|
|
|
Leopard Has More Holes than Spots
By: Lisa Vaas
2007-10-30
Article Rating:  / 12
There are 1 user comments on this Network Security & Hardware story.
Leopard Has More Holes than Spots (
Page 1 of 2 ) Updated: Leopard's firewall is a mess, say researchers, shutting off by default and allowing connections even under "block all."Security has slipped backwards on the evolutionary ladder in Apples latest Mac OS X release, security researchers say, with Leopards firewall having more holes than its namesake cat has spots.
"The short answer is the Leopard firewall is ... ugly and a step backwards from 10.4," said Rich Mogull, an independent security consultant and founder of Securosis.
The first security hole is that Leopards firewall turns itself off by default on installation—even if a user had the firewall turned on before upgrading. That choice flies in the face of what Microsoft has done with Vista, for example: harden security by shipping the operating system with security measures on by default.
Security researchers are also chagrined that Leopard only allows a choice between allow all, deny all, or pick by application, and that it completely hides the firewall rules in a black box that isnt user accessible, Mogull told eWEEK. Even worse, a security researcher from Heise Security has found that the configuration of "block all" does anything but that—meaning that the firewall essentially cant be trusted.
 To view an eWEEK slideshow of eWEEK Labs walk-through of MacOS X Leopard.
Another issue with Leopard is that, although the newest Mac operating system still includes the open-source firewall ipfw, it needs to be manually configured at the command line.
"I installed Leopard over the weekend and lets just say I plan on hunting down some good ipfw rules sets and will be checking to see if WaterRoof, a [Mac OS X] GUI utility for the firewall, will work in Leopard," Mogull said.
Heise Securitys Jürgen Schmidt on Oct. 29 posted an appraisal of Leopards firewall that concluded that "initial functional testing has already uncovered cause for concern," in spite of the fact that "Apple is using security in general and the new firewall in particular to promote Leopard."
"The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the Internet or wireless networks," Schmidt wrote in the posting. "But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is … deactivated. … In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."
"Only Apple can explain what precisely is going on here," Schmidt wrote with regards to the firewalls failure to prevent a test service from starting that was initiated by the user and could well have been a Trojan.
Perhaps Apple could explain, but the company chooses not to.
Instead of addressing perceived flaws in the firewall, an Apple spokesman told eWEEK only that the company "takes security very seriously," that it has "a great track record of addressing potential vulnerabilities before they can affect users," and that it always welcomes feedback on how it can make security better on the Mac.
