Apple’s patch fails to fully protect against DNS flaw

Apple finally addresses a major DNS flaw that could leave its servers open to phishing attacks but experts have said it ignores Mac clients.

Apple's recent patch which was supposed to protect its servers against a serious Domain Name System (DNS) flaw does not completely solve the problem, according to experts.

The patch was meant to address a vulnerability which could let attackers secretly link browsers to malicious sites. However, according to nCircle's director of security operations Andrew Storms, although it works for Mac OSX servers, the patch doesn't fix Mac clients, as in its laptops and desktops, which make up the vast majority of Mac systems in the market.

Storms says in his blog that the patch fails to randomise source ports for OSX client libraries, which is necessary to completely fix the problem.

"For Apple, it matters most that they patch the client libraries", Storms says, "since there are so few OSX recursive servers in use. The bottom line is that despite this update, it appears that the client libraries still aren't patched."

The flaw was originally found by security expert Dan Kaminsky in March, and he gave the opportunity for technology giants like Cisco, Google, Yahoo and Microsoft the chance to fix the bug before the attack code could be circulated online.

The DNS acts as the net's address system, which enables computers to translate the website names people use into the numerical equivalent used by machines. If the flaw was exploited it would enable hackers to direct people to fake sites even if the correct address was written.

Apple had been noticeably slower in creating a patch than its rivals, with the patch released after a practical exploit had become available online on July 23.

Apple has already explained that it was unlikely to comment on strategic planning matters, such as the release of security updates.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

DeviceSHIELD combats rising cyber attacks and online fraud amid COVID-19
Security

DeviceSHIELD combats rising cyber attacks and online fraud amid COVID-19

24 Nov 2020
350,000 Spotify users hacked in credential stuffing attack
Security

350,000 Spotify users hacked in credential stuffing attack

24 Nov 2020
WAPDropper malware hooks you up to premium telecoms services
Security

WAPDropper malware hooks you up to premium telecoms services

24 Nov 2020
VMware sounds alarm over zero-day flaws in multiple products
Security

VMware sounds alarm over zero-day flaws in multiple products

24 Nov 2020

Most Popular

macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020
How computing has revolutionised Formula 1
Sponsored

How computing has revolutionised Formula 1

11 Nov 2020