Leopard Has More Holes than Spots

By Lisa Vaas  |  Posted 2007-10-30

Updated: Leopard's firewall is a mess, say researchers, shutting off by default and allowing connections even under "block all."

Security has slipped backwards on the evolutionary ladder in Apple's latest Mac OS X release, security researchers say, with Leopard's firewall having more holes than its namesake cat has spots. "The short answer is the Leopard firewall is ... ugly and a step backwards from 10.4," said Rich Mogull, an independent security consultant and founder of Securosis. The first security hole is that Leopard's firewall turns itself off by default on installation—even if a user had the firewall turned on before upgrading. That choice flies in the face of what Microsoft has done with Vista, for example: harden security by shipping the operating system with security measures on by default.
Security researchers are also chagrined that Leopard only allows a choice between allow all, deny all, or pick by application, and that it completely hides the firewall rules in a black box that isn't user accessible, Mogull told eWEEK. Even worse, a security researcher from Heise Security has found that the configuration of "block all" does anything but that—meaning that the firewall essentially can't be trusted.
Another issue with Leopard is that, although the newest Mac operating system still includes the open-source firewall ipfw, it needs to be manually configured at the command line. "I installed Leopard over the weekend and let's just say I plan on hunting down some good ipfw rules sets and will be checking to see if WaterRoof, a [Mac OS X] GUI utility for the firewall, will work in Leopard," Mogull said.
Heise Security's Jürgen Schmidt on Oct. 29 posted an appraisal of Leopard's firewall that concluded that "initial functional testing has already uncovered cause for concern," in spite of the fact that "Apple is using security in general and the new firewall in particular to promote Leopard."
"The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the Internet or wireless networks," Schmidt wrote in the posting. "But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is … deactivated. … In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."
"Only Apple can explain what precisely is going on here," Schmidt wrote with regards to the firewall's failure to prevent a test service from starting that was initiated by the user and could well have been a Trojan. Perhaps Apple could explain, but the company chooses not to.
Instead of addressing perceived flaws in the firewall, an Apple spokesman told eWEEK only that the company "takes security very seriously," that it has "a great track record of addressing potential vulnerabilities before they can affect users," and that it always welcomes feedback on how it can make security better on the Mac. Regarding the firewall's allow all, deny all, or pick by application choices, Mogull noted that the choices are a step backward from the flexibility of Mac OS X 10.4, where the firewall was network service-based, not application based.
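As an added example (not part of the article, and not Apple's or Heise's code), here is a minimal ipfw ruleset of the kind Mogull says he will be hunting for: loopback and replies to outbound traffic are allowed, only explicitly listed inbound TCP ports are exposed, and everything else arriving from the network is logged and dropped, which is the "sealing off local services" behaviour Schmidt describes. It assumes Leopard's ipfw loads one rule per line from a file, and the rule numbers and port list are illustrative.

```shell
#!/bin/sh
# Added example, not from the article. Rule numbers and the exposed-port
# list are assumptions; ipfw's default rule 65535 on Mac OS X allows
# everything, so an explicit inbound deny is required near the end.

gen_ipfw_rules() {
  # $1: space-separated TCP ports to expose to the network (may be empty)
  cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 00400 check-state
add 00500 allow tcp from me to any out setup keep-state
add 00600 allow udp from me to any out keep-state
add 00700 allow icmp from any to any icmptypes 0,3,8,11
EOF
  n=1000
  for p in $1; do
    # One stateful accept rule per exposed service port.
    printf 'add %05d allow tcp from any to me %s in setup keep-state\n' "$n" "$p"
    n=$((n + 10))
  done
  # Any other inbound packet is logged and dropped.
  echo "add 65000 deny log ip from any to any in"
}

count_rules() {
  # Number of rules the generator emits for a given port list.
  gen_ipfw_rules "$1" | grep -c '^add '
}

apply_ipfw_rules() {
  # Load the ruleset; needs root on a 10.5-era Mac with ipfw present.
  f=$(mktemp /tmp/ipfw.XXXXXX) || return 1
  gen_ipfw_rules "$1" > "$f"
  ipfw -q flush && ipfw -q "$f"
  rc=$?
  rm -f "$f"
  return $rc
}
```

Run `gen_ipfw_rules "22"` to inspect the rules before calling `apply_ipfw_rules "22"` as root; `ipfw show` afterwards lists the loaded rules with their hit counters.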

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
