Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Leopard Has More Holes than Spots



 By: Lisa Vaas
2007-10-30
Article Rating:starstarstarstarstar / 12


There are 1 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Leopard Has More Holes than Spots
  2. ' Leopard Has More Holes '

Rate This Article:
Poor Best
Leopard Has More Holes than Spots
( Page 1 of 2 )

Updated: Leopard's firewall is a mess, say researchers, shutting off by default and allowing connections even under "block all."Security has slipped backwards on the evolutionary ladder in Apples latest Mac OS X release, security researchers say, with Leopards firewall having more holes than its namesake cat has spots.

"The short answer is the Leopard firewall is ... ugly and a step backwards from 10.4," said Rich Mogull, an independent security consultant and founder of Securosis.

The first security hole is that Leopards firewall turns itself off by default on installation—even if a user had the firewall turned on before upgrading. That choice flies in the face of what Microsoft has done with Vista, for example: harden security by shipping the operating system with security measures on by default.

Security researchers are also chagrined that Leopard only allows a choice between allow all, deny all, or pick by application, and that it completely hides the firewall rules in a black box that isnt user accessible, Mogull told eWEEK. Even worse, a security researcher from Heise Security has found that the configuration of "block all" does anything but that—meaning that the firewall essentially cant be trusted.

Resource Library:
To view an eWEEK slideshow of eWEEK Labs walk-through of MacOS X Leopard.

Another issue with Leopard is that, although the newest Mac operating system still includes the open-source firewall ipfw, it needs to be manually configured at the command line.

"I installed Leopard over the weekend and lets just say I plan on hunting down some good ipfw rules sets and will be checking to see if WaterRoof, a [Mac OS X] GUI utility for the firewall, will work in Leopard," Mogull said.

Heise Securitys Jürgen Schmidt on Oct. 29 posted an appraisal of Leopards firewall that concluded that "initial functional testing has already uncovered cause for concern," in spite of the fact that "Apple is using security in general and the new firewall in particular to promote Leopard."

"The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the Internet or wireless networks," Schmidt wrote in the posting. "But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is … deactivated. … In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."

"Only Apple can explain what precisely is going on here," Schmidt wrote with regards to the firewalls failure to prevent a test service from starting that was initiated by the user and could well have been a Trojan.

Perhaps Apple could explain, but the company chooses not to.

Instead of addressing perceived flaws in the firewall, an Apple spokesman told eWEEK only that the company "takes security very seriously," that it has "a great track record of addressing potential vulnerabilities before they can affect users," and that it always welcomes feedback on how it can make security better on the Mac.

Regarding the firewalls allow all, deny all, or pick by application choices, Mogull noted that the choices are a step backward from the flexibility of Mac OS X 10.4, where the firewall was network service-based, not application based.

Page 2: Leopard Has More Holes than Spots





  Reader Comments: Leopard Has More Holes than Spots
>>> Post your comment now!
Where are all the comments?
This web article is more than a year old. Why are there no comments at all?
Posted At: 12-24-08
By: A Poster
>>> Post your comment now!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