Regarding the firewalls allow all, deny all, or pick by application choices, Mogull noted that the choices are a step backward from the flexibility of Mac OS X 10.4, where the firewall was network service-based, not application based.
Page 2: Leopard Has More Holes than Spots
|
|
�������x}v۶x�]ٻHV,ٖ�ږMK"!5Ejm/qu_>�/}P9q$�0���+�?{{$rhiȥc,J�{TwI�,ޫW}m���UQ!�5[(�S�f�f#ѩS7�
�mGx6b)^��D&�/�hԞhT�a@Y2hdDj�jw{� %RMWJzaߨ+Q!kRqja�5=�3�-i�*GH,'IL~6zvEzw'797bٚXC�j�=��Ίgxo[-:nn/9nWg.9ܐևiљN�0@q'3j__[r�\߃-�<�$L�,.z��p-@hz�@5�&:H�)5?�*�1gUa�l&XJp;�=3X��U���q,E]�dLK�'o�#.��iFT�B(��PHQ��~�(llN<ٹ6hjYYV'*daeIUiwaO
.}ױGVuFםn�.[nm�8%gk�, ]ezb�c\\�ԶW�Q:o6�)AbVʑ~�8ʕ�/76n!S[�ö@�S&
:fӼ㛙?{�贎�;mB�ɴ'0g@׀�}�
Q�mP�>xg>6 @�
T�N`� 8�+���KszLA
�>�0��}sBi=?��=H�P7�ZЉ�׃�j#ɦM&B:���ǽ�ښ@��(Q�ͻ�iyy1�&C��բw�O�ڡ̀Y4�ʺ�]y����XS��tv60-P���3�86tq�0x�zD�Х��G�!"�5i]N�P@B�r68��-;�4rr2����(#!bTk�'9Tv{B#�9}Tz,�QύfR1b -xkb��d6g�2KILI�]W-&D7rB��L/G��7Mᙚ6Z5oY,*|\�[�Zác�]=3̴�҄%�LlA�i2Ԑ(|N`9�ʏ\�s��TĿێ#]Ǻd���fV̚3)A\^x�P�aN=]7mQhĴa861 0�|Ch�2�j0�UYc2#o55�K�tıa|�d�Nk'`=m~|�CrT�fЬ||�I2��X*MmE�c7�˅L8�kV*H(ALY3�b-y6y�[�2+sM&WRV�y|W*[N�VT�V3(Q2}k=u}ӣ菝 E+)q�:�X-h�Om�CjlYo%,JoI��J`iX�Z @-��2$��@HQٖk�,�:+}:JK�_i��HH*�6@\X1,C��%C�/Љ0Z��u»>j�ab�E�3��W�C�h�#�'j)+$جX=wl d��A�qF�NdHg >��[�elp�u:S@�ꇮc�;u�5Mg>�M��{8!2D3�;^3
c6,���p��y61�b uߓq�X0d}IߝO�:p��k>:],�aGjJ�Ws8LGME8`
�Dz!�2��F�4áiH5ϴ�զ㎍WK.Z"Af2,Fq?�|���2,e(,g@@re9�A�ٜs�84Sj%ri3�p�p[ss@l4$T2Pa�;r�M
eaàzNfQmGwB
Dw<�U��Jm�[L��ڥ��o�gdQIBnA�:�E)Lj!A�6a ��dj>Gxo'<>CP�u�N.Db�����$6��\P`�t>*
:WDX00n) hRU∛&ZD^nv�Z��KIڶkl��ThBR�7ݏ�P1gxyd{�.�3IR-���ft˪ZԊjR9
�>ㆾ�2�<ƛR�:wC~y6�on{7zpQ9[J/>v��^9Z3�:?.y?j�V�?fA�@=&�%OMOw�r�5�t!YPP +�ȣ�Y ~� U%��+;ߝ?�F���#hE}萰�⢉�#H���E��&pӜ��= �=:WԴ'*���0L�j7:p~mN)D{u&~WD�ȟT�_[Yg�E7{kf��#R�@
�k��8}G(,?c�C,�笠>_}X@ƿl
7�B+E?e$�ߌcc
�*Rgڽ-jdקW�R4m&-f]�{m�x3ux8#(k{J�}6U�k[; Uȭ6Θ2nIQ:��u"z�w]KZP<�Fd&*T~�!\ =+RgP֛X[`MugwzT4FW0p�L'{�T>�UmG*|�&�vi�wgN),��3!�!kX�5vgfGyc2
0�97&>ӥr�
3�e�Eݗ�uyf3�9nؠGuH�R>Џ`^��;��㊟}XM-�6+0�w5.�и|)*�a�^f&=YFL'SimmKU>}+#�
ʌ)QEoS Y-iq#4�.҄Vߵ�N31fEl�?/c�q�)T�$�NXNMs�7)u
JU-t?rz�
,�~:r5c`'�cJEd"I?Y� �Quvd*�+ZRbb>�+�r9+ nbɨe0M�Jpf�X$$�\ �\c3Ή��dЍ(QQ�C}\� 3a/pdg>]:�Q�G�3.!7Wc�5�ć�u�R�Am+J9SnO;a&�ri���5��#�GtHt27\�'�xWeR8P3A������6B�s:~-L6M�ya!49Reo&k
hr~e$ $"Z��U�%ap�Nd+�,��y88&,1_U��%����l�l*=r!D�Nn}8�hA4W�%コm�BŞwzy}�ϱ�0q�sf{Nkw �3ok߾g{4}cr m4
mUj_~9&�oo:Τem�q�߲g�2/�f�B�,
F8�5bvmSnJ7�mu���.o�d�hPu.�xIsѹj}Ւ⭎:ע�!5vy~{u�yU8B�"DEy�{hq\3nmG�'��L=Z=�IקKwDC5��)-ssֺĂ�q*D|=x[6πa6(zmm7c)ފCS�^aݪ�,$"0�~��
*U:q��AQj��@�R`OH�[%#qRfp4{"Z��B4�X
1t��"�(BR.IH�§,uڹirs�lo�}A��sᷘo9�?Oů1O&o8��~ ɮP=8uph縵zY�\��~<)}B�-93ѳF�tN/)���nn�"dU��c26
!�*rښS)Z@csKi�P:p�8hhN1z�lNܡM]暭kց�f-ȔbB�49uP#%dB%fy�e5 a5m^�� e!>beOvIBhIw�鳎|>.EY-VY��ڇᑿ9Z�c:I��i��9&rQC=?V��U$Mݙئ?s!iz3��Ɲ|/#�h�e֩Ҋ&h�l�4gk�@
\:d���[ıpW߆
ة�/G.y9r��NQD$&�=`�י2놣ݮ��q">�3��GÙh]�H!ͫw I�W�]F{(��\G9�a�.P]�Qz AEvo4qst�rD�p?{m�ؒ�M~oO)+e�{m;¾"CSq�[:�`*Y8�HH�!Hr;�w7=o9ʜ9%++xst/a�'CQ/�o�%(P2�Y:pKҠEc�Ù}dW]M3C\^dg=A�/.=,Aszq![bٿ�oB&ov|}gYjIU�9e�9���S]e--^RR\D+��%U뀞�h h�0KY�{+�&bi8V3�YTԵ?\mr�S����װO Z�;w2o��7B!?�}�la{ƙC3���J6��wkVp�N
v_�!O�"%�JJL�ץa�l�@|Րٲ/�h]Z0i��aj}Z�8\l��ulE;/'Ɏ?eMr��s2i�1*)�&%ŗ`x�pN�U{r+p������^=zʸ�.Ydc%F=��d�8�7xtbڰJ{~NK5ݓ�W�|F-K+�HΊr�1s7/8c�C��0)M�\�?�dgy{3xi
s(8{+:.
