Problems With DNS Flaw Patches

The Domain Name System (DNS) flaw discovered by Dan Kaminsky appeared to have been patched, thanks to some rare industry-wide co-operation. But, it seems, that might not be quite the case.

ZDNet reports that security company nCircle has found a problem with Apple's fix for OS X: the patch does not randomize source ports for the client (stub resolver) libraries. nCircle's director of security operations, Andrew Storm, blogged:

"The current countermeasure to this DNS cache poisoning vulnerability is to introduce increased entropy by forcing randomisation of the query ID and the source port. Essentially, making it all the more difficult to spoof the DNS response. However, it appears that Apple forgot something. The client libraries on my OS X 10.4.11 system, post patch install, still do not randomize the source port."

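The check Storm describes (watching the outgoing queries of a patched host and seeing whether the source port still walks upward) is easy to script. The following is an added example, not nCircle's code or anything from the original article: it pulls the UDP source port out of tcpdump-style lines, decides whether the sequence is incremental or randomized, and estimates how much that changes an off-path attacker's odds of landing a forged reply. The trace lines are constructed, not captured; the ephemeral range (1024-65535), the 90% "predictable deltas" threshold, and the simple 16-bit-TXID-plus-port entropy model are assumptions for illustration.

```python
import math
import re

# Constructed tcpdump-style lines (not a real capture) from a stub resolver
# sending A queries to 192.0.2.53. The source port is the last dotted
# component of the source address, e.g. 192.0.2.10.49152 -> port 49152.
INCREMENTAL_TRACE = [
    f"IP 192.0.2.10.{49152 + i} > 192.0.2.53.53: {10000 + i}+ A? host{i}.example.com."
    for i in range(8)
]
# Constructed "post-fix" trace: the same queries from randomized ports.
RANDOMIZED_PORTS = [33123, 60211, 2048, 51917, 7700, 40005, 29381, 64000]
RANDOMIZED_TRACE = [
    f"IP 192.0.2.10.{p} > 192.0.2.53.53: {10000 + i}+ A? host{i}.example.com."
    for i, p in enumerate(RANDOMIZED_PORTS)
]

# Matches "IP <src>.<sport> > <dst>.53: " and captures the source port.
PORT_RE = re.compile(r"^IP \S+\.(\d+) > \S+\.53: ")

# Assumed ephemeral port range 1024-65535 (roughly 16 bits of choice).
EPHEMERAL_RANGE = 65535 - 1024 + 1


def source_ports(trace):
    """Extract the UDP source ports of queries to port 53 from tcpdump-style lines."""
    ports = []
    for line in trace:
        m = PORT_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def is_incremental(ports, tolerance=0.9):
    """True if the resolver walks the port space sequentially, i.e. the
    pre-patch behaviour Storm saw: an attacker can predict the next port."""
    if len(ports) < 3:
        raise ValueError("need at least three queries to judge a pattern")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    predictable = sum(1 for d in deltas if 1 <= d <= 3)
    return predictable / len(deltas) >= tolerance


def entropy_bits(ports):
    """Bits an off-path attacker must guess per forged reply: the 16-bit query
    ID plus roughly 16 bits from the source port, but only when the port is
    randomized. With incremental ports the port contributes nothing."""
    port_bits = 0.0 if is_incremental(ports) else math.log2(EPHEMERAL_RANGE)
    return 16 + port_bits


def spoof_success_probability(forged_replies, bits):
    """Probability that at least one of n forged replies matches both the query
    ID and the port: 1 - (1 - 2^-bits)^n."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** forged_replies


if __name__ == "__main__":
    for name, trace in (("incremental", INCREMENTAL_TRACE),
                        ("randomized", RANDOMIZED_TRACE)):
        ports = source_ports(trace)
        bits = entropy_bits(ports)
        p = spoof_success_probability(65536, bits)
        print(f"{name:12s} first ports={ports[:4]} entropy={bits:.1f} bits "
              f"P(hit with 65536 forged replies)={p:.2e}")
```

On a real host you would feed it the output of something like `tcpdump -n udp dst port 53` taken while the stub resolver issues a burst of lookups, as Storm did on 10.4.11; the point of the arithmetic is that with only the query ID to guess, a burst of 65536 forged replies wins a single race about 63% of the time, while adding a randomized port drops that to the order of one in a hundred thousand.
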
And the SANS Institute reported that OS X 10.5.4 was still using incremental ports. There was no comment from Apple.

However, the bad news isn't limited to Macs. Cisco has put out an advisory saying that some of its products would negate third-party port randomization (a NAT device that rewrites UDP source ports sequentially undoes the randomization of any resolver behind it), and US-CERT has issued its own advisory stating that Juniper Networks firewalls could also be affected by the port randomization issue.