toggle

AAPL Stock: 493.42 ( + 0.25 )

MacNN News

Users "can't rely" on Leopard firewall

updated 06:10 pm EDT, Tue October 30, 2007

Leopard firewall flaw

Security experts have analyzed Apple's Mac OS X 10.5 Leopard firewall, and have declared the feature unreliable, according to heise Security. Firewalls are designed to prevent unwanted traffic -- such as denial of service attacks -- from entering a secured network, and are configured to prevent unauthorized access by intruders. The firewall in Mac OS X Leopard, however, comes pre-configured to allow all incoming connections and even deactivates previously-enabled firewalls when upgrading to Leopard. What's more, even when configured to deny all incoming connections the firewall still allowed incoming connections in one test.

"A number of peculiarities emerged in the course of testing. A newly booted MacBook refused time synchronisation - only to permit it a few moments later for no apparent reason without any changes to the security settings having been made. Further, it is not clear at what point Mac OS X starts which services, or how it decides which of these should be accessible and which should not."

The results mean Mac users can't rely on the firewall included with Mac OS X Leopard, according to the experts, because even if users choose to block all incoming connections potential attackers can continue to communicate with system services like the time server.

"Both system services run as root and do not appear to be supported by Leopard's new sandbox functions. If, therefore, a security problem which can be exploited remotely to inject and execute code is detected, an attacker could gain complete control over the system - with all the consequences this entails, right up to mass distribution via a worm."

by MacNN Staff

(25)

TAGS :

Apple

Share the Article

Facebook Twitter Delious Slash Dot Digg

toggle

Comments

mgpalma
Fresh-Faced Recruit

Joined: Sep 2000

0

10/30, 06:54pm | report spam | close Reply |
Disclaimer

"If, therefore, a security problem which can be exploited remotely to inject and execute code is detected, an attacker could gain complete control over the system - with all the consequences this entails, right up to mass distribution via a worm."

Which, of course, cannot be done. I love these guys...

jameshays
Fresh-Faced Recruit

Joined: Mar 2003

0

10/30, 07:13pm | report spam | close Reply |
More...

Can you tell us why this cannot be done?

MiMiC
Fresh-Faced Recruit

Joined: Jun 2007

0

10/30, 08:42pm | report spam | close Reply |
Secure or Arrogant?

I've read quite a bit on Apple's security and how good it is (UNIX), but my concern is Apple becoming arrogant about it. Being this is a HUGE reason why people switch (the number one reason people give me), this should be front and center at all times so as to not get the M$ image.

People don't understand usability as they know nothing other than Windozz. Yes i have to tell people there are other OSes out there. 8 out of 10 don't even know what that means. BUT they do know what viruses are and Hackers! To tell them that Macs don't suffer from these makes for rather interesting conversation.

If Apple slacks on this, even for a moment, they will lose one of their top talking points.

Rich

cblackmo
Fresh-Faced Recruit

Joined: Nov 2006

0

10/30, 08:50pm | report spam | close Reply |
hmmm,

Seeing that the vast moajority of users have little to no problems with security issues on Macs, wouldn't unpredictable firewall behavior be more a problem for hostile attackers trying to predict holes in security?

normang
Fresh-Faced Recruit

Joined: Feb 1999

0

10/30, 09:10pm | report spam | close Reply |
Even If....

This is the initial release, if there really really really is a serious problem, it will be fixed in 10.5.1. which could show up any day now. And even if it doesn't show up for a month or more, your still more secure on OSX than you will ever be on any version of Windows.

ClevelandAdv
Fresh-Faced Recruit

Joined: Jul 2004

0

10/30, 09:20pm | report spam | close Reply |
Firewall

The built-in firewall is the last line of defense in any secure system. I hope that this security expert found some isolated bug and not a widespread problem. I expect when I close a port via a firewall - it is closed!

If this is turns out to be a real bug, Apple needs to fix it.

BelugaShark
Fresh-Faced Recruit

Joined: Aug 2007

0

10/30, 09:36pm | report spam | close Reply |
router

Firewalls are best when used through your router. Unfortunately many users aren't technical enough to use that route, even OS firewall for that matter.

note: Having both the OS firewall and a router's firewall creates better security.

mgpalma
Fresh-Faced Recruit

Joined: Sep 2000

0

10/30, 09:53pm | report spam | close Reply |
re: disclaimer

All of of our exposure to the numerous "serious" security threats that exist have been of 'the sky is falling' sort. While 'proof of concepts' abound none, yes none, have surfaced in the wild and no consumer Mac users have had there Macs compromised. No one should be lax about security but I am a little tired of "oh the Macs are terrible and shouldn't be trusted" propaganda. As a Network Admin I am on the receiving end of more than my share of 'Macs are inferior' type of nonsense. When listening to these experts I am often reminded of the say, "It is better to keep silent and appear stupid, than to open your mouth and remove all doubt." Clearly, that is not a wildly held belief. That being said, like I tell all of my users/people, keep your systems patched and pay attention. We run ClamX av on all of our Macs and Windows machines. Ciao, Michael

alderplank
Fresh-Faced Recruit

Joined: Oct 2007

0

10/30, 10:07pm | report spam | close Reply |
Whom do you trust?

