Apple's DNS patch missing vital element

Researcher says it won't fix cache poisoning error

Apple's DNS patch, which was released last week, doesn't fix the high-profile DNS cache poisoning error, according to security researchers.

The Kaminsky flaw, named after its discoverer, IOActive's Dan Kaminsky, was first identified earlier this year. Kaminsky worked with a number of vendors, including Microsoft and Cisco, to develop a patch, which was released in July. However, Apple was slow to follow suit and only issued its fix last week.

Andrew Storms, director of security operations for network security firm nCircle, said in a blog post that the update doesn't force randomisation of the query ID and the source port, which stops the ability to spoof the DNS response.

"For Apple, it matters most that they patch the client libraries since there are so few OSX recursive servers in use. The bottom line is that despite this update, it appears that the client libraries still aren't patched," he added.

Storms wasn't alone in noticing the vital missing element of the patch. Swa Frantzen, a researcher at The SANS Institute, also noted the absence in his blog.

"So Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," he said.

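The check the researchers describe can be run by an administrator against queries recorded from a client. The following is an added example, not code from the article, Apple or the researchers quoted: it labels the UDP source ports and DNS query IDs in a sample as fixed, sequential or varied. The sample data, function names and the "more than half the steps are equal" threshold are assumptions made for illustration.

```python
import struct
from collections import Counter

def make_query(txid):
    """Build a minimal DNS query for example.com (A/IN) with the given ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def parse_query_id(payload):
    """Return the 16-bit transaction ID from the start of a DNS message."""
    if len(payload) < 12:
        raise ValueError("a DNS header is 12 bytes; payload too short")
    return struct.unpack("!H", payload[:2])[0]

def classify(values):
    """Label a series of 16-bit values as fixed, sequential or varied."""
    if len(values) < 2:
        raise ValueError("need at least two observations")
    if len(set(values)) == 1:
        return "fixed"
    # A constant step between neighbours (mod 2**16) means a counter.
    steps = Counter((b - a) % 65536 for a, b in zip(values, values[1:]))
    if steps.most_common(1)[0][1] > (len(values) - 1) / 2:
        return "sequential"
    return "varied"  # not proof of randomness, only absence of the obvious patterns

def assess(observations):
    """observations: list of (udp_source_port, dns_payload) from one client."""
    ports = classify([port for port, _ in observations])
    txids = classify([parse_query_id(p) for _, p in observations])
    return {"source_port": ports, "query_id": txids,
            "both_varied": ports == "varied" and txids == "varied"}

# Constructed samples, not captures from any real system.
LEGACY = [(53000, make_query(1000 + i)) for i in range(8)]
PORTS = [49211, 1893, 60412, 23977, 5120, 38845, 14406, 57003]
TXIDS = [0x9A31, 0x04C7, 0xE210, 0x5B8E, 0x7713, 0xC0DE, 0x1F02, 0x3A99]
RANDOMISED = [(p, make_query(t)) for p, t in zip(PORTS, TXIDS)]

if __name__ == "__main__":
    print("legacy:    ", assess(LEGACY))
    print("randomised:", assess(RANDOMISED))
```

A "varied" result on a small sample only rules out the obvious fixed and counter patterns; a larger sample is needed before concluding that a client randomises both fields.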