11/03/2007, 1:20pm, EDT
Saturday, November 3rd
Firm questions Leopard's firewall, security
Apple's Mac OS X Leopard operating system was designed to be more secure, but industry professionals are saying that the OS has some serious security flaws that should be a priority for the Mac OS team. Heise Security has discovered several vulnerabilities that may cause trouble for users, including a large flaw in the firewall: Leopard's firewall is deactivated by default, but even when it is activated, it is said to allow all incoming connections – trusted or not – which eliminates the point of a firewall almost entirely.
"In contrast to, for example, Windows Vista," Jurgen Schmidt writes, "the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."
Heise recommends activating the firewall, and enabling the option to "Set access to specific services and programs", allowing Leopard to automatically enter information pertinent to a user's shared resources. The security company believes, however, that this option could lead to a trojan setting up residence in the system, providing a "back door" of sorts into the OS.
The article describes everything that Heise discovered over the course of their testing, outlining various security flaws that are inherent in Leopard.
Filed under: troubleshooting
And if I leave the door open to my house with a sign that says "come in and smash up my computer" and I leave for 2 weeks something bad may happen.
The "company" (used in quotes because all of these seem to be scam artists and not legitimate businesses) that shows me that MAC that is 1/1000 as vulnerable as a Windows machine will have my undying and deep-pocketed loyalty.
When it comes to "your machine may not be as safe as you think" - ask who will benefit from you believing this?
Doofuses.
It's nearly as bad as the simple exploit in 10.2 that allowed anyone to recover the FileVault password with the help of a simple shell script.
Apple could do better.
However, Heise is a well-respected company, they usually know what they do, so I really wonder how they got different results. It's not entirely clear from their article.
Someone else will have to confirm or disconfirm this story.
They are certainly right in claiming that in comparison to other Unix systems, OS X updates open source components less often. It's indeed a security problem.
Everyone comes from the idea that the firewall *must* be on for your computer to be safe. Well if there are no open ports, how the heck can someone "get in"? It's as painfully simple as that.
The firewall is not the end-all solution to security. There's user education, the platform in which you're talking about, and plenty of other topics. Why do Windows users still get viruses even with their precious firewall turned on?
It's FUD people, meant to grab headlines, sell products, or the like. Simple fact, don't turn on services, you'll win half the battle.
On the flip side, Leopard's firewall is too simplified. At least in Windows I can set specific port ranges, address ranges, etc. The technology is right in OS X, it's just not in the GUI unless you're talking about OS X Server, which it is. Add in the granularity that 'Server provides and I think that'd squash a lot of the crying.
You can test your firewall yourself by using some of the free online port scanners.
By the way, I can confirm that after installing Leopard, the firewall is switched off, even if it is an upgrade install and the firewall was previously switched on. You've got to turn it on again manually.
Please, no more same BS.
Although the firewall is off by default, there are NO SERVICES RUNNING (no ports open).
Compare to Windows XP which has ports open AND no firewall (or Vista asking for permission so much that people don't really care about what they allow), by default Mac OS X is definitely more secure than Windows, because NO PORTS ARE OPEN in OS X by default.
But, then, it must be nice to live in a world where you trust every piece of software on your computer, including the OS, to not open a port to listen on.
The point here is, just because 'no ports are open', doesn't mean no ports will become open.
But, hey, why argue any of these points, when it's much easier to either talk up Windows' issues, deride the report as being an MS-funded FUD report, or claim it's an attempt to just sell services.