xr8(ViW1EeT!rYST宎/BA6EjHK8Nܗx3pBI^˖0Hd&D?;;~$rH5g6%E]"I~x(`\˩IZNڶ? }~mkruz>;|9|ALTadL8iwdD|ϨDQ_FܨY:`&`1Z4lR j9i?xi-'@IR(CѺ(Dߵ-m: ]'|+*7܉x8ѽ/DeOXHQIMbBy85F ;zVq;L 18`TKp@kMmWVekV*6^@^jc\ȁY{74&lwrDFL$HIp'z:pm3k N\#53' 螥{ɧ5u5I u1 ߙecfy 3?b Jw3D~ /Wק'O׭uvIsEV@|ˤd6L2Tch^ԩ#5ǯ-iVV5V z[SĿ G/<@'LY1p3Z&j9T23=jMHk 3!RBʼĿIK _VPJB-)\D7h+ԌTwIQQ#{̌_"ʥec^IcFs^ 4l.k\GBtʢ9QY + \M흙޼G=-*<Oާ ^v.nvMxXnvZM( 8ǹ:on:jr56k_)Aa^Tr{hc2ud8԰:AG:ڴ;\gVc4!Dhap{4ڭl= KpI}xXOk9 &ztmP``#eg! uK ΝdrkoMC?Ft zt t,/G`\@8)Hpy E]ub3B[>ȁ=woMou &QsfPBԁ.q<ɜK) D@H@t"AђF *4 gs#X"K"'GAwW;.VKŤ\*y"JM':ݑWKRx&,S,BV-KᗄPf%i2mlƲń(VFNl(0Vn)ƈMGs{wD` [q37oj7ab#C[l~pe l4T fFfO ~5lwfB9\O,{t?GcNEi[Jι/7N)j`ޗJ7v2gNP/h|WY 3EDVhdF!Z! = \P-T)w^IY䞅T_9YX X` ,R?v'6I Xh8G/C4jU24-%ւfkh@r6ҞvaXZ @-ĿEi la-W0k^. )-P|U$"6XRvӱ ’al`cy!Csz QIjOMu>{j -j&[?&TYOLYV<~ISʡUb1vn g%A qsGIjJirir68u>)MKϵ("ݩ{zl>qGlcp6hBJmHw:v'J[Y*b=)4u_ՖL-F*|( +)#NWɅk?L/,{ isqMّ.R\|zlN BrShfh:l<}:8Hy¬5ѝ_φRP՘Iڏ9&_G5 k^ˣ6Wеm.2躢΍Ʊ4St%ҶY4h_ESk@b8"T2paLHa0] elaؼ/kьV4:E80ef+ꭦT+7wAQ K1kM8vهE1G{E[ :7a/S" @4hÀ<>B SL@r~q1 b (h bAzp (|X7,@ХCkz]W9(#߭%hh<^H+~%&ZYUKâZTpWt~UQ@HSj@'p/q8^~b-0,~Q}zMM{] \μ + '3E<& {H[eX|x%_(ƤOMqс,u`MUpn`{y~t=GXqD ҀJ ^ƙd)2ݝ'(R~-hoZYPYf0`l*{~Ie(f~KkJ$XS 1j>Lk}\SJuuRXY:چHiw3 9f5N+ivnF*ϛ=G$1*@7Z E4 O"lGIpR|9~->s)7poj)O@?(1ɧMC 7PɕGf/fIC{EY(..%uP*jIIz$`wE礠vdi&x9LLfl'P`P(c&jDmRx*+nQ/ew> Q? &i^IW:+y*1`2J8[G knqۇ:a{F*ݔY`'\KZa OsGF:Lpz]zߍ uRԣ{{+7}óA"wS[UuMg\Դ"hw ĶRs?'}DږiBq=C HQ=Y rvrYdPHb.XO}+tSZ1wOX]dK!OWƒ"Eq D~|8ZƇ&?pȾYMw$(Xtcs'q/gzVDl/''6|v<2CHv4|uNqu!