Printed from http://www.macnn.com

Security update seems to be missing an important fix

updated 03:40 pm EDT, Fri August 1, 2008

Security update incomplete

Last night Apple released Security Update 2008-005, but even after the update one of the most widely voiced issues appears to remain unaddressed. The update was supposed to bring source port randomization, making it harder to spoof DNS responses. nCircle's testing suggests otherwise: even after installing the patch, the client libraries on an OS X 10.4.11 system still do not randomize the source port. nCircle compared a patched FreeBSD 6.3 system with OS X 10.4.11 and posted the following results:

FreeBSD 6.3

08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
08:50:02.708123 [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)

OS X 10.4.11

08:05:47.741385 IP [OSX].49193 >[SERVER].domain: 55613+ A? www.cnn.com. (29)
08:05:48.207547 IP [OSX].49194 >[SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
08:05:51.717245 IP [OSX].49195 >[SERVER].domain: 27650+ A? www.cnn.com. (29)

According to nCircle, the captures above make it clear that the client libraries remain unpatched, even though the community asked Apple so clearly to update them.
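As an added illustration (not part of the article or of nCircle's work), the following Python script parses tcpdump DNS query lines like the ones above and classifies the resolver's source-port behaviour as fixed, sequential or randomized. The FreeBSD and OS X captures are copied from the article; the third capture is constructed to mirror the single-port behaviour Dez describes in the comments.

```python
import re

# Matches the tcpdump DNS query lines quoted in the article; the optional "IP"
# token and optional space after ">" absorb the variations in the posted lines.
QUERY_RE = re.compile(r"^\S+\s+(?:IP\s+)?\S+?\.(?P<sport>\d+)\s*>\s*\S+\.domain:\s+(?P<txid>\d+)\+?")

def parse_queries(capture):
    """Return (source_port, transaction_id) for each DNS query line in a capture."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs

def classify_ports(ports):
    """Classify source-port behaviour over consecutive queries (needs at least three)."""
    if len(ports) < 3:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"          # one port reused for every query (Dez's Ubuntu report)
    if all(b - a == 1 for a, b in zip(ports, ports[1:])):
        return "sequential"     # port incremented by one each query (the OS X capture)
    return "randomized"         # no simple pattern (the patched FreeBSD capture)

def assess(capture):
    """Extract the source ports from a capture and return them with a verdict."""
    ports = [sport for sport, _ in parse_queries(capture)]
    return {"ports": ports, "verdict": classify_ports(ports)}

# The two captures nCircle posted (copied from the article) and a constructed
# capture standing in for a resolver that reuses a single port.
FREEBSD_CAPTURE = """\
08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
08:50:02.708123 [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)
"""
OSX_CAPTURE = """\
08:05:47.741385 IP [OSX].49193 >[SERVER].domain: 55613+ A? www.cnn.com. (29)
08:05:48.207547 IP [OSX].49194 >[SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
08:05:51.717245 IP [OSX].49195 >[SERVER].domain: 27650+ A? www.cnn.com. (29)
"""
FIXED_CAPTURE = """\
09:00:01.000000 IP [LINUX].32768 > [SERVER].domain: 1001+ A? example.com. (29)
09:00:02.000000 IP [LINUX].32768 > [SERVER].domain: 1002+ A? example.net. (29)
09:00:03.000000 IP [LINUX].32768 > [SERVER].domain: 1003+ A? example.org. (29)
"""
```

Three queries are enough to spot the fixed and sequential patterns but not to prove good randomization; run the check over a much longer capture before concluding that a resolver is safe.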

by MacNN Staff


Comments

  1. fds

    +2

    can't nCircle read?

    Apple clearly stated that they only patched the BIND name server, not the client libraries.

  1. testudo

    -5

    and...

    they're just making sure that everyone knows that the client libraries are unpatched.

  1. dscottbuch

    +1

    and...

    That is a problem why? Because they wanted it changed?

    Also, they don't make it clear. They didn't need to 'test' it as it was stated.

  1. Dez

    +2

    Better than Ubuntu 7.0

    I just applied the patch to Ubuntu 7.0. The DNS client uses the same port for all DNS queries, whereas the Mac [even in its unpatched state, by the way] at least increments the source port.

  1. Dez

    +2

    As good as Windows XP

    With the MS08-037 patch on XP, the DNS client also only increments the source port.

  1. BDLatimer

    +1

    Editing - PLEASE?

    The title of the article indicates "…to be an missing important fix".

    Is that English?

    Is the security update a "missing important fix" (with the wrong article - "an" vs. "a" - used)? Or, perhaps it was intended to indicate that the security update seems "…to be MISSING AN important fix"?

  1. dimmer

    0

    And

    "This update was supposed to bring port randomization to make it more difficult to spoof the DNS response."

    Security by obscurity: almost as good as no security at all!

    The problem is that DNS requests go to the DNS socket, the source socket can be ignored. If I was looking to mess with DNS, I'd work with the destination of inbound queries, not the source of them.

    I guess the issue is the mDNS "server" that Bonjour uses to provide stub DNS responses on a local area network.

  1. Amdahl

    0

    Windows does random port

    Dez,

    I think you're wrong about Microsoft's patch. It does randomize the source ports. That is why ZoneAlarm killed connections on XP; their firewall never thought DNS requests would come from any random port.
