Saturday, August 2, 2008

Apple DNS Security Patch Flawed, Leaves Users At Risk

Apple (NSDQ:AAPL) finally rolled out a software update to fix the much-heralded Domain Name System (DNS) security flaw, but it seems the celebration may have been premature.

The Cupertino, Calif.-based vendor rolled out Security Update 2008-005,
a fix that Apple said plugs several security holes, including its
implementation of the BIND (Berkeley Internet Name Domain) server,
which left users of its Mac OS X operating system susceptible to the DNS flaw disclosed earlier this month.

However, several security researchers Friday said Apple's DNS patch doesn't actually fix the problem and that Mac users are still at risk.

"Did Apple forget to patch something? By the look of things, the DNS
client on the OSX 10.4.11 distribution still has not been patched,"
said security researcher Andrew Storms, director of security operations
at Ncircle Network Security, in a blog post.

Apple's update was supposed to introduce port randomization to help block cache
poisoning attacks, a threat exposed by the DNS flaw. But even after
installing the patch, Storms said his system still was not randomizing
the source port.

"The bottom line is that despite this update, it appears that the client libraries still aren't patched," Storms said.

Another security researcher, Swa Frantzen of the SANS Institute found the same problem with Apple's software patch.

"So Apple might have fixed some of the more important parts for
servers, but is far from done yet as all the clients linked against a
DNS client library still need to get the workaround for the protocol weakness," Frantzen said in a blog post.

The DNS problem was discovered by security researcher Dan Kaminsky, who
planned to disclose the threat at next week's Black Hat USA 2008 in Las
Vegas. But two researchers last week leaked details of the flaw and how
to exploit it, leaving equipment from several vendors open to attack.

Several vendors moved immediately to issue patches that addressed the
flaw, but Apple held back, drawing criticism for its slow response.

From :