Stephen Withers
Monday, 04 August 2008 12:49
Opinion and Analysis
Page 1 of 2
Security Update 2008-005 for Mac OS X 10.4.11 and 10.5.4 includes a newer version of BIND to overcome the DNS poisoning flaw. But questions are being asked about whether the update really does protect against this issue.
Swa Frantzen of the SANS Internet Storm Center asserts that a patched installation of 10.5.4 still uses incrementing port numbers for DNS resolution, one of the characteristics that makes the attack feasible.
"Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," wrote Frantzen.
nCircle's Andrew Storms makes the same observation about 10.5.4.
"The current countermeasure to this DNS cache poisoning vulnerability is to introduce increased entropy by forcing randomization of the query ID and the source port," he wrote.
"Essentially, making it all the more difficult to spoof the DNS response. However, it appears that Apple forgot something. The client libraries on my OSX 10.4.11 system, post patch install, still do not randomize the source port."
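As an added illustration (not from the article or either researcher), a small Python check that estimates, from (transaction ID, source port) pairs pulled off a resolver's outbound DNS queries, whether the ports and IDs are incrementing or randomized; the query samples below are constructed, not real captures.

```python
"""Added example: given (transaction ID, UDP source port) pairs observed on a
resolver's outbound DNS queries (e.g. extracted from a packet capture), estimate
whether the ports and IDs are incrementing/predictable or randomized.  Source
port and query ID randomization is the countermeasure described above."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

def shannon_entropy_bits(values: List[int]) -> float:
    """Entropy (bits) of the observed value distribution; higher is better."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def sequential_fraction(values: List[int]) -> float:
    """Fraction of consecutive samples that step by exactly +1 (mod 2^16)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1)

def assess_queries(queries: List[Tuple[int, int]], seq_threshold: float = 0.8) -> Dict[str, object]:
    """Flag predictable ports/IDs: mostly sequential, or a single fixed port.
    Note that entropy alone does not catch an incrementing port: 32 distinct
    sequential ports have the same entropy as 32 random ones."""
    txids = [t for t, _ in queries]
    ports = [p for _, p in queries]
    port_seq = sequential_fraction(ports)
    txid_seq = sequential_fraction(txids)
    return {
        "port_entropy_bits": round(shannon_entropy_bits(ports), 2),
        "port_sequential_fraction": round(port_seq, 2),
        "txid_sequential_fraction": round(txid_seq, 2),
        "ports_predictable": port_seq >= seq_threshold or len(set(ports)) == 1,
        "txids_predictable": txid_seq >= seq_threshold,
    }

# Constructed samples (not real captures): a resolver that increments its
# source port on every query versus one that picks a fresh random ephemeral port.
_rng = random.Random(2008)
UNPATCHED_STYLE = [(_rng.randrange(65536), 49152 + i) for i in range(32)]
PATCHED_STYLE = [(_rng.randrange(65536), _rng.randrange(1024, 65536)) for _ in range(32)]

if __name__ == "__main__":
    for name, sample in (("incrementing ports", UNPATCHED_STYLE), ("random ports", PATCHED_STYLE)):
        print(name, assess_queries(sample))
```

On a real system the pairs would come from a capture of outbound port-53 traffic after the update is installed, which is the test the researchers quoted above effectively performed by hand.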
Both researchers appear to have only tested the normal 'client' version of Mac OS X. But according to some experts, the fix is really only significant for the server versions of Apple's operating system. For example, "patching BIND is really not a worry on most Mac installs," wrote an unidentified member of the Rixstep team.
So what's going on? The story continues on page 2.