DNS patched? Not so fast, say researchers
August 1st 2008
When Apple released the Security Update 2008-005 yesterday, a collective sigh of relief echoed around the world--the long-standing DNS vulnerability, along with 16 other issues, had been patched.
Today, relief has turned to consternation as ComputerWorld reports that Apple's DNS patch didn't actually patch anything on the client side, leaving the issue exactly as it had been yesterday.
"The difficult news this morning is that we thought we were getting a patch, but we haven't gotten anything," said Andrew Storms, director, security operations, nCircle Network Security. "Essentially, we're at the same place as we were yesterday before Apple released the patch."
Testing performed by Storms, as well as by Swa Frantzen at SANS Institute's Internet Storm Center, confirmed that the client version of Mac OS X was still incrementing ports, not randomizing them, as should have been the case if the issue had actually been fixed.
Editor's note: Some heads are gonna roll...