), part of the operating system's Remote Management component. The ARDAgent vulnerability was remarkable because it had been exploited by an in-the-wild Trojan horse reported six weeks ago.

Security Update 2008-005 can be downloaded from the Apple site, or installed using Mac OS X's integrated update service. The update weighs in between 65MB and 180MB, depending on the version of Mac OS X to be patched.