Apple?

Or some security "experts" who deem Vista as more secure?

If there is a problem, Apple's history says they will get to it in a timely manner. On the other hand, Vista's security issues were inherited from xP, which were inherited from (ad infinitum). I hear that someday Windows will be secure. I'll bet I'm dead and long gone before it happens, if ever.

Meanwhile, this "issue" seems to be just more of the usual "innocent 3rd party" c*** that tries to pass itself off as "legitimate" information. I wonder who is their major source of funding for such "research".

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

10/30, 11:02pm | report spam | close Reply |
Re: whom do you trust

Apple?

Or some security "experts" who deem Vista as more secure? Um, neither. Apple's not in the business to protect your data/computer. They're in the business to sell you computers. And past experience has shown that they have issues.

And this isn't new, BTW. Its been reported in previous versions of OS X, along with Apple's pro apps, that they will bypass your firewall settings so they can ping all other computers on your network to see if the same app is installed with the same activation keys. So even if you say "Block everything!" it gets through.

If there is a problem, Apple's history says they will get to it in a timely manner.

Just like the issues with 10.4.10 where it disabled USB web cams, not to mention drop-out problems with Airport on MBPs? Or maybe the 'security' issues they fix quickly, except for that one reported a year ago that was found to still be open on the iPhone?

On the other hand, Vista's security issues were inherited from xP, which were inherited from (ad infinitum). I hear that someday Windows will be secure. I'll bet I'm dead and long gone before it happens, if ever.

Guess you didn't hear the news that Vista was mainly rewritten at one point, rather than just an upgrade of the underlying code from XP. Thus, the security issues in XP wouldn't be inherited. Not saying there aren't new ones, but if there are, there's a lot fewer of them then XP has.

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

10/30, 11:05pm | report spam | close Reply |
Re: router

Firewalls are best when used through your router. Unfortunately many users aren't technical enough to use that route, even OS firewall for that matter.

Many users don't have a router, so the OS firewall is necessary for them.

And does Apple turn the firewall on by default in x.5? It never was previously.

JackWebb
Fresh-Faced Recruit

Joined: Aug 2007

0

10/31, 12:06am | report spam | close Reply |
Not following this

Just for laughs I thought I'd try some of the things they tried. I wasn't able to reproduce anything, problem or otherwise so maybe I'm missing something about their testing procedures. Seems a bit murky to me. Seems like they are doing some things locally and others remotely but I don't know which when.

I did try some easy ones myself like turning AFP on and turning the firewall on and off and everything works as expected.

For a bit of clarity: Firewall is off after installing Leopard fresh. I'm really surprised Apple doesn't appear to be using ipfw for the client firewall. They do for the server in Tiger. I confirmed that ipfw list is unchanged regardless of firewall settings in System Preferences:Security.

I'd like an explanation from Apple on this one. What kind of firewall is this really supposed to be? What are we supposed to expect?

BelugaShark
Fresh-Faced Recruit

Joined: Aug 2007

0

10/31, 02:15am | report spam | close Reply |
jack� your the man

while where in here arguing about this ambiguous report, you went ahead and put it to the test, great job, we all should do that more often.

ViktorCode
Fresh-Faced Recruit

Joined: Jan 2006

0

10/31, 05:39am | report spam | close Reply |
Leopard is hot topic

So why don't we, self-proclaimed security experts, being as incompetent as we are (who else would use words like "Further, it is not clear at what point Mac OS X starts which services, or how it decides which of these should be accessible and which should not.") won't write some kind of security report on Leopard security? It better be a negative one, this way it surely will end in headlines of MacNN and the likes.

About real exploits and proofs... who cares about it these days, people are paranoid about security, and many will likely believe to anything "security experts" are going to say, no matter what their credibility is.

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

10/31, 07:14am | report spam | close Reply |
firewall

I'd like an explanation from Apple on this one. What kind of firewall is this really supposed to be? What are we supposed to expect?

I think its supposed to be similar to Little Snitch (or ZoneAlarm for you PC geeks). But I just assumed it was still using ipfw. If not that, what software is it using? Is it another open-source firewall or a in-house solution?

