Apple Reacts to Spoof Threats, Issues DNS Hotfix

• By Jabulani Leffall
• 08/04/08

Apple Inc. took action Friday to address the infamous Domain Name System (DNS) problem. And none too soon.

Last week saw a DNS server exploit divert AT&T Internet service users in Austin, Texas. The DNS trouble, which caused users to be sent to a bogus Web page, occurred more than a week after Microsoft issued its own warning about the dangers of a weak DNS framework.

In response to the threat, Apple released Security Update 2008-005, saying that its latest hotfix protects open scripting architecture libraries from certain vulnerabilities. If left unfixed, a hacker or internal enterprise user might leverage the exploit to "execute commands with elevated privileges."

On the whole, the patch addresses the DNS issue by implementing what the company calls "source port randomization to improve resilience against [DNS] cache poisoning attacks."

The patch is for Mac OS X Server 10.4 and 10.5, as well as for Mac OS X 10.4.11 and 10.5.4 operating systems.

For Mac OS X v10.4.11 systems, the Berkeley Internet Name Domain (BIND) is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. The hotfix also closes the script-based local privilege escalation vulnerabilities in the MAC for Windows programs.

Apple responded to one of this year's most controversial security issues in issuing the hotfix, but there is already some push back. Security researcher Swa Frantzen, who works at the SANS Internet Storm Center, asserted that the hotfix is incomplete. Apple's fix hasn't quite done the trick.

"Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the [Internet] Protocol weakness," Frantzen wrote in a blog post on Friday.

The issue appears to be that, despite Apple's patch, BIND under OS X is incrementing the ports it uses to communicate DNS information in a predictable instead of random pattern.

Andrew Storms of San Francisco-based IT consultancy nCircle, says that Apple, like Microsoft, may have rushed the patch and let the buzz around the vulnerability dictate its actions instead of vice versa.

"We know with Microsoft that there were a few problems even installing their DNS patch," he said. "Now, with Apple, we're seeing that the current countermeasure to this DNS cache poisoning vulnerability is to introduce increased entropy by forcing randomization of the query ID and the source port."

Storms said it's evident that many are spooked by an increasing pervasive vulnerability that few people know much about as of yet.

"The issue is that [DNS spoofing] is a silent killer," he said. "You usually won't know until it's over and it's more complex because it involves coding behind the spoofing and once you're redirected to what looks like a legit site, most of the hacker's work is done already."