ZDNetAsia : Printer Friendly - Apple patch fails to address DNS flaw, say experts

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Asia.
--------------------------------------------------------------

Apple patch fails to address DNS flaw, say experts

By Tom Espiner
Tuesday, August 05 2008 07:01 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,62044519,00.htm

Apple's Domain Name System patch for Mac OS X systems is not completely effective, according to security experts.

The patch was brought out by Apple on Friday for its Tiger and Leopard operating systems, to address a critical Domain Name System (DNS) flaw that could let attackers secretly redirect browsers to malicious sites. The vulnerability, which was made public by security researcher Dan Kaminsky, affects software from multiple vendors.

However, although the Apple patch works for OS X servers, it fails to randomize source ports for OS X client libraries, according to security vendor nCircle.

"The current countermeasure to this DNS cache poisoning vulnerability is to introduce increased entropy by forcing randomization of the query ID and the source port. Essentially, making it all the more difficult to spoof the DNS response," nCircle's director of security operations, Andrew Storms, wrote in a blog. "However, it appears that Apple forgot something. The client libraries on my OS X 10.4.11 system, post patch install, still does not randomize the source port."

While the patch is effective for OS X servers, Storms wrote on Friday that it is more important for Apple to patch client libraries, as there are "so few OS X recursive servers in use".

"The bottom line is that, despite this update, it appears that the client libraries still aren't patched," Storms added.

Security experts from security training organization the Sans Institute also criticized Apple's DNS patch. Sans Institute incident handler Swa Frantzen wrote on Friday that, following the patch, OS X 10.5.4 was still using incremental ports. This meant workarounds would have to be applied.

"Apple might have fixed some of the more important parts for servers but is far from done yet, as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," Frantzen wrote.

An Apple representative was not able to immediately comment on the issue on Monday.

Meanwhile, some networking vendors have reported that their products that strip out port randomization could interfere with DNS fixes from other software vendors that rely on this method. Cisco wrote in an advisory last week that various Cisco products would negate port-randomization patches by some third parties.

"In these cases, the network device performing PAT [port address translation] uses a predictable source-port allocation policy, such as incremental allocation, when performing the layer 4 rewrite operation that is necessary for PAT," stated the advisory.

According to a U.S.-CERT advisory regarding the DNS vulnerability, firewalls from Juniper Networks could also be affected.