Apple's Security Update 2008-005: DNS workaround finally included
Last Updated: 2008-08-01 20:06:50 UTC
by Swa Frantzen (Version: 3)
Apple released their patch overnight (depending on your timezone of course).
Most importantly, it contains the workaround for the DNS bug CVE-2008-1447. Also included is an upgrade to PHP 5.2.6 (whose source was released at www.php.net on May 1st). It seems we all need to urge Jobs' gang to release patches significantly faster: that is the price of basing parts of your system on open source code.
Apple Mac OS X users get it through Software Update. As always it is one big patch; given that little choice, you'll want to PATCH NOW.
A quick packet dump of my fully patched Leopard machine (OS X 10.5.4) shows that, as a DNS client, it is still using incrementing source ports:
12:31:43.611624 IP [MAC].49514 > [SERVER].53: 41963+ A? www.google.com. (32)
12:31:43.623700 IP [SERVER].53 > [MAC].49514: 41963 5/7/7 CNAME www.l.google.com.,[|domain]
12:32:04.235692 IP [MAC].49515 > [SERVER].53: 44651+ A? www.yahoo.com. (31)
12:32:04.259856 IP [SERVER].53 > [MAC].49515: 44651 2/9/5 CNAME[|domain]
12:32:12.771820 IP [MAC].49516 > [SERVER].53: 25701+ A? www.ask.com. (29)
12:32:12.902074 IP [SERVER].53 > [MAC].49516: 25701 4/9/9 CNAME[|domain]
For the record: the traffic was generated with ping to some search engines, but dig, for example, uses exactly the same pattern. /etc/resolv.conf contained nothing but a domain and [SERVER] as the nameserver. The machine was rebooted to complete the patch installation. There is no named running on [MAC]; only the client libraries are used.
So Apple may have fixed some of the more important parts for servers, but it is far from done yet: every client linked against the DNS client library still needs the workaround (randomized source ports) for the protocol weakness.
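The check behind the capture above, as an added example that is not part of the diary: a small Python script that reads tcpdump-style text output, keeps only the outbound queries (client port to port 53), and reports whether the client's source ports step by one, which is what the Leopard capture shows, or jump around as a port-randomizing resolver's would. The first sample capture is constructed to mirror the diary's lines (with the same [MAC]/[SERVER] placeholders); the second, randomized sample is constructed for comparison and does not describe any particular system. Running it against your own `tcpdump -n port 53` output is a quick way to verify whether a stub resolver has picked up the port-randomization workaround after patching.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the same shape as the diary's capture: three queries whose
# source ports increment by one (49514, 49515, 49516), interleaved with their replies.
SEQUENTIAL_CAPTURE = """\
12:31:43.611624 IP [MAC].49514 > [SERVER].53: 41963+ A? www.google.com. (32)
12:31:43.623700 IP [SERVER].53 > [MAC].49514: 41963 5/7/7 CNAME www.l.google.com.,[|domain]
12:32:04.235692 IP [MAC].49515 > [SERVER].53: 44651+ A? www.yahoo.com. (31)
12:32:04.259856 IP [SERVER].53 > [MAC].49515: 44651 2/9/5 CNAME[|domain]
12:32:12.771820 IP [MAC].49516 > [SERVER].53: 25701+ A? www.ask.com. (29)
12:32:12.902074 IP [SERVER].53 > [MAC].49516: 25701 4/9/9 CNAME[|domain]
"""

# Constructed comparison sample: what a resolver with randomized source ports looks like.
RANDOMIZED_CAPTURE = """\
12:40:01.000001 IP [MAC].61523 > [SERVER].53: 10203+ A? example.com. (29)
12:40:02.000002 IP [MAC].7012 > [SERVER].53: 55678+ A? example.net. (29)
12:40:03.000003 IP [MAC].38841 > [SERVER].53: 2311+ A? example.org. (29)
12:40:04.000004 IP [MAC].52107 > [SERVER].53: 43210+ A? example.edu. (29)
"""

# Matches only the query direction: "<ts> IP <client>.<sport> > <server>.53: <txid>+ ...".
# Reply lines (server port 53 as the source) do not match and are ignored.
QUERY_RE = re.compile(r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > \S+\.53: (?P<txid>\d+)\+")


def extract_queries(capture: str) -> List[Tuple[int, int]]:
    """Return (source_port, transaction_id) for each outbound DNS query line, in capture order."""
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries.append((int(m.group("sport")), int(m.group("txid"))))
    return queries


def port_deltas(ports: List[int]) -> List[int]:
    """Differences between consecutive source ports; small constant steps mean predictability."""
    return [later - earlier for earlier, later in zip(ports, ports[1:])]


def is_sequential(ports: List[int], max_step: int = 1) -> bool:
    """True when every consecutive query moves the source port by at most max_step.

    With a predictable port the only secret left to a spoofer is the 16-bit transaction id,
    which is exactly the weakness the CVE-2008-1447 workaround (random ports) addresses.
    """
    if len(ports) < 2:
        return False  # not enough queries to judge
    return all(0 < abs(d) <= max_step for d in port_deltas(ports))


def assess(capture: str) -> Dict[str, object]:
    """Summarize a text capture: query count, distinct ports, port span and the sequential verdict."""
    queries = extract_queries(capture)
    ports = [p for p, _ in queries]
    return {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_span": (max(ports) - min(ports)) if ports else 0,
        "sequential_ports": is_sequential(ports),
    }


if __name__ == "__main__":
    for label, capture in (("leopard-style", SEQUENTIAL_CAPTURE), ("randomized", RANDOMIZED_CAPTURE)):
        result = assess(capture)
        verdict = "PREDICTABLE source ports" if result["sequential_ports"] else "randomized source ports"
        print(f"{label}: {result['queries']} queries, {result['distinct_ports']} ports, "
              f"span {result['port_span']} -> {verdict}")
```

Three queries are enough to spot a strictly incrementing counter, but on a real host capture a few dozen queries before drawing a conclusion: a randomizing resolver can legitimately produce two adjacent ports by chance, and a large port span with no constant step is the pattern you want to see.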
Andrew Storms blogged about the same issue with the OS X 10.4 (Tiger) version of the update.
Swa Frantzen -- Section 66