Security update seems to be an missing important fix
updated 03:40 pm EDT, Fri August 1, 2008
Security update incomplete
Last night Apple released security update 2008-005 although even after the update it would seem that one of the most voiced issues still has not been addressed. This update was supposed to bring port randomization to make it more difficult to spoof the DNS response. However, in nCircle's test it seems as though this is not the case. nCircle found that even after installing the patch the client libraries in an OS X 10.4.11 still do not randomize the source port. A comparison of a patched FreeBSD 6.3 system and OS X 10.4.11 was given and here are the results:
FreeBSD 6.3
08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
08:50:02.708123 [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)
OSX 10.4.11
08:05:47.741385 IP [OSX].49193 >[SERVER].domain: 55613+ A? www.cnn.com. (29)
08:05:48.207547 IP [OSX].49194 >[SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
08:05:51.717245 IP [OSX].49195 >[SERVER].domain: 27650+ A? www.cnn.com. (29)
According to nCircle, the above makes it clear that the client libraries have remained un-patched, even after the community spoke so clearly to Apple to update them.
can't nCircle read?
08/01, 04:16pm reply
Apple clearly stated that they only patched the BIND name server, not the client libraries.
fds
Fresh-Faced Recruit
Joined: Sep 2004
and...
08/01, 04:38pm reply
they're just making sure that everyone knows that the client libraries are unpatched.
testudo
Fresh-Faced Recruit
Joined: Aug 2001
and...
08/01, 04:40pm reply
That is a problem why? Because they wanted it changed?
Also, they don't make it clear. They didn't need to 'test' it as it was stated.
dscottbuch
Fresh-Faced Recruit
Joined: Sep 2000
Better than Ubuntu 7.0
08/01, 06:45pm reply
I just applied the patch to Ubuntu 7.0. The DNS client uses the same port for all DNS queries, whereas the Mac [even in its unpatched state, by the way] at least increments the source port.
Dez
Fresh-Faced Recruit
Joined: Jul 2002
As good as Windows XP
08/01, 06:56pm reply
With the MS08-037 patch on XP, the DNS client also only increments the source port.
Dez
Fresh-Faced Recruit
Joined: Jul 2002
Editing - PLEASE?
08/02, 04:23am reply
The title of the article indicates "…to be an missing important fix".
Is that English?
Is the security update a "missing important fix" (with the wrong article - "an" vs. "a" - used)? Or, perhaps it was intended to indicate that the security update seems "…to be MISSING AN important fix"?
BDLatimer
Fresh-Faced Recruit
Joined: Aug 2005
And
08/02, 01:41pm reply
"This update was supposed to bring port randomization to make it more difficult to spoof the DNS response."
Security by obscurity: almost as good as no security at all!
The problem is that DNS requests go to the DNS socket, the source socket can be ignored. If I was looking to mess with DNS, I'd work with the destination of inbound queries, not the source of them.
I guess the issue is the mDNS "server" that Bonjour uses to provide stub DNS responses on a local area network.
dimmer
Mac Enthusiast
Joined: Feb 2006
Windows does random port
08/02, 06:22pm reply
Dez,
I think you're wrong about Microsoft's patch. It does randomize the source ports. That is why ZoneAlarm killed connections on XP; their firewall never thought DNS requests would come from any random port.
Amdahl
Fresh-Faced Recruit
Joined: Apr 2007