>w!Cr޺hJIcxΥx\NC{R‥G!hUHf*<bSڌ7M ,#Z]>0swMT/!mE@I}\48`\5c-ɅH'ຟUc z E0Wvq0fU,yy~ïU2k~  I+trc}E9 k@JA=o8iu/_i%D( 1t}ES)Q\(hIsL G)_(o0[LӷoHWY;D_q-sz4~\2Z9ntL:{dNlp j`ySrg4/3_{QZinyz}@ƖiR'DZ3pu*h hw?m-~=`rvBC:DHA2S1 F]nĖ9)ŔN yr4 AGJ脊bye5))e3O5NRMLC]OC/$$;+B:zs gaM6mn3gjn_"=O&8v\d0G`qk7É@P VްG[(ŤYGJ^KjpVKU^4@ : 3eZ& 3Z;Uj"ı0@k#O. tnx7Ć+^@)s^XL2k-x+gY6/t0w>_z|oQM2Gz1?nQtvzN` s {cAO[uvp߁؁ ?O.yrorW&Nk uovV8}_OJowؽsܶ<850Nd$4P$yUZ¶/VU $]te%FpZx>2M#}l%3 wD/ Z{.V's:ǘL//$;Z(T_DdhEURB &WLΩnbD;Dv繞G!0 B~jщ5`!OY[F`/H1hab q=A\лXѥZ&7WFcv6m(wt0=P͠FPle~yh5R~-d%ƨpBt?_#r^zƗs=omJ}ыMaKvF3 @^v ;҂:G.-1xmfp'!a@ܜo##WȼhD1s8 L,Ob9â13u;A8Nb xQ)"S# :2cs[-&5M1 /#3mpeFqp lCx; ӊأweODsyVdA~wI wR{JY,ܣLɒ+v>oWHJ!H4X& 4AJXG'''\9ӵ Hru@L_ "5=Li-i_Q R rqH$-b\MXX} i8z|)aMK&2Ew XyKQg)^J疁7G#W}QU^ P€2aMH__/pk#bySn,>7&+rvT+uԑ]#W0YzBJtM0^=97J6ܩc LYLZh|8ub;e)eO}IF;kClBDύWXH8&ߐ} ](VP.SR $ AUpb׷~Vy.ki}0&XRAb/mܥczeJg5%/bѥ#OjRB!pLllR٢#—YH'Ulr=v+Ix@ܚ%%%%b&䧻cU^[bxSbvd暤ՌIVk>`u=_R j$qi@0I6AўX>ԓGаz3 2IB{EnΦ~#{NB%hԟVzik)&dRW [3_wkDH@^PÛyx/FE.|O!6EoѴkN1>fs{<`?,($5W2(b1cS[<\t:z|BaṁDO ATt 8dW-Tʯ? sЁPfh,µ0sNuϜ6w! I9WaVO~d*^vTo·vF5 x|v=эe+_g2^Oآ믆'uzYߨڷvF}6.`ZO\+˿1XSF B|/}i_> ̦)-7I&oatϣNi}]ouLi6$]Pi`s3<*%30Áq~5lՎwE HC#3HSoGߪm]}\}g{ Ǜtć3>t_ȟװ]7 Ie{/]_g+^5e=6 c K@Sn{M\ ūOh1T+wŷqj4 @d4++ozs"TRZ3h~9lV&6S#{M_ro&`fljVX'EQZO0m-mYޣ.{UrZZN nn9n}6]yG¡YIj|!"YJD:`7|SSD 2sJf6p7LAh` >d6,'? .\ޮb>U&ܺF:?_7u/= ^Fxљ#q1˼ Xful;hO;8#b1D b@/j S]w>}L-̈zD7 &?E͝~Ke! ű߱yxȜ^){`܀*ZWqUBZP_'"~?~TO2 qRfSx)k f?f:u&/[zωX#? KH)PG%ݫC~&S t'8q'y'&>y|`'㷈5DCঀ:~*PH .Lvxrwe9? X-+F=t];=Ub~[71W8M-Vz8=겆&:Ba{D0‡솝ECg*׶'NtMg-F 7a%0mgcWF%5z J 0~AX^qV1&r~6Cu6_/[a0T1VO'p.d%ˋ}AE!Lj7^Pl&N{a˰>FSYh9Ei!11\RkkRUK.