The Kaminsky flaw, named after its discoverer, IOActive's Dan Kaminsky, was first identified earlier this year. Kaminsky worked with a number of vendors, including Microsoft and Cisco, to develop a patch, which was released in July. However, Apple was slow to follow suit and only issued its fix last week.
Andrew Storms, director of security operations for network security firm nCircle, said in a blog post that the update does not force randomisation of the query ID and the source port, the measure that stops the ability to spoof the DNS response.
"For Apple, it matters most that they patch the client libraries since there are so few OSX recursive servers in use. The bottom line is that despite this update, it appears that the client libraries still aren't patched," he added.
"So Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," he said.