Apple patches for DNS flaw

Share this article:

After waiting since the beginning of July, Apple has put out a patch for the DNS cache poisoning flaw discovered by security researcher Dan Kaminsky.

The patch fixes Apple's version of the Berkeley Internet Name Domain (BIND) DNS server in Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4 and Mac OS X Server v10.5.4.

The Berkeley Internet Name Domain (BIND) server, which provides translation between host names and IP addresses, is distributed with Mac OS X, and is not enabled by default.

According to the statement that accompanied the patch, “A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information.”

The update implements greater source port randomization to improve the odds against cache poisoning attacks.

Cisco, Microsoft, Sun Microsystems and many Linux versions put out a fix for the flaw on July 8, when it was first disclosed. Apple had taken some heat when it did not release its patch then, too.

Andrew Storms, director of security operations for nCircle, said in a blog post that some of the patches for components in Apple's systems are incomplete.

“For Apple, it matters most that they patch the client libraries since there are so few OS X recursive servers in use,” he wrote in the blog post. “The client libraries on my OS X 10.4.11 system, post patch install, still does not randomize the source port...despite this update, it appears that the client libraries still aren't patched.”

In addition to the DNS fix, Apple shored up some 16 other vulnerabilities in Mac OS X.

 

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.