Apple Patches DNS Flaw…. What Took Them So Long? [UPDATED x2]

The much-talked-about DNS flaw in OS X is now patched. Apple released Security Update 2008-005 late last night and recommends it for the following systems:

Alternatively, you can grab this via Software Update.

It should be noted that this fixes a bunch of other security issues. You can read this for the 411. One key thing it does address is the ARDAgent.app exploit that I’ve talked about previously. My question is, why did it take so long given the severity of the DNS issue? Not to mention the ARDAgent.app issue, which is serious as well?

Given Apple’s level of secrecy, we’ll likely never know for sure. But at least the patch is finally out.

UPDATE: Reports have surfaced in multiple places that this patch for the DNS issue doesn’t implement one key feature: port randomization on requests. Mac OS X machines doggedly issue DNS requests on sequential ports, making them far more vulnerable to spoofing. No word from Apple on this, and you likely won’t hear anything, as they don’t respond to requests for comment on security issues. In any case, Apple might have dropped the ball this time and needs to fix this NOW if this is true.

UPDATE #2: This might be a non-issue. Here’s why, from Apple’s security advisory (I’ve bolded the key point):

“The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue.”

So, since BIND is not enabled on OS X clients, OS X might be secure with this patch. Can anybody confirm this?
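
One way to check the behaviour described in the first update, as an added example that is not from the original post or from Apple: take the UDP source ports of a host's consecutive outgoing DNS queries (for instance, read from a packet capture) and classify them as sequential or randomized. The function name, thresholds and sample port lists are assumptions constructed for illustration.

```python
"""Classify observed DNS query source ports (added example, not Apple's code)."""
from collections import Counter
from statistics import pstdev

# Thresholds below are illustrative assumptions, not taken from any standard tool.
MIN_SAMPLES = 10          # do not judge fewer observations than this
MAX_STEP = 16             # largest increment still treated as "counting upwards"
SEQUENTIAL_SHARE = 0.8    # share of deltas that must equal the dominant step
MIN_RANDOM_STDDEV = 3000  # spread expected from a wide random port range

# Constructed sample data: source ports of consecutive queries from one host.
SEQUENTIAL_SAMPLE = [49152, 49153, 49154, 49155, 49156, 49157,
                     49158, 49160, 49161, 49162, 49163, 49164]
RANDOM_SAMPLE = [51234, 1893, 40211, 60002, 12877, 33519,
                 7781, 58110, 22046, 45903, 16390, 29764]
NARROW_SAMPLE = [5000, 5013, 5002, 5040, 5007, 5029,
                 5011, 5033, 5004, 5021]


def classify_source_ports(ports):
    """Return 'insufficient-data', 'fixed', 'sequential', 'narrow-range' or 'randomized'."""
    if len(ports) < MIN_SAMPLES:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "fixed"  # every query leaves from the same port
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    # A dominant small positive step means the next source port is predictable,
    # even if another process occasionally takes a port in between.
    if 0 < step <= MAX_STEP and count / len(deltas) >= SEQUENTIAL_SHARE:
        return "sequential"
    if pstdev(ports) < MIN_RANDOM_STDDEV:
        return "narrow-range"  # ports vary, but only inside a small window
    return "randomized"


if __name__ == "__main__":
    for name, sample in [("sequential", SEQUENTIAL_SAMPLE),
                         ("random", RANDOM_SAMPLE),
                         ("narrow", NARROW_SAMPLE)]:
        print(name, "->", classify_source_ports(sample))
```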