>%9؋ӊ,ƻ.c 2[S!1cTA9-)j"(- jD fxOkp)Xۜ>3-iM13bmCym+=umm;bk+mLxo\8Ow| 􄼥޼vgO%YձHlݹYmEth pKߧ#qEVi d&TRӰp-$|ri?NRe!sq*1̦a{J~bGt}c}MhE5"G9^׶F|z`!&"c"^Gl;kz^*i~9aS<K’5 0Y>GV$(%vYM|،}PH '0eˡ}h}cKk)qM`.#~Q$ճ^Rc"WVc -|29rB' vl"m]%IwKTwf|IoH$4O]U# `xN(z~hE{W] d!?32JCߑ7MSiq:!'vQ]Q sT<ϩ.cbVZ؟ ްn?EpV%A1HO)1jW]0/%u~̀ Z0Y1F2*mG{/W.nrl$[ք ၰ 5" Y cCϝF$pH1fxtװÞ1;l{ӵ5A{su%9ߺHA W|8s =J<rٗ`;_ H" p)PNEEt0w j![C|l71js#9xtB AuA"\dzwX<>126LS@%NfldaQ({b8M t߃3,ȏKlݜ(8ó1I(tCK/Hzsjaedtay\ -×Y7AaPZ  +z+jE)OBz_} !2,j)q_(OJoYh?X30M蕴B9^Ȑq/ٷ4 }:>1ƺs1Wo\^!+ W&~:_.{9jw pi|ԭ9|9\~9m]4/Z\#|j%<ח6/*˙ΒQ9hNQʉ~oSgĵ,% y}< /89-{[I2}:c|e$2/&e^>&c˼$=)>w槤I8r{%])rXѧaw/=Ś/J̙Ym}LkdžȾI1{ %Y!ό]#=Dze?|[a[G8QB=PW.v뻸)ss%| SG0U75iq[~|^.jX,.g /(@#غ7M{%}C7<8fȳRLq u+k % P1=:kǬ*ۼx`Tثގe@7 Jw;SŨـD@Sϝ}gxeUƪ1iR  {{[0gWډe:'|q8ӄY Dühlգ{h9đr(9P J[SA.|#m}t .LySz~;68,_bYd ?ǺP~bvQYfY'lybb)m+Hrt[961wHP,CV}ޣ (luy1<k.hpzxA# " n#QeLZDAۀY ❾8d)1B6 3IrH DLfe~GOf@L @zq>h|1h_u8|5V$G1x_&05%xlӍg-3۪M:~ چ/EkP3xOĕ.ӳNm(b enǝ)ZKus5 D 9bX>& LjSO"cx`&<\aϖ$|Ŷ/GK;I'[qEN =v{Dw郧rS+γĠ3>gG4WB&2 Up&\J#:4m_ "s k!׶:K2=ju".I׵g98$Y0D00 #TF\gȌaitS4D7KESXNA}F垓$g'_6b Fi&b3@tg^l(VxRBN-)KPRJVr.Q ?fFwUcTx/ē_| .uK,sD;06ϒezLU"z̴5:Dl=Yz'Oޒ{ƾ( ;C~EE3`A^|eD$zЧsm#gTt73󠶓S;˖ȵ-s(ŬBSd=)O?7G[nA5y`1v4`eW1 n=ձ]w `7G}޴]2|? Oe Lwt0=n0kn>Q$L{yݟG/7~~ r@b]TQO]&\f\j_&H.Ѯ\TvbbqY9gIΠ 2 G8"U][x9kԋO'0xmҥhWɬnqt6-%/#Ǟ':K$~Al=bu-Wr1e~8Şi#|@ ](ۊnfة"%`y @44 8ǩk[mx4;~;ݾg f+KTXg{,U\M(X5l-*l XGڦJ Qa[~j`Pq2 hTx뤝9m@>1[>܋ϑ[g_qxN|L/ة9:ˇtg)d̅FdagZ.2?‚g' Q\F$30(ylHK9a,Glu K(t&0 'Ɣ ϰO"- smxDh\3E~1Zr*U9sm jWW6xozc|>[z0XjPw.<̳(`,Lv"V7rsh;h3THهl*~&l{k+НTnxFK-^P?Q> χ"@TNENE<<Sf}')VSL_Xџ_<|:T+`!ani߄;l| n%96L]_[ P?,