Tanker10a
Fresh-Faced Recruit

Joined: Jan 2003

0

10/31, 08:55am | report spam | close Reply |
Re: whom do you trust

We live in the "Blame Game" environment through lawsuits. No one wants to be accountable for ANYTHING. If you trust Apple or MSFT to totally safeguard your computer for you, then it's too late. I have been using OS-X since it's been released and I have never enabled my Firewall from the Sharing System Preferences to date. In fact I have never used an Anti Virus since Virex. But If something was to happen to my macs, it's not Apple's fault. It's mine. So regardless what all these "security experts" have to say, you are not going to catch them all. The user HAS to take the initiative. Also, we should be greatful that the people at 1 Infinite Loop typically acknowledges when there is something SIGNIFICANTLY wrong in terms of security and they take corrective actions... Whom do you trust? Your computing habit is what you should trust!

Tanker10a
Fresh-Faced Recruit

Joined: Jan 2003

0

10/31, 08:56am | report spam | close Reply |
Re: whom do you trust

We live in the "Blame Game" environment through lawsuits. No one wants to be accountable for ANYTHING. If you trust Apple or MSFT to totally safeguard your computer for you, then it's too late. I have been using OS-X since it's been released and I have never enabled my Firewall from the Sharing System Preferences to date. In fact I have never used an Anti Virus since Virex. But If something was to happen to my macs, it's not Apple's fault. It's mine. So regardless what all these "security experts" have to say, you are not going to catch them all. The user HAS to take the initiative. Also, we should be greatful that the people at 1 Infinite Loop typically acknowledges when there is something SIGNIFICANTLY wrong in terms of security and they take corrective actions... Whom do you trust? Your computing habit is what you should trust!

horvatic
Fresh-Faced Recruit

Joined: Apr 2002

0

10/31, 10:14am | report spam | close Reply |
How many Macs have been

How many Macs in the real world have been remotely compromised? Answer NONE! ZERO, ZILCH, NADA! There's a real security flaw with that alright compared to Windows, hundreds of thousands of times with big companies losing millions in data loss if not billions. Believe me I would trust the Macs firewall as it has not been compromised to date which is 7 years running in the real world.

hayesk
Professional Poster

Joined: Sep 1999

0

10/31, 10:35am | report spam | close Reply |
Compromised services

The firewall may not be on, but neither are most of the services. Until someone compromises NTP, is there really anything to worry about?

Does it need to be fixed? Sure. But I'd rather these security articles simply present the facts and consequences rather than try to inject personal opinions.

TheSnarkmeister
Fresh-Faced Recruit

Joined: Jun 2007

0

10/31, 10:46am | report spam | close Reply |
Never trust...

When a media outlet starts quoting unnamed "experts" you know they are fluffing. Any expert worth the name is most certainly willing, indeed proud, to have their name attached to his work. Unnamed experts are by definition either hacks, or invited whole from the reporter's pen.

hokizpokis
Fresh-Faced Recruit

Joined: Jan 2007

0

10/31, 11:49am | report spam | close Reply |
knee jerk reaction

before jumping out of airplane:

1. unbuckle safety belt 2. remove cocktail from kungfoo tighting grip 3. confirm silk parachute is tighly secured around neck 4. jump 5. configure ipfw 6. jump 7. wait for landing 8. else fails 9. disable ipfw (NOT) (!)

errr.... does anyone take this !@#$%^& seriously

robttwo
Fresh-Faced Recruit

Joined: Nov 2005

0

10/31, 12:38pm | report spam | close Reply |
Real Flaw, no kidding

I have discovered a serious and crucial flaw in the OXS operating system, which can be exploited easily and will destroy all of your data within seconds of a malicious attack.

All you have to do is buy my services and I will fix it for you.

Doofuses.

macs4all
Fresh-Faced Recruit

Joined: Aug 2003

0

10/31, 01:11pm | report spam | close Reply |
Already Debunked as False

Over on slashdot.org, where their readership is mainly Linux geeks, many of whom also love OS X, they have already "outed" the shoddy and even outright dishonest techniques employed by the Heise people. Sorry to crosspost, but here is a snippet from one of the commenters to the slashdot article on the Heise report:

"I notice in their report that they complain about services Nmap lists as "open/filtered". Nmap reports that result when it encounters a port that elicits no reply whatsoever to a probe. This happens only when a firewall is dropping all traffic to a port and not generating any ICMP error packet for the attempt. The TCP spec says if a port isn't open the client should get an ICMP error, so Nmap knows that there's something there even if access to it's being blocked. If this is any indication of the quality of this "analysis", we can discount the article."

'Nuff said!

fubar_this
Fresh-Faced Recruit

Joined: Jul 2006

0

10/31, 08:46pm | report spam | close Reply |
Firewall explanation

The firewall in Leopard does not use ipfw,it uses a new socket firewall that works on the application level (/usr/libexec/ApplicationFirewall).

