DNS security problem: new patches and omissions
The Internet Systems Consortium (ISC) has issued the promised second patch – P2 – for its BIND name server to eliminate the cache poisoning vulnerability from recursive name servers. P2 is intended to fix the performance degradation observed on heavily loaded systems patched with P1, the first patch to be issued. Even during the development and testing of P1, it was noticed that the patch caused a marked slowdown on recursively resolving servers handling more than 10,000 queries per second. Because of the urgency, however, it was decided first to cure the security problem and to issue a further update later to deal with the performance problem. Only testing by ISPs will show whether the new patch really does fix the problem. P2 is available for BIND 9.5.0, BIND 9.4.2 and BIND 9.3.5.
There are now reports from the ISC and from nCircle, a security services provider, that with its latest security update Apple has forgotten to update the client function libraries, so that the clients, as well as the servers, would be immune to cache poisoning attacks. Although the clients – "stub resolvers" – are not at the moment being targeted by the attacks, unanimous opinion has it that they are, in principle, just as vulnerable as the name servers themselves. Microsoft, all the big Linux distributors and the BSD derivatives have already secured their clients, and their patches ensure that the source port for a query is randomised. Under Tiger and Leopard, however, Apple's client resolver continues to increment the source port by one for each query.
Andrew Storms of nCircle says that the fact that Apple has evidently forgotten the clients is all the more serious because virtually no name servers run on Mac OS X, and so the objective of protecting customers has not been achieved. Misleadingly, the Apple update note suggests that the client has also been updated.
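The distinction the article draws – a resolver that steps its UDP source port by one per query versus one that randomises it – is something an administrator can verify from a packet capture of outgoing queries. The following is an added example, not code from the article, ISC, nCircle or Apple: it parses constructed, tcpdump-style DNS query lines (the addresses and ports are made up), extracts the source port of each query and classifies the sequence as predictable (constant small step, wrapping modulo 65536) or randomised. The 8-sample minimum and the 90% threshold are assumptions chosen for the example.

```python
"""Classify a resolver's UDP source-port behaviour from captured DNS queries.

Added example. Sample captures below are constructed in tcpdump-like format and
are not taken from the article; a real check would run over a capture of the
host's own outgoing queries.
"""
import re
from collections import Counter

# Constructed capture of a stub resolver that increments the source port by one per query.
SEQUENTIAL_CAPTURE = """\
10:00:00.000101 IP 192.0.2.10.49152 > 198.51.100.53.53: 1001+ A? www.example.com. (33)
10:00:00.004201 IP 192.0.2.10.49153 > 198.51.100.53.53: 1002+ A? mail.example.com. (34)
10:00:00.009877 IP 192.0.2.10.49154 > 198.51.100.53.53: 1003+ AAAA? www.example.com. (33)
10:00:00.015320 IP 192.0.2.10.49155 > 198.51.100.53.53: 1004+ A? ftp.example.com. (33)
10:00:00.021904 IP 192.0.2.10.49156 > 198.51.100.53.53: 1005+ MX? example.com. (29)
10:00:00.027611 IP 192.0.2.10.49157 > 198.51.100.53.53: 1006+ A? ns1.example.com. (33)
10:00:00.033002 IP 192.0.2.10.49158 > 198.51.100.53.53: 1007+ A? www.example.org. (33)
10:00:00.038450 IP 192.0.2.10.49159 > 198.51.100.53.53: 1008+ A? www.example.net. (33)
"""

# Constructed capture of a resolver that picks a random source port for each query.
RANDOMISED_CAPTURE = """\
10:00:00.000101 IP 192.0.2.11.52117 > 198.51.100.53.53: 7011+ A? www.example.com. (33)
10:00:00.004201 IP 192.0.2.11.33890 > 198.51.100.53.53: 7012+ A? mail.example.com. (34)
10:00:00.009877 IP 192.0.2.11.61004 > 198.51.100.53.53: 7013+ AAAA? www.example.com. (33)
10:00:00.015320 IP 192.0.2.11.1987 > 198.51.100.53.53: 7014+ A? ftp.example.com. (33)
10:00:00.021904 IP 192.0.2.11.44310 > 198.51.100.53.53: 7015+ MX? example.com. (29)
10:00:00.027611 IP 192.0.2.11.27731 > 198.51.100.53.53: 7016+ A? ns1.example.com. (33)
10:00:00.033002 IP 192.0.2.11.58122 > 198.51.100.53.53: 7017+ A? www.example.org. (33)
10:00:00.038450 IP 192.0.2.11.9056 > 198.51.100.53.53: 7018+ A? www.example.net. (33)
"""

# Matches "IP <src-addr>.<src-port> > <dst-addr>.53:" in tcpdump's default output.
_QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: ")


def extract_source_ports(capture: str) -> list[int]:
    """Return the UDP source port of every DNS query line, in capture order."""
    return [int(m.group(1)) for m in (_QUERY_RE.search(line) for line in capture.splitlines()) if m]


def classify_source_ports(ports: list[int], min_samples: int = 8, tolerance: float = 0.9) -> str:
    """Return 'sequential', 'randomised' or 'insufficient'.

    A counter-based resolver produces an almost constant small step between consecutive
    queries; the step is taken modulo 65536 so a counter wrapping at the top of the
    port range is still recognised. Randomised ports have no dominant step.
    """
    if len(ports) < min_samples:
        return "insufficient"
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    if 1 <= step <= 2 and count >= tolerance * len(deltas):
        return "sequential"
    return "randomised"


def analyse_capture(capture: str) -> dict:
    """Parse a capture and summarise its source-port behaviour."""
    ports = extract_source_ports(capture)
    return {
        "queries": len(ports),
        "distinct_ports": len(set(ports)),
        "verdict": classify_source_ports(ports),
    }


if __name__ == "__main__":
    for name, capture in (("sequential", SEQUENTIAL_CAPTURE), ("randomised", RANDOMISED_CAPTURE)):
        print(name, analyse_capture(capture))
```

Note that distinct-port counts alone do not separate the two cases: a counter produces distinct ports too. Only the step between consecutive queries reveals the predictability that makes the spoofing attack practical, which is why the check works on deltas rather than on how many different ports appear.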
- Apple DNS Patch Fails To Randomize - Users Still At Risk, blog entry by Andrew Storms
- Apple's Security Update 2008-005: DNS workaround finally included, SANS Internet Storm Center (SANS ISC) diary entry by Swa Frantzen
For background information on the Domain Name System security problem, see:
- Apple eliminates DNS server vulnerability under Mac OS X
- Patches for DNS vulnerability put the brakes on servers
- DNS hole - no patch yet from Apple
- DNS vulnerability exploits released
- DNS security problem details released
- Massive DNS security problem endangers the internet