macnn

08/01/2008, 3:40pm, EDT


Security update seems to be missing an important fix

Last night Apple released Security Update 2008-005, although even after the update one of the most loudly voiced issues still appears not to have been addressed. This update was supposed to bring port randomization to make it more difficult to spoof the DNS response. Randomizing the resolver's source port matters because a forged reply is only accepted if it matches both the outstanding query's 16-bit transaction ID and its destination port; if the port is predictable, an off-path attacker has only the transaction ID left to guess. In nCircle's test, however, that is not what happened: even after installing the patch, the client libraries (the stub resolver) on OS X 10.4.11 still do not randomize the source port. nCircle compared a patched FreeBSD 6.3 system with OS X 10.4.11 by capturing their outbound queries with tcpdump, with these results:

FreeBSD 6.3 (patched):
08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
08:50:02.708123 IP [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)

OS X 10.4.11 (after Security Update 2008-005):
08:05:47.741385 IP [OSX].49193 > [SERVER].domain: 55613+ A? www.cnn.com. (29)
08:05:48.207547 IP [OSX].49194 > [SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
08:05:51.717245 IP [OSX].49195 > [SERVER].domain: 27650+ A? www.cnn.com. (29)

According to nCircle, the captures make it clear that the client libraries remain unpatched, even after the community asked Apple so clearly to update them. The FreeBSD source ports (64328, 51023, 50648) jump around unpredictably, while the OS X source ports (49193, 49194, 49195) simply increment by one per query, so an attacker who observes or triggers a single query can predict the port the next one will use.
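The comparison above can be turned into a repeatable check. The following Python script is an added example (it is not from the article or from nCircle): it parses tcpdump query lines in the format quoted above, groups source ports by client host, and classifies each host's pattern as fixed, sequential or randomized, then estimates how many bits an off-path spoofer would have to guess per query. The sample capture is constructed from the two excerpts in the post, and all function names are my own.

```python
import re

# Constructed sample: the two excerpts quoted in the article, in tcpdump's
# default format (hosts anonymized as [BSD], [OSX], [SERVER] as in the post).
SAMPLE_CAPTURE = """\
08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? www.yahoo.com. (34)
08:50:02.708123 IP [BSD].51023 > [SERVER].domain: 45758+ A? www.yahooooo.com. (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? www.www.net. (29)
08:05:47.741385 IP [OSX].49193 > [SERVER].domain: 55613+ A? www.cnn.com. (29)
08:05:48.207547 IP [OSX].49194 > [SERVER].domain: 1106+ PTR? 21.91.236.64.in-addr.arpa. (43)
08:05:51.717245 IP [OSX].49195 > [SERVER].domain: 27650+ A? www.cnn.com. (29)
"""

# One outbound DNS query line: timestamp, optional "IP", src.port > dst.domain:
# transaction ID (trailing "+" means recursion desired), query type and name.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s*>\s*(?P<dst>\S+)\.domain:\s+"
    r"(?P<txid>\d+)\+?\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)"
)


def parse_queries(capture_text):
    """Return one dict per DNS query line; lines that do not match are skipped."""
    queries = []
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        queries.append({
            "src": m.group("src"),
            "sport": int(m.group("sport")),
            "txid": int(m.group("txid")),
            "qtype": m.group("qtype"),
            "qname": m.group("qname"),
        })
    return queries


def classify_ports(ports):
    """Classify a client's sequence of source ports (in capture order).

    'fixed'      : every query reuses one port; only the 16-bit TXID protects it
    'sequential' : port grows by one per query, so the next port is predictable
    'randomized' : no simple pattern in this sample (a heuristic only; capture
                   hundreds of queries before trusting this verdict)
    """
    if len(ports) < 2:
        return "insufficient"
    diffs = [b - a for a, b in zip(ports, ports[1:])]
    if all(d == 0 for d in diffs):
        return "fixed"
    if all(d == 1 for d in diffs):
        return "sequential"
    return "randomized"


def guess_space_bits(verdict, ports):
    """Approximate bits an off-path spoofer must guess for one query:
    16 for the transaction ID, plus whatever port entropy we observed."""
    if verdict in ("fixed", "sequential", "insufficient"):
        return 16
    span = max(ports) - min(ports) + 1   # crude: the port range seen in this sample
    return 16 + span.bit_length() - 1    # floor(log2(span))


def assess(capture_text):
    """Map each client host to (verdict, approximate guess-space bits)."""
    by_client = {}
    for q in parse_queries(capture_text):
        by_client.setdefault(q["src"], []).append(q["sport"])
    result = {}
    for client, ports in by_client.items():
        verdict = classify_ports(ports)
        result[client] = (verdict, guess_space_bits(verdict, ports))
    return result


if __name__ == "__main__":
    for client, (verdict, bits) in assess(SAMPLE_CAPTURE).items():
        print(f"{client}: source ports {verdict}, ~{bits} bits to guess per query")
```

Run it against the sample and the FreeBSD host comes out as randomized with roughly 29 bits of guess space, while the OS X host is sequential with only the 16 transaction-ID bits protecting it. To test your own machine, run `tcpdump -n udp port 53` while resolving a few dozen names and feed the output to `assess`; three samples, as in the article, are enough to spot a fixed or incrementing port but not enough to vouch for good randomization.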


Filed under: security, Apple
Other story tags: update

Reader Reactions (9 comments)
fds: can't nCircle read?
08/01, 4:16pm, EDT (score 2)

Apple clearly stated that they only patched the BIND name server, not the client libraries.

and...
08/01, 4:38pm, EDT (score -5)

They're just making sure that everyone knows that the client libraries are unpatched.

and...
08/01, 4:40pm, EDT (score 1)

That is a problem why? Because they wanted it changed?

Also, they don't make it clear. They didn't need to 'test' it as it was stated.
Dez: Better than Ubuntu 7.0
08/01, 6:45pm, EDT (score 2)

I just applied the patch to Ubuntu 7.0. The DNS client uses the same port for all DNS queries, whereas the Mac [even in its unpatched state, by the way] at least increments the source port.
Dez: As good as Windows XP
08/01, 6:56pm, EDT (score 2)

With the MS08-037 patch on XP, the DNS client also only increments the source port.

Editing - PLEASE?
08/02, 4:23am, EDT (score 1)

The title of the article indicates "…to be an missing important fix".

Is that English?

Is the security update a "missing important fix" (with the wrong article - "an" vs. "a" - used)? Or, perhaps it was intended to indicate that the security update seems "…to be MISSING AN important fix"?

And
08/02, 1:41pm, EDT (score 0)

"This update was supposed to bring port randomization to make it more difficult to spoof the DNS response."

Security by obscurity: almost as good as no security at all!

The problem is that DNS requests go to the DNS socket; the source socket can be ignored. If I was looking to mess with DNS, I'd work with the destination of inbound queries, not the source of them.

I guess the issue is the mDNS "server" that Bonjour uses to provide stub DNS responses on a local area network.

Windows does random port
08/02, 6:22pm, EDT (score 0)

Dez,

I think you're wrong about Microsoft's patch. It does randomize the source ports. That is why ZoneAlarm killed connections on XP; their firewall never thought DNS requests would come from any random port.