Did Apple forget to patch something?

Less than 24 hours after Apple (belatedly) released a patch for the DNS cache poisoning vulnerability, there are reports circulating that the DNS client on the OSX 10.4.11 distribution still has not been patched.

According to nCircle's Andrew Storms, the client libraries on a fully patched OSX 10.4.11 system still does not implement source port randomization, which is the recommended to help improve resilience against DNS cache poisoning attacks.

Storms provided a comparison between a patched FreeBSD 6.3 system and a patched OSX 10.4.11 system:

FreeBSD 6.3

•     08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
•     08:50:02.708123 [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
•     08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)

OSX 10.4.11

•     08:05:47.741385 IP [OSX].49193 >[SERVER].domain: 55613+ A? www.cnn.com. (29)
•     08:05:48.207547 IP [OSX].49194 >[SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
•     08:05:51.717245 IP [OSX].49195 >[SERVER].domain: 27650+ A? www.cnn.com. (29)

This clearly shows no source port randomization happening on OS X 10.4.11.

For Apple, it matters most that they patch the client libraries since there are so few OSX recursive servers in use. The bottom line is that despite this update, it appears that the client libraries still aren't patched.

Apple does not respond to media queries about security issues.

ALSO SEE:

* Microsoft joins ‘patch DNS now’ chant; Apple patch missing

* Vulnerability disclosure gone awry: Understanding the DNS debacle