AAPL Stock: 111.52 ( -0.82 )

Printed from

Security update seems to be an missing important fix

updated 03:40 pm EDT, Fri August 1, 2008

Security update incomplete

Last night Apple released security update 2008-005 although even after the update it would seem that one of the most voiced issues still has not been addressed. This update was supposed to bring port randomization to make it more difficult to spoof the DNS response. However, in nCircle's test it seems as though this is not the case. nCircle found that even after installing the patch the client libraries in an OS X 10.4.11 still do not randomize the source port. A comparison of a patched FreeBSD 6.3 system and OS X 10.4.11 was given and here are the results:

FreeBSD 6.3
08:49:58.405934 IP [BSD].64328 > [SERVER].domain: 39741+ A? (34)
08:50:02.708123 [BSD].51023 > [SERVER].domain: 45758+ A? (35)
08:50:07.625034 IP [BSD].50648 > [SERVER].domain: 23806+ A? (29)

OSX 10.4.11

08:05:47.741385 IP [OSX].49193 >[SERVER].domain: 55613+ A? (29)
08:05:48.207547 IP [OSX].49194 >[SERVER].domain: 1106+ PTR? (43)
08:05:51.717245 IP [OSX].49195 >[SERVER].domain: 27650+ A? (29)

According to nCircle, the above makes it clear that the client libraries have remained un-patched, even after the community spoke so clearly to Apple to update them.

by MacNN Staff





  1. fds

    Joined: Dec 1969


    can't nCircle read?

    Apple clearly stated that they only patched the BIND name server, not the client libraries.

  1. testudo

    Joined: Dec 1969



    they're just making sure that everyone knows that the client libraries are unpatched.

  1. dscottbuch

    Joined: Dec 1969



    That is a problem why? Because they wanted it changed?

    Also, they don't make it clear. They didn't need to 'test' it as it was stated.

  1. Dez

    Joined: Dec 1969


    Better than Ubuntu 7.0

    I just applied the patch to Ubuntu 7.0. The DNS client uses the same port for all DNS queries, whereas the Mac [even in its unpatched state, by the way] at least increments the source port.

  1. Dez

    Joined: Dec 1969


    As good as Windows XP

    With the MS08-037 patch on XP, the DNS client also only increments the source port.

  1. BDLatimer

    Joined: Dec 1969


    Editing - PLEASE?

    The title of the article indicates "…to be an missing important fix".

    Is that English?

    Is the security update a "missing important fix" (with the wrong article - "an" vs. "a" - used)? Or, perhaps it was intended to indicate that the security update seems "…to be MISSING AN important fix"?

  1. dimmer

    Joined: Dec 1969



    "This update was supposed to bring port randomization to make it more difficult to spoof the DNS response."

    Security by obscurity: almost as good as no security at all!

    The problem is that DNS requests go to the DNS socket, the source socket can be ignored. If I was looking to mess with DNS, I'd work with the destination of inbound queries, not the source of them.

    I guess the issue is the mDNS "server" that Bonjour uses to provide stub DNS responses on a local area network.

  1. Amdahl

    Joined: Dec 1969


    Windows does random port


    I think you're wrong about Microsoft's patch. It does randomize the source ports. That is why ZoneAlarm killed connections on XP; their firewall never thought DNS requests would come from any random port.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Blue Yeti Studio

Despite being very familiar with Blue Microphones' lower-end products -- we've long recommended the company's Snowball line of mics ...

ZTE Spro 2 Smart Projector

Home theaters are becoming more and more accessible these days, but maybe you've been a bit wary about buying a home projector. And h ...

MSI Geforce GTX 970 100ME

When Nvidia announced a new line of video cards in September 2014, many people thought things would continue to be business as usual i ...


Most Commented