After taking some heat from tech media sources (including this one), Apple has finally released a patch for its OS X operating system that will address the Kaminsky DNS flaw. Apple Inc. is the last of the major vendors to release a fix for the DNS issues, and patched several other things as well in its latest security push.
The patch that is going to get the most attention is the one for CVE-2008-1447, better known as the DNS flaw that was recently discovered by researcher Dan Kaminsky.
Kaminsky discovered issues in various DNS implementations that allow remote attackers to perform DNS cache poisoning attacks. The BIND patch is available for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.4, and Mac OS X Server v10.5.4.
Other noteworthy patches include Open Scripting Architecture, where a design issue exists in the OSA libraries. Cupertino-based Apple has said that the attack centers on sending scripting addition commands to a privileged application, which may allow the execution of arbitrary code with those privileges.
On May 01, PHP released new source code for its application, version 5.2.5, which was included in today’s Apple patch. Other patches include Rsync, OpenSSL, and OpenLDAP.
Swa Frantzen of SANS ISC gave his opinion on the late patching by Apple, raising some interesting points in the process: “Seems we all need to urge Jobs' gang to release patches significantly faster: it's the price to pay to base parts of your system on open-source code,” he offered.
On the issue of the belated DNS patch delivered by Apple, there are still some issues that need to be looked at, according to Frantzen. “So Apple might have fixed some of the more important parts for servers, but [it] is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness.”
Frantzen, a Mac user, ran a DNS test and discovered that its DNS client was still using incrementing ports. “For the record: the traffic was generated with ping to some search engines, but dig e.g. uses exactly the same pattern. /etc/resolv.conf contained nothing but a domain and [SERVER] as the nameserver. The machine did reboot to complete the patch installation. There is no named running on [MAC], just the client libraries are used,” he said.
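The check Frantzen describes can be repeated on any client by capturing its outgoing DNS queries and looking at the UDP source ports. The following is an added example, not code from the article or from SANS ISC; the tcpdump-style lines are constructed, and the function names and thresholds are assumptions chosen for illustration.

```python
import re

# Matches the client side of `tcpdump -n` text output for DNS queries:
#   HH:MM:SS.us IP <client-ip>.<src-port> > <server-ip>.53: ...
QUERY_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")

def source_ports(capture_text, client_ip):
    """Return the UDP source ports of DNS queries sent by client_ip, in order."""
    return [int(m.group(2)) for m in QUERY_RE.finditer(capture_text)
            if m.group(1) == client_ip]

def classify_ports(ports, min_samples=5, max_step=16, narrow_spread=1024):
    """Label a resolver's source-port behaviour (thresholds are assumptions)."""
    if len(ports) < min_samples:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "static"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    # Small positive steps mean the next port is guessable from the last one.
    # A wrap of the ephemeral range shows up as one large negative step,
    # which the 80% ratio tolerates.
    small = sum(1 for s in steps if 1 <= s <= max_step)
    if small / len(steps) >= 0.8:
        return "incrementing"
    if max(ports) - min(ports) < narrow_spread:
        return "narrow-range"
    return "randomized"

def make_capture(client_ip, ports):
    """Build constructed tcpdump-style lines (not a real capture)."""
    return "\n".join(
        f"14:30:{i:02d}.000000 IP {client_ip}.{p} > 192.0.2.53.53: "
        f"{1000 + i}+ A? example.com. (29)"
        for i, p in enumerate(ports))

# Constructed samples; 192.0.2.0/24 is a documentation address range.
INCREMENTING_CAPTURE = make_capture(
    "192.0.2.10", [49152, 49153, 49154, 49156, 49157, 49158, 49159])
RANDOM_CAPTURE = make_capture(
    "192.0.2.11", [51234, 1938, 40211, 62001, 10457, 33790, 58112])

if __name__ == "__main__":
    for ip, cap in (("192.0.2.10", INCREMENTING_CAPTURE),
                    ("192.0.2.11", RANDOM_CAPTURE)):
        ports = source_ports(cap, ip)
        print(ip, ports, classify_ports(ports))
```

A client reported as "incrementing" or "static" matches the pattern Frantzen saw from the client libraries after the update.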
Was Apple’s patch incomplete? Likely not; the odds are that it addresses the exact area that is needed in order to resolve the Kaminsky flaw. The problem is that the Kaminsky DNS vulnerability can be exploited on several levels, and the recent attacks on AT&T were discovered to have used attack vectors not known to other researchers familiar with the complete exploit.
AT&T is said to be working on a patch, but at the time of the attack on its DNS server, it was still unpatched. Other ISPs are working to install patches, but are still failing various DNS tests.
Apple users can get the newest security update with Software Update or direct from Apple Downloads.
i luv aapl, Aug 4th, 2008 - 14:24:55
FIRST!!!!!!!!!!!!!!!!!!!