Apple finally rolled out a software update to fix the much-heralded Domain Name System (DNS) security flaw, but it seems the celebration may have been premature.
The Cupertino, Calif.-based vendor rolled out Security Update 2008-005, a fix that Apple said plugs several security holes, including its implementation of the BIND (Berkeley Internet Name Domain) server, which left users of its Mac OS X operating system susceptible to the DNS flaw disclosed earlier this month.
However, several security researchers Friday said Apple's DNS patch doesn't actually fix the problem and that Mac users are still at risk.
"Did Apple forget to patch something? By the look of things, the DNS client on the OSX 10.4.11 distribution still has not been patched," said security researcher Andrew Storms, director of security operations at Ncircle Network Security, in a blog post.
Apple's update was supposed to introduce port randomization to help block cache poisoning attacks, a threat exposed by the DNS flaw. But even after installing the patch, Storms said his system still was not randomizing the source port.
"The bottom line is that despite this update, it appears that the client libraries still aren't patched," Storms said.
Another security researcher, Swa Frantzen of the SANS Institute, found the same problem with Apple's software patch.
"So Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," Frantzen said in a blog post.
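The check both researchers describe, whether a client's outgoing DNS queries keep using the same or a predictable source port after the update, can be scripted against a packet capture. The following is an added example, not code from the article or from the researchers quoted; it works on constructed lists of observed UDP source ports (which in practice would come from a capture of queries to port 53), and the 0.9 uniqueness and 0.2 predictable-step thresholds are assumptions.

```python
"""Check whether observed DNS query source ports look randomized (constructed example)."""
from collections import Counter
import math

def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits."""
    counts = Counter(ports)
    total = len(ports)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def assess_source_ports(ports):
    """Classify a capture of query source ports as randomized or not.

    A fixed port or an incrementing counter is the pre-fix behaviour that
    makes cache-poisoning guesses cheap; a randomized resolver shows mostly
    unique, non-consecutive ports.
    """
    if len(ports) < 8:
        raise ValueError("need at least 8 observed queries for a verdict")
    unique_ratio = len(set(ports)) / len(ports)
    steps = [b - a for a, b in zip(ports, ports[1:])]
    # Consecutive queries whose ports differ by 0 or 1 are the tell-tale
    # pattern of a fixed or incrementing source port.
    predictable_steps = sum(1 for s in steps if s in (0, 1)) / len(steps)
    verdict = ("randomized"
               if unique_ratio >= 0.9 and predictable_steps <= 0.2
               else "not randomized")
    return {
        "unique_ratio": round(unique_ratio, 3),
        "predictable_steps": round(predictable_steps, 3),
        "entropy_bits": round(port_entropy_bits(ports), 2),
        "verdict": verdict,
    }

# Constructed captures standing in for the UDP source ports of outgoing
# queries to port 53 taken from a packet capture; not the researchers' data.
FIXED_PORT = [49152] * 16                    # one socket, one port
SEQUENTIAL = list(range(49152, 49152 + 16))  # incrementing counter
RANDOMIZED = [41237, 7831, 59902, 23144, 61008, 3490, 17765, 52231,
              29877, 44120, 10583, 63319, 36648, 2215, 49012, 55870]

if __name__ == "__main__":
    for name, capture in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                          ("randomized", RANDOMIZED)):
        print(name, assess_source_ports(capture))
```

A "not randomized" verdict on a client that has applied the update is the symptom Storms reported: the server side may be patched while the resolver library used by applications is not.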
The DNS problem was discovered by security researcher Dan Kaminsky, who planned to disclose the threat at next week's Black Hat USA 2008 in Las Vegas. But two researchers last week leaked details of the flaw and how to exploit it, leaving equipment from several vendors open to attack.
Several vendors moved immediately to issue patches that addressed the flaw, but Apple held back, drawing criticism for its slow response.