Apple DNS Security Patch Flawed, Leaves Users At Risk


By Jennifer Hagendorf Follett, ChannelWeb
1:10 AM EDT Sat. Aug. 02, 2008
Apple finally rolled out a software update to fix the much-heralded Domain Name System (DNS) security flaw, but it seems the celebration may have been premature.

The Cupertino, Calif.-based vendor rolled out Security Update 2008-005, a fix that Apple said plugs several security holes, including one in its implementation of the BIND (Berkeley Internet Name Domain) server that left users of its Mac OS X operating system susceptible to the DNS flaw disclosed earlier this month.

However, several security researchers Friday said Apple's DNS patch doesn't actually fix the problem and that Mac users are still at risk.

"Did Apple forget to patch something? By the look of things, the DNS client on the OSX 10.4.11 distribution still has not been patched," said security researcher Andrew Storms, director of security operations at nCircle Network Security, in a blog post.

Apple's update was supposed to introduce port randomization to help block cache poisoning attacks, a threat exposed by the DNS flaw. But even after installing the patch, Storms said his system still was not randomizing the source port.

"The bottom line is that despite this update, it appears that the client libraries still aren't patched," Storms said.

Another security researcher, Swa Frantzen of the SANS Institute, found the same problem with Apple's software patch.

"So Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," Frantzen said in a blog post.
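A check of the kind the researchers describe can be run on any client by capturing its outbound DNS queries and looking at the UDP source ports. The script below is an added example, not code from the article or from either researcher: it assumes `tcpdump -n` text output, uses documentation IP addresses and constructed sample ports, and its thresholds are illustrative assumptions. It goes slightly beyond the article by separating a fixed port from a merely incrementing one.

```python
import re

# tcpdump -n text line for an outbound query: "<time> IP <src>.<sport> > <dst>.53: ..."
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")

def source_ports(lines, client_ip):
    """Return the UDP source ports of DNS queries sent by client_ip, in order."""
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group(1) == client_ip:
            ports.append(int(m.group(2)))
    return ports

def classify(ports, min_samples=10):
    """Heuristic verdict; thresholds are assumptions chosen for this example."""
    if len(ports) < min_samples:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "fixed"                      # same port on every query
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if sum(0 < d <= 16 for d in deltas) / len(deltas) >= 0.9:
        return "incremental"                # port just counts upward
    spread = max(ports) - min(ports)
    if len(set(ports)) / len(ports) >= 0.9 and spread >= 4096:
        return "randomized"
    return "weak"                           # small pool or narrow range

def make_capture(ports, client_ip="192.0.2.10"):
    """Build constructed tcpdump-style lines (documentation addresses only)."""
    return [
        f"12:00:{i:02d}.000000 IP {client_ip}.{p} > 198.51.100.53.53: "
        f"{1000 + i}+ A? example.com. (29)"
        for i, p in enumerate(ports)
    ]

# Constructed samples, not taken from any real capture.
SAMPLES = {
    "fixed": [49152] * 12,
    "incremental": list(range(49152, 49164)),
    "randomized": [51234, 1837, 60211, 33012, 45870, 12999,
                   58231, 2750, 40117, 64002, 19456, 37781],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        seen = source_ports(make_capture(ports), "192.0.2.10")
        print(name, "->", classify(seen))
```

A "fixed" or "incremental" verdict after patching means the client resolver path is still predictable, which is the condition both researchers reported.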

The DNS problem was discovered by security researcher Dan Kaminsky, who planned to disclose the threat at next week's Black Hat USA 2008 in Las Vegas. But two researchers last week leaked details of the flaw and how to exploit it, leaving equipment from several vendors open to attack.

Several vendors moved immediately to issue patches that addressed the flaw, but Apple held back, drawing criticism for its slow response.