However this does cause problems because Apple wants to allow the built-in system daemons like ntpd and mDNSResponder. You should know, both have been shown to have remotely-exploitale vulnerabilities, as recently as August (http://www.securityfocus.com/bid/24159, http://www.securityfocus.com/bid/24924). So obviously some users would want to block access to those applications, especially enterprise IT, but they must resort to using ipfw from the command line in Leopard. However, it is important this is no different in Tiger, where the GUI for the firewall automatically allowed all traffic on ports 5353 and 123. So Leopard isn't better or worse in that area.

Where Leopard's firewall does fail is its limited options. For example: 1) On computer A set the firewall in Leopard to "Set access for specific services and applications" 2) On the command line from computer A, type "nc -l 5000" 3) On computer B, from the command line, type "nc 5000" and hit return 4) Type "Foobar" from computer B. You'll see "Foobar" echoed on Computer A, meaning you connected to computer A successfully, without the firewall ever alerting you.

It would seem that the firewall does not work. However this is not the case. The firewall is actually allowing nc automatically because it is installed with OS X and has the Apple codesigning signature. It's not really desirable to let nc just start listening on any port it wants however because any malware could simply fork/exec nc (or use a shell script), pipe its output into a new file descriptor, and use that to communicate and bypass the firewall.

IMHO this is an unusable firewall, and Apple needs to (a) clarify how it works and (b) make it better before it's considered an actual security mechanism and not just a marketing feature.

horvatic
Fresh-Faced Recruit

Joined: Apr 2002

0

11/01, 12:32pm | report spam | close Reply |
Turn on Stealth mode

Turn on the Firewall In security settings and then click on the advanced button. Turn on Stealth mode. I ran a complete port check at Steve Gibson's security site Shields Up which tests your systems security and firewall settings. In Stealth mode on leopard my Mac achieved a perfect score with no ports open to be compromised. The firewall setting needs to be turned on, that's obvious for most users. I think this story is over blown and OSX's security speaks for itself 7 years running without being compromised in the real world. Turning on Stealth mode will ensure that will continue.

Show More Comments

Login Here

toggle

Network Headlines

02/12	Google said building huge facilities...
02/10	Apple sells scaled-back 13-inch MacBook...
02/10	Apple sues Motorola over alleged Qualcomm...
02/10	Leaks: whole MacBook Pro line to drop...
02/10	Jobs did serve on Bush export council...

Show All

02/12	Google said building huge facilities...
02/10	Apple sues Motorola over alleged Qualcomm...
02/10	Leaks: whole MacBook Pro line to drop...
02/10	Amazon could have Kindle Fire 9-inch...
02/09	Google said making self-branded wireless...

Show All

02/09	Apple explores environment-sensitive...
02/08	Paul McCartney to perform live concert...
02/06	Microsoft prepping Dynamics CRM apps...
02/03	iBooks Author update clarifies EULA...
02/02	Bug in iTunes Match may switch 'explicit...

Show All

02/10	$380 off refurbished 2.8GHz Mac Pro...
02/09	iHome Dual Alarm Clock for Apple iPod...
02/08	Save 69% on SanDisk Cruzer 32GB USB...
02/07	Refurb. Olympus 14MP Digital Camera...
02/06	17-inch, 2.2GHz MacBook Pro, cut to...

Show All

toggle

Users "can't rely" on Leopard firewall

updated 06:10 pm EDT, Tue October 30, 2007

Leopard firewall flaw

Disclaimer

More...

Secure or Arrogant?

hmmm,

Even If....

Firewall

router

re: disclaimer

Whom do you trust?

Re: whom do you trust

Re: router

Not following this

jack� your the man

Leopard is hot topic

firewall

Re: whom do you trust

Re: whom do you trust

How many Macs have been

Compromised services

Never trust...

knee jerk reaction

Real Flaw, no kidding

Already Debunked as False

Firewall explanation

Turn on Stealth mode

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

10 Most Read

10 Most Discussed

MacNN Marketplace

Users "can't rely" on Leopard firewall

updated 06:10 pm EDT, Tue October 30, 2007

Leopard firewall flaw

Related Articles

Recent Articles

Disclaimer

More...

Secure or Arrogant?

hmmm,

Even If....

Firewall

router

re: disclaimer

Whom do you trust?

Re: whom do you trust

Re: router

Not following this

jack� your the man

Leopard is hot topic

firewall

Re: whom do you trust

Re: whom do you trust

How many Macs have been

Compromised services

Never trust...

knee jerk reaction

Real Flaw, no kidding

Already Debunked as False

Firewall explanation

Turn on Stealth mode

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

10 Most Read

10 Most Discussed

MacNN Marketplace