Apple patches DNS vulnerability, sort of

  • Cupertino (CA) – Apple has issued a security patch that promises to fix a DNS vulnerability recently discovered by security researcher Dan Kaminsky, but it appears the fix doesn’t actually fix anything.  This leaves Apple computers still vulnerable to DNS spoofing attacks which can redirect web surfers to malware-laden or phishing sites.

    Kaminsky discovered the DNS vulnerability by playing around with server ports and transaction IDs.  He found that some implementations of DNS don’t sufficiently randomize the standard port 53.  Many servers were incrementing the ports with each request, which makes the next port easy for a hacker to guess.  Also, the DNS protocol uses a 16-bit transaction ID (replaying the ID back to the server could allow someone to insert data), which gives 32768 combinations for a hacker to guess; however, some DNS services use fewer bits for the ID number.

    Kaminsky was initially criticized for not releasing details of the vulnerability, but other security researchers quickly reversed their skepticism after talking with Kaminsky.  Kaminsky is scheduled to detail the vulnerability at next week’s Black Hat conference in Las Vegas.

    Fellow security researcher HD Moore created exploit code that can change the DNS cache of vulnerable servers.  Basically the code tricks the servers into replacing legitimate entries with ones of the hacker’s choosing.  Some people have already modified the code to multiple large groups of addresses.

    Before announcing his work, Kaminsky worked with security vendors to help patch up their systems.  Several companies including Cisco and Microsoft have already fixed their servers.  Many Linux distributions have also been patched for a few weeks.  Conspicuously absent was Apple.

    Desktops are possibly vulnerable to this exploit because they also cache DNS requests from servers.  Apple issued a patch yesterday in a package of other security and bug fixes, but security researchers say it doesn’t work.  According to the SANS Institute, patched copies of Mac OS X 10.5 are still vulnerable and exhibit incrementing port numbers.
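
The incrementing-port behaviour described above can be checked from the defender's side by looking at the UDP source ports of a machine's outgoing DNS queries, in the order they were sent. The Python below is an added example, not code from the article or from SANS; the function name, the thresholds and the sample port lists are assumptions constructed for illustration.

```python
"""Classify the UDP source ports observed on a host's outgoing DNS queries."""
import math
from collections import Counter

def classify_source_ports(ports, max_step=16, min_samples=8):
    """Return (verdict, details) for source ports listed in the order seen.

    max_step and min_samples are assumed thresholds, not values from the article.
    """
    n = len(ports)
    if n < min_samples:
        return "insufficient-data", {"samples": n}

    counts = Counter(ports)
    distinct = len(counts)
    # Share of consecutive queries whose port moved up by a small step.
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    step_ratio = sum(1 for d in deltas if 0 < d <= max_step) / len(deltas)
    # Shannon entropy of the sample in bits; at most log2(n) for n samples.
    entropy = max(0.0, -sum(c / n * math.log2(c / n) for c in counts.values()))

    details = {"samples": n, "distinct": distinct,
               "step_ratio": round(step_ratio, 2),
               "entropy_bits": round(entropy, 2)}
    if distinct == 1:
        return "fixed-port", details        # every query left from one port
    if step_ratio >= 0.9:
        return "incrementing", details      # next port is predictable
    if distinct / n < 0.5:
        return "low-variety", details       # small pool of reused ports
    return "randomized", details

# Constructed samples, e.g. as they might be read out of a packet capture
# of queries leaving the host toward port 53.
FIXED = [32768] * 10
INCREMENTING = [49152, 49153, 49155, 49156, 49157,
                49160, 49161, 49162, 49163, 49165]
REUSED = [1025, 40000] * 5
RANDOM = [51234, 10233, 60411, 2048, 33890,
          47001, 15873, 58220, 29977, 41065]

if __name__ == "__main__":
    for name, sample in [("fixed", FIXED), ("incrementing", INCREMENTING),
                         ("reused", REUSED), ("random", RANDOM)]:
        print(name, *classify_source_ports(sample))
```

A verdict of "incrementing" or "fixed-port" on a patched machine is the symptom SANS reported for Mac OS X 10.5; a larger sample gives a more reliable verdict.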