Problems With DNS Flaw Patches
August 05, 2008 | by Christopher Nickson
Apple's DNS flaw patch isn't completely effective, according to some experts, while Cisco reports other problems.
The Domain Name System (DNS) flaw discovered by Dan Kaminsky appeared to have been patched, thanks to some rare industry-wide co-operation. But, it seems, that might not be quite the case.
ZDNet has reported that security company nCircle found problems with the Apple fix for its OS X operating systems: it fails to randomize source ports for the client libraries. nCircle's director of security operations, Andrew Storm, blogged:
"The current countermeasure to this DNS cache poisoning vulnerability is to introduce increased entropy by forcing randomisation of the query ID and the source port. Essentially, making it all the more difficult to spoof the DNS response. However, it appears that Apple forgot something. The client libraries on my OS X 10.4.11 system, post patch install, still do not randomize the source port."
And the SANS Institute reported that OS X 10.5.4 was still using incremental ports. There was no comment from Apple.
However, the bad news isn't limited to Macs. Cisco has put out an advisory saying that some of its products would negate third-party port randomization, and US-CERT has issued its own advisory stating that Juniper Networks firewalls could also be affected by the port randomization issue.
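One way to verify on the wire whether a stub resolver, or a firewall or NAT device in front of it, actually randomizes source ports, as an added example that is not from the article, nCircle or SANS: it parses tcpdump-style DNS query lines and flags incremental port or query-ID sequences. The capture lines, addresses and port values are constructed for the example, not real traffic.

```python
import math
import re

# Constructed tcpdump-style lines (not a real capture; timestamps omitted).
# INCREMENTAL mimics a stub resolver whose source port rises by one per query,
# as reported for the patched OS X libraries; RANDOMIZED picks a fresh port.
INCREMENTAL = """
IP 10.0.0.5.49152 > 10.0.0.1.53: 4112+ A? example.com. (29)
IP 10.0.0.5.49153 > 10.0.0.1.53: 58291+ A? example.org. (29)
IP 10.0.0.5.49154 > 10.0.0.1.53: 1023+ A? example.net. (29)
IP 10.0.0.5.49155 > 10.0.0.1.53: 61772+ AAAA? example.com. (29)
"""
RANDOMIZED = """
IP 10.0.0.5.53211 > 10.0.0.1.53: 4112+ A? example.com. (29)
IP 10.0.0.5.17844 > 10.0.0.1.53: 58291+ A? example.org. (29)
IP 10.0.0.5.62005 > 10.0.0.1.53: 1023+ A? example.net. (29)
IP 10.0.0.5.33097 > 10.0.0.1.53: 61772+ AAAA? example.com. (29)
"""

# Outbound query: "<src-ip>.<src-port> > <resolver-ip>.53: <query-id>+ ..."
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+?")

def parse_queries(capture):
    """Return (source_port, query_id) pairs for each outbound DNS query."""
    pairs = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs

def looks_incremental(values):
    """True when every consecutive difference is exactly +1 (predictable)."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))

def assess(capture):
    """Flag predictable ports/IDs; the bit estimate is only a rough lower bound
    from the observed span, and a predictable sequence contributes zero bits."""
    pairs = parse_queries(capture)
    ports = [p for p, _ in pairs]
    ids = [q for _, q in pairs]
    port_inc, id_inc = looks_incremental(ports), looks_incremental(ids)
    port_bits = 0.0 if port_inc else math.log2(max(ports) - min(ports) + 1)
    id_bits = 0.0 if id_inc else math.log2(max(ids) - min(ids) + 1)
    return {"queries": len(pairs), "port_incremental": port_inc,
            "id_incremental": id_inc,
            "approx_entropy_bits": round(port_bits + id_bits, 1)}

if __name__ == "__main__":
    print(assess(INCREMENTAL), assess(RANDOMIZED))
```

Run it against a capture taken on the outside interface of a firewall or NAT device to see whether the device rewrites otherwise random ports into a predictable sequence.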
clowe1243 on Aug 5th, 2008 at 7:56 AM:
Yet another reason why Microsoft sales go up, MAC sales are up and down, and Linux sales, well, it's free, steady download rate.
"In a world without fences and walls, who needs Gates and Windows?"