
Printed from http://www.macnn.com

Firm questions Leopard's firewall, security

updated 01:20 pm EDT, Sat November 3, 2007

Leopard security holes

Apple's Mac OS X Leopard operating system was designed to be more secure, but industry professionals are saying that the OS has some serious security flaws that should be a priority for the Mac OS team. Heise Security has discovered several vulnerabilities that may cause trouble for users, including a large flaw in the firewall: Leopard's firewall is deactivated by default, but even when it is present, it is said to allow all incoming connections - trusted or not - which eliminates the point of a firewall almost entirely.

"In contrast to, for example, Windows Vista," Jurgen Schmidt writes, "the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."

Heise recommends activating the firewall, and enabling the option to "Set access to specific services and programs", allowing Leopard to automatically enter information pertinent to a user's shared resources. The security company believes, however, that this option could lead to a trojan setting up residence in the system, providing a "back door" of sorts into the OS.

The article describes everything that Heise discovered over the course of their testing, outlining various security flaws that are inherent in Leopard.




by MacNN Staff


Comments

  1. Macola

    Joined: Dec 1969

    0

    Yawn

    Didn't we hear this already?

  1. bobolicious

    Joined: Dec 1969

    0

    Double Doh!

    ...if true this is pretty hard to believe...

  1. robttwo

    Joined: Dec 1969

    0

    Bull Schmidt

    Enough already.

    And if I leave the door open to my house with a sign that says "come in and smash up my computer" and I leave for 2 weeks something bad may happen.

    The "company" (used in quotes because all of these seem to be scam artists and not legitimate businesses) that shows me that MAC that is 1/1000 as vulnerable as a Windows machine will have my undying and deep-pocketed loyalty.

    When it comes to "your machine may not be as safe as you think" - ask who will benefit from you believing this?

    Doofuses.

  1. DocZ

    Joined: Dec 1969

    0

    a disaster

    I'm shocked about this news. The fact alone that the firewall is switched off by default after an upgrade even if it was switched on in Tiger is a scandal.

    It's nearly as bad as the simple exploit in 10.2 that allowed anyone to recover the file vault password with the help of a simple shell script.

    Apple could do better.

  1. DocZ

    Joined: Dec 1969

    0

    but is this true?

    Before I contribute to some FUD, allow me to correct my previous post. I've done some tests with publicly available port scanners, and found no problems with the most standard ports. When the firewall was active, all were closed or didn't respond at all when stealth mode was selected.

    However, Heise is a well-respected company, they usually know what they do, so I really wonder how they got different results. It's not entirely clear from their article.

    Someone else will have to confirm or disconfirm this story.

    They are certainly right in claiming that in comparison to other Unix systems, OS X updates open source components less often. It's indeed a security problem.

  1. InfraredAD

    Joined: Dec 1969

    0

    Lame....

    Why oh why do I need to worry about a Firewall if there are no ports open on my Mac....??? How can a "firm" accurately report this kind of rubbish?

    Everyone comes from the idea that the firewall *must* be on for your computer to be safe. Well if there are no open ports, how the heck can someone "get in"? It's as painfully simple as that.

    The firewall is not the end-all solution to security. There's user education, the platform in which you're talking about, and plenty of other topics. Why do Windows users still get viruses even with their precious firewall turned on?

    It's FUD people, meant to grab headlines, sell products, or the like. Simple fact, don't turn on services, you'll win half the battle.

    On the flip side, Leopard's firewall is too simplified. At least in Windows I can set specific port ranges, address ranges, etc. The technology is right in OS X, it's just not in the GUI unless you're talking about OS X Server, which it is. Add in the granularity that 'Server provides and I think that'd squash a lot of the crying.

  1. DocZ

    Joined: Dec 1969

    0

    not that lame

    You should worry about your firewall if the claims in the original article are correct. It's not apparent from the macnn article, but in the original article they claim that the default install according to their tests left services running, no matter what you did from the GUI, and left their ports open. If that's true, it's definitely a huge security problem, as you cannot switch off these services from the GUI. (That's what they claim.) My own quick tests did not confirm this, though. At least the standard ports were closed by the firewall as they should have been. However, as I said, Heise is a well-respected company, and no, they don't sell any Macintosh security products. They publish a relatively serious, engineering-oriented PC magazine, publish books, and run a free firewall test site among other things. So I really wonder what they did to get those results. My guess is they used a test machine with which they had previously messed around and not a clean install.

    You can test your firewall yourself by using some of the free online port scanners.

    By the way, I can confirm that after installing Leopard, the firewall is switched off, even if it is an upgrade install and the firewall was previously switched on. You've got to turn it on again manually.

  1. ViktorCode

    Joined: Dec 1969

    0

    Heise Security

    could have been a respected company before, but not anymore. To my eyes they are just incompetent. You can find the proof in comments for previous Leopard firewall related news on MacNN.

    Please, no more of the same BS.

  1. dliup

    Joined: Dec 1969

    0

    FUD

    Ok, if anyone actually used Leopard, here is the deal.

    Although the firewall is off by default, there are NO SERVICES RUNNING (no ports open).

    Compared to Windows XP, which has ports open AND no firewall (or Vista asking for permission so much that people don't really care about what they allow), by default Mac OS X is definitely more secure than Windows, because NO PORTS ARE OPEN in OS X by default.

  1. testudo

    Joined: Dec 1969

    0

    open ports

    I love the comments about how OS X has "NO PORTS OPEN". Whether ports are "open" is a matter of a firewall, not the OS. What I think you mean is that "NO DAEMONS ARE RUNNING THAT LISTEN TO ANY PORTS". It's by turning on different services that ports become 'open'.

    But, then, it must be nice to live in a world where you trust every piece of software on your computer, including the OS, to not open a port to listen on.

    The point here is, just because 'no ports are open', doesn't mean no ports will become open.

    But, hey, why argue any of these points, when it's much easier to either talk up Windows' issues, deride the report as being an MS-funded FUD report, or claim it's an attempt to just sell services.
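The distinction drawn in the comments above, between a firewall blocking a port and no daemon listening on it, can be checked locally on any machine. This added example (not part of the original article or of any comment) parses constructed sample output in the format of `lsof -nP -iTCP -sTCP:LISTEN` and reports which listeners are bound to a non-loopback address; the sample rows and the function names are assumptions.

```python
import ipaddress

# Constructed sample in the format printed by `lsof -nP -iTCP -sTCP:LISTEN`.
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     120 root    7u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     120 root    8u  IPv6 0x1a2c      0t0  TCP [::1]:631 (LISTEN)
launchd     1 root   21u  IPv4 0x1a2d      0t0  TCP *:548 (LISTEN)
sshd      310 root    4u  IPv6 0x1a2e      0t0  TCP *:22 (LISTEN)
httpd     412 www     5u  IPv4 0x1a2f      0t0  TCP 192.168.1.20:8080 (LISTEN)
"""


def parse_listeners(text):
    """Return (command, pid, bind_address, port) for each LISTEN row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue  # header line or a socket that is not listening
        addr, _, port = fields[-2].rpartition(":")
        rows.append((fields[0], int(fields[1]), addr.strip("[]"), int(port)))
    return rows


def reachable_from_network(addr):
    """True when the bind address accepts connections from other hosts."""
    if addr == "*":  # wildcard bind: every interface
        return True
    return not ipaddress.ip_address(addr).is_loopback


def exposed(text):
    """Sorted, de-duplicated (port, command) pairs that only a firewall protects."""
    return sorted({(port, cmd)
                   for cmd, _pid, addr, port in parse_listeners(text)
                   if reachable_from_network(addr)})


if __name__ == "__main__":
    for port, cmd in exposed(SAMPLE):
        print(f"tcp/{port} {cmd} accepts remote connections")
```

An empty result means no daemon accepts remote TCP connections at that moment; it says nothing about software that starts listening later, which is the case a firewall is meant to cover.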
