Apple’s patch fails to fully protect against DNS flaw

Apple's recent patch which was supposed to protect its servers against a serious Domain Name System (DNS) flaw does not completely solve the problem, according to experts.

The patch was meant to address a vulnerability which could let attackers secretly link browsers to malicious sites. However, according to nCircle's director of security operations Andrew Storms, although it works for Mac OSX servers, the patch doesn't fix Mac clients, as in its laptops and desktops, which make up the vast majority of Mac systems in the market.

Storms says in his blog that the patch fails to randomise source ports for OSX client libraries, which is necessary to completely fix the problem.

"For Apple, it matters most that they patch the client libraries", Storms says, "since there are so few OSX recursive servers in use. The bottom line is that despite this update, it appears that the client libraries still aren't patched."

The flaw was originally found by security expert Dan Kaminsky in March, and he gave the opportunity for technology giants like Cisco, Google, Yahoo and Microsoft the chance to fix the bug before the attack code could be circulated online.

The DNS acts as the net's address system, which enables computers to translate the website names people use into the numerical equivalent used by machines. If the flaw was exploited it would enable hackers to direct people to fake sites even if the correct address was written.

Apple had been noticeably slower in creating a patch than its rivals, with the patch released after a practical exploit had become available online on July 23.

Apple has already explained that it was unlikely to comment on strategic planning matters, such as the release of security updates.