Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Clients Still Vulnerable After DNS Patch

Posted by kdawson on from the try-try-again dept.

Glenn Fleishman sends word that SANS Institute testing indicates that, even after installing Apple's latest patch for the DNS vulnerability, Leopard desktops (not servers) are still vulnerable — or at least perpetuate risky behavior that makes exploitation easier. This matters because "With servers rapidly being patched worldwide, it's likely that the low-hanging fruit disappears, and vectors [will be] designed to attack massive numbers of clients on ISP networks."

3 of 94 comments (clear)

  1. This exploitation, so far seems extremely unlikely by Space+cowboy · · Score: 5, Informative

    ... the title is the start of the second paragraph. Perhaps Glen didn't read TFA...

    From later on in TFA...

    These clients pass their requests along, and it seems unlikely that they could be attacked directly unless an attacker had a computer on the same local network segment as the exposed system. In that case, the attacker would have a panoply of other network information poison available, and could disrupt DNS in a more efficient manner

    [sigh] even the article title is "DNS Clients Have Small Vector of Risk after Patch" ,,, where is the word 'small' in the /. title... ?

    Simon.

    --
    Physicists get Hadrons!
  2. Rarer than hen's teeth... by Anonymous Coward · · Score: 5, Informative

    Also, by default, BIND is disabled in OS X clients.

    From Apple's security advisory:

    "The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue."

    The original \. article (http://it.slashdot.org/article.pl?sid=08/08/01/1215209&tid=172) neglected to include the first few sentences of the above.

  3. Re:What's the exposure? Where's the hole? by gatekeep · · Score: 5, Informative

    The problem is this;
      How does lookupd really KNOW it's talking to it's upstream nameserver?

    The answer is, because it's replies match the query info and the transaction ID, and come to the right port from the right IP.

    Spoof the IP, brute force the transaction number, and get the client to perform lookups for names you already know, and you can convince it that YOU are the upstream server.

    That's really no different than how this attack works against servers.