When a group of software makers and network-infrastructure vendors announced a fix for a major flaw in the domain-name system in early July, Apple was conspicuous in its absence from the list of companies.
On Friday, following confirmed attacks on name servers, the Mac maker finally produced a patch for the domain-name system (DNS) security issues publicized by researcher Dan Kaminsky. The patch, which fixes 16 other vulnerabilities as well, closes the security hole by implementing a recommended workaround in the Berkeley Internet Name Domain (BIND) server software shipped with Mac OS X.
"A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks," the company said in the advisory released on Friday. "As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source-port randomization to improve resilience against cache poisoning attacks."
However, while the patch appears to fix the issues for Mac OS X systems used as domain-name servers, the update does not appear to fix the issue for the vast majority of Macs in use as client systems, according to independent reports from security firm nCircle and the SANS Institute. Both Mac OS X 10.4.11 and 10.5.4 appear not to randomize the source ports created by Mac software, the groups said.
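The kind of check nCircle and SANS describe, whether a resolver varies the UDP source port of its outbound queries, can be run against a captured port sequence. The following is an added example, not code from the article, from Apple, or from either firm; the three port traces are constructed sample data, and the guess-space figure assumes a 16-bit transaction ID plus roughly 16 bits from a randomized ephemeral port.

```python
import math
from collections import Counter

# Constructed sample traces of the UDP source ports a stub resolver used for
# consecutive outbound DNS queries (hypothetical data, not measured values).
FIXED_PORT_TRACE = [53] * 20                    # every query leaves from port 53
SEQUENTIAL_TRACE = list(range(49152, 49172))   # ephemeral, but predictable
RANDOM_TRACE = [61234, 50017, 58890, 63322, 49981, 55610, 60045, 52119,
                64001, 57730, 51466, 59312, 62877, 53508, 56094, 60921,
                54275, 63745, 50699, 58133]

def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution."""
    counts = Counter(ports)
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_sequential(ports):
    """True when each query uses the previous port plus one."""
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))

def classify_source_ports(ports):
    """Return 'fixed', 'sequential', 'randomized' or 'weak' for a trace.

    Heuristic: one reused value is a fixed port; an increment-by-one
    allocator is sequential; a trace whose entropy is close to the maximum
    possible for its sample size is treated as randomized.
    """
    if len(set(ports)) == 1:
        return "fixed"
    if is_sequential(ports):
        return "sequential"
    if port_entropy_bits(ports) >= math.log2(len(ports)) - 0.5:
        return "randomized"
    return "weak"

def guess_space_bits(ports):
    """Approximate bits an off-path forger must match per reply: the 16-bit
    transaction ID, plus ~16 more only when the source port is randomized."""
    txid_bits = 16
    port_bits = 16 if classify_source_ports(ports) == "randomized" else 0
    return txid_bits + port_bits

if __name__ == "__main__":
    for name, trace in [("fixed", FIXED_PORT_TRACE),
                        ("sequential", SEQUENTIAL_TRACE),
                        ("random", RANDOM_TRACE)]:
        print(name, classify_source_ports(trace), guess_space_bits(trace))
```

A real trace would come from a packet capture of the client's port-53 queries; a resolver that reports "fixed" or "sequential" here is still exposed to the poisoning technique the advisory describes.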
The patch comes more than three weeks after Dan Kaminsky, director of penetration testing for security firm IOActive, announced a coordinated patch for serious issues in the way domain-name lookups are handled by existing name-server software. Kaminsky's attack put a new spin on a well-known issue in the domain name system: spoofing domain names by poisoning the DNS cache. For thirteen days, details of the flaw were a matter of speculation, until a series of escalating disclosures painted a detailed portrait of Kaminsky's proposed attack last Monday. Within 48 hours of the details being released, Metasploit founder HD Moore and another programmer created modules to turn the theoretical attack into a serious worry for many system administrators.
The Mac OS X update also patches five issues in the open-source PHP Web development language as well as vulnerabilities in the Open Scripting Architecture and Apple's code libraries for handling graphics. Users can patch by turning on the operating system's automatic update feature or by selecting "Software Update..." from the Apple menu.
An Apple spokesperson declined to comment on the issue beyond the information in the advisory.
UPDATE: The article was updated to reflect tests by nCircle and the SANS Institute which indicate the patch would not block potential DNS attacks against Mac clients.
Posted by: Robert Lemos