Apple issued patches for 17 vulnerabilities in Mac OS X on Thursday, including one meant to fix a critical bug in the Internet's traffic cop, the Domain Name System (DNS).
The DNS patch, however, didn't actually patch anything, at least on the client side of the aisle, researchers said Friday.
"The difficult news this morning is that we thought we were getting a patch, but we haven't gotten anything," said Andrew Storms, director of security operations at nCircle Network Security.
Storms' tests confirmed that even after Apple's update was applied, systems running the client version of Mac OS X were still incrementing ports, not randomising them, as should have been the case if the fix had addressed the flaw.
That's not good. Last week, after speculation about the DNS vulnerability essentially confirmed its technical details, exploit code appeared. This week, attacks began against unpatched DNS servers, with at least one confirmed case reported.
"Essentially, we're at the same place as we were yesterday before Apple released the patch," Storms said.
Another researcher, Swa Frantzen of the SANS Institute's Internet Storm Center, reported the same findings earlier on Friday in an alert posted to the ISC site. "So Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness," Frantzen said.
Neither Storms nor Frantzen were able to test a patched version of Mac OS X Server to verify whether the update fixed the problem on servers running Apple's operating system.
Apple integrates BIND (Berkeley Internet Name Domain), the popular open-source DNS software maintained by the Internet Software Consortium, into its operating system. In the security advisory that accompanied Thursday's update, Apple spelled out what versions of BIND it used to patch both Mac OS X 10.4 (Tiger) and Mac OS X 1.5 (Leopard), and claimed that the fix randomised source ports.
"This update addresses the issue by implementing source port randomisation to improve resilience against cache poisoning attacks," Apple said. "For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1."
Both versions cited by Apple were first released on July 8. Dan Kaminsky, the researcher who uncovered the flaw in February, had helped organise a multivendor patch effort that kicked off that day when the consortium and others, including Microsoft and Cisco Systems, issued fixes.
Apple, however, did not patch then. Last week, it was criticised for its sluggish response.
Storms wasn't sure what happened on Apple's end to produce the non-patch patch, but he took a stab at the possibilities. "Is Apple modifying the BIND distributions from ISC, and somehow didn't realise this repercussion? Or is there some kind of configuration file that they forgot to change? It must be one of those two," he said.
Storms also said he rechecked nCircle's DNS servers running BIND, just to make sure that the patches he had deployed weeks ago really randomised the source ports. They did. "If you take the BIND distribution from ISC and patch your system on a Linux box, you're patched," he said. "I don't know what happened to Apple's."
Apple did not immediately respond to questions about the DNS patch.
The security update, dubbed 2008-005, also plugged 16 other holes in Mac OS X, including one in Remote Desktop Agent (ARDAgent), part of the operating system's Remote Management component. The ARDAgent vulnerability was remarkable because it had been exploited by an in-the-wild Trojan horse reported six weeks ago.
Security Update 2008-005 can be downloaded from the Apple site, or installed using Mac OS X's integrated update service. The update weighs in between 65MB and 180MB, depending on the version of Mac OS X to be patched.