Apple misses mark on DNS patch

Security researchers are claiming that Apple has failed to fully patch the high profile DNS cache poisoning error.

The company issued the patch last week as part of a larger security update. The so-called Kaminsky flaw (named after its discoverer, Dan Kaminsky) has sent vendors scrambling to patch what is said to be a fundamental vulnerability in the DNS system.

According to Andrew Storms, director of security operations for network security firm nCircle, Apple's patch doesn't quite do the job. Storms found that the update doesn't force source port randomisation for client libraries, an essential fix for preventing the spooking attack.

Storms said that while the server component of the error is fixed, client machines remain vulnerable.

"For Apple, it matters most that they patch the client libraries since there are so few OSX recursive servers in use," he noted.

"The bottom line is that despite this update, it appears that the client libraries still aren't patched."

Storms was not the only person to note Apple's oversight. Sans researcher Swa Frantzen also noticed the flaw. Frantzen pointed out that a fully patched Leopard system still uses incrementing ports, making port selection predictable and allowing an attacker to still perform the cache-poisoning exploit.

"So Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," said Frantzen.