Apple DNS patch not complete

Apple's Domain Name System patch for Mac OS X systems is not completely effective, according to security experts.
Written by Tom Espiner, Contributor

Apple's domain name system patch for Mac OS X systems is not completely effective, according to security experts.

The patch was brought out by Apple last week for its Tiger and Leopard operating systems, to address a critical DNS flaw that could let attackers secretly redirect browsers to malicious sites. The vulnerability, which was made public by security researcher Dan Kaminsky, affects software from multiple vendors.

However, although the Apple patch works for OS X servers, it fails to randomise source ports for OS X client libraries, according to security vendor nCircle.

"The current countermeasure to this DNS cache poisoning vulnerability is to introduce increased entropy by forcing randomisation of the query ID and the source port. Essentially, making it all the more difficult to spoof the DNS response," nCircle's director of security operations, Andrew Storms, wrote in a blog. "However, it appears that Apple forgot something. The client libraries on my OS X 10.4.11 system, post patch install, still does not randomise the source port."

While the patch was effective for OS X servers, Storms wrote that it was more important for Apple to patch client libraries, as there were "so few OS X recursive servers in use."

"The bottom line is that, despite this update, it appears that the client libraries still aren't patched," Storms added.

Security experts from security training organisation the Sans Institute also criticised Apple's DNS patch. Sans Institute incident handler Swa Frantzen wrote on Friday that, following the patch, OS X 10.5.4 was still using incremental ports. This meant workarounds would have to be applied.

"Apple might have fixed some of the more important parts for servers but is far from done yet, as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," Frantzen wrote.

An Apple representative was not able to immediately comment on the issue.

Meanwhile, some networking vendors have reported that their products that strip out port randomisation could interfere with DNS fixes from other software vendors that rely on this method. Cisco wrote in an advisory last week that various Cisco products would negate port-randomisation patches by some third parties.

"In these cases, the network device performing PAT [port address translation] uses a predictable source-port allocation policy, such as incremental allocation, when performing the layer 4 rewrite operation that is necessary for PAT," stated the advisory.

According to a US-CERT advisory regarding the DNS vulnerability, firewalls from Juniper Networks could also be affected.

Editorial standards