^TE-1Դ,rj�8�
kq0�븦'�V�c�#��9k��x��F9R��_�x�k\Wp$W!:?t:A=f�ј�B6^�ދ ��9u�aX VaYtBӨRG�FF[bwz��Z?)z
y2���_v@q�)!N$1 'j6P�TկA�~6^��".SKE�CQ0�Vҁ̲b���,q]p�qѝFCC͂�)pyY�`zBЮͼ1r8���Qhشaۄ�ECE#��6�N2h`(��$sGFJ�
.1R,��)�b86ynxp$^Y"`O����C}zma̤0K?Zؔ,�^pc'�"���۴,VbnjE�$}^8�'ym�BѕY�]S!�nx�t9|�83_t T(�9P1��(U�z��/�ʃ�G�
RT(*Ԇ1t<;D�f.�uCjM
T(JBJ!ĬG�Be I��_�Q=���*v~c"O
RXםc�BqAOMm\0Z��%a_Z�pv�HKmjR��a_PL�J(f^vVwSxi}hn�PR^ 5隺> =Rl�!�RX9Z3ck X��HP�y j a
y
_$Bt��/�eKJ|1$HYmc g=3=�A-P�Omϥ i���(po4!L��L�<"F@qk;G,j�"DT�GMy$�\DE`�y�ֺw�ϠCD@A
ͬuc[RBs��-CZJ?�&|�UW�G~Zt�� B$!D�� H"�!~=TYе@OOP��=^�J"q�Svn�~ҕ|���rC*BF������tn��ᐈ(S/��;!Ku6Wq&wSffffʭ��_U�/\�6V7t8@Yb&j]o.i�.A+�uk,̔]�،�,��`��c���h|�0E�nƎ�1�Ez>W-��;y»R��XYDXy�ſ�صAecl_t�ۼ�k*|�Fߘޝ +��!�@�����"o{m6���]65
AO�aՉz�J$%arNoicS/mKH6$]: КP͒a��TӐ{E;܍W �� C:gN)�.�7v-Mx��xnX:e��C�7�:
6qS�B!�
A(qWp�%إj(�K�6tLC� nh,/wty+9_)=KxoJܳ[�VA�]]R2
E\25yd
+CS�3!'㶊#w[3:F��0\�^����b��FfER3�߶@>sPZ�Tq&�2;:x�O
hգ�6�,饱g9N{� -b9
n83=6ˡi�Zl?]�I��f-0kĚVA-q�iql2?W9�3V c4�{�Rf�Y5�H�`�P�Ed�Гj.t1avγYb��>;@RhżʿH[�XT[ݶ(P68̳ѧ��$~kc&ʹŅ,hMHm!^�x~1OC�zy�RY(�=¹�-䗝Og�S{cl!4q,{�o�> "h�|P�ln(�|V
R<9xHv��u#��Z�(F%!i3OoQ'ZŰ/bAs�@�a]I�jD)LS�Z;T7�T0�3�/0Q[�n]7�C�vTw{*{s2u\_w{
,ɯ0�&��]cJ��ûJ��@M>s|�x�Uk�@;�%(�ߛf|'+QYуZ3ʑu1V}mc8B4n�.�DX4ֱ�
ە'y�#nZI@boByu~�r,�%�m;�SDp��vT|@Yn�2=���4�!-(�-ntn�aIz�K*r$r9��auEbNPm�@`bW�'$|��c@�_��^�a)~c�)@�ˉ>^G� "�K��q%y3�N4kAà>'FS�Y�hY�icl9�ח+ʑs\�� { ]J1xy��[=MNֈ0p*B GYٜt� tJ5���/�*�R!V(�}0*:�@7V�y^ULX��F�Lϫw�X�e\L;W��Tc]8_q�=o7ݙ�B gnuƂf�KV\c���uQa�a sa,kH\�L-���YK`miX�!z>H�'̪B��9�8q�f[�jRZrZ�wHi1{�7=yj5Tբ
jKu_V0ߚX�x9ڥ9�<��L�QOu(vy1깽RX�=oi5'MÙ9�X*AE�L�iHϜ@0Y飏bi'�
�
m�(9,�s}�%�yo{ �l9�|棾m5d_#)hҵDŽq8�P v7�:Xx%5Bo[q{e
�d1'�%!gt|юTݺD5n͌�t� 6A�0OyX~m2� e~40L۾%Ux[jdo�wQf'1q8��@fk���t$4 ꦆ�ڊs__ CGQF[Q{R�@t?�Š,Ti�rˇیh%9�ר��S�Rۑ8Έ�T�T"Э�B1MM;oP}3Y?d=pa
��zX�g/VH*كZl+�Z75�� Ui_8AnIix��ߟ|BG��{�/ }
6r�t`�wGrX�� ѝ��G/�t�X�1+b=�-�#k�d�. �{z�̤�7d?< FN��9}iǝ�<�a-Xnh@*>In�$%�H|"] �YC�`�xJ>(F�
�zh/U{Z7]�d"ϝ�k�`"Xȝh`6'qL����y����d��0W ^*!+�[:ps\vc�f+�I jw}ٛ
0nhÎo9fkH0bCD9҄Yoz盫r�Ѝ�QݾJ!?ч��f@�6L-;nqAX#�hb��GCOs3M˸Zg1�45`B���\N�}s\�xE%mDRPa��}?x�֭��cSt�� ',h/uz��@8$�:k/Px�,�[{GǙ9fR�stؾ<�y��X
htM\���"@J��>S�|Ӡ6hP؞�b?pm�Ʀ\Ibu�s3��N?v@�:�0<(�[�]ĝ?]�wqɴ�Ƹ+N'����l01}րk3~�tx́Q(b8&��$�Bc�|EWoVR%P
~+�>g�ޕa)�kbg/(^�;ele$��-ɕ@��ZA��ϐ!;�
Y7ux��u�1ƚ}ןcԇGr!Mr~jM\E�7a]+��|lSsN:g�O;�WU/876z;�'*u^h+�iOgq/@_5/[LOQ�ʉhQ{ĥ,<�%
E
*w�o"8l��MO|ݻ)e;̋��L�M��)oݴ|:\[�Aq�Yώ|vWsJN�#EEu_k1 mzQe
p�!Bv[��\2@bE�EJϐsJkJ
߬O?m�6S;IIGJO?��RO!t}9<�?ooS=_ikOoe�th_;}hi_C)iMI��ק_��05.S�K��{Ke
~.)�LK�D�J�H�ߥ�~ )0W){�s?W0~W)ׁwR�I?�/�r
qB�P:
M
tݔwݔz)�Y�}
}}�iп�)�[HMK�M[6[�u2�Az3Ϛpz~="9II/e�')R*H+_�~JK%yJ�ȳ�)�+F'^˰Nsi3e_7ˀQ^\J�}}9+ƥ&W�*WiKKD3cTo%i:Hv�B__0�𖫫qL�w%,_YnƊ6sL�qϜ�OW0GY�!i�(�9�|,��|֥�cFtKY�wT+SiKy>Ј{��+�=��qU4s�n��x���3%<`
K}>�.nm;yp=�]�;X�;Yo�%P.���Is�geiN}:/����O� +WY\�n-J��ǡ�8Н�\ʹ=FyƃVV�q3Nlcmi>[�=usռ_7߶G{6�ؓ��i,��B8�W�EjnRh�s)ŁS�
�wC-�`26UB`
81C�=b��è[FWWp E��!Х#�oOuba"Jj�"��nQ͍p^'Wv�ŀ�"G0�~;P`�K8؞;�z^�,%�+뛞7ޢ{I�2ؐ�VzA�[Rg軥@:佷�d�ȝ_OiǝaFr�4AA?v��i {=*x�q}2mJN+gL=�[�gtM�F.i<�&�3!�Uť{�oTxx e*��kM-���E�j�Nؒ1$�1$QEE�dHd�i��21sH.�P,e�C}5+½0p;���AWÄ.ҡ���ȱ0.��FbƠe�@脸�pމ�ƍac5]M&cDʣn0>EZx_Yx3S!I�U/
��R�c,i
bFrb9)�GU�j}�09Yq6�3nwZN\ikp}.$x��M|Jq}6dB:HO,ms�grl��k::jnԙ%<͋_|y
��Gl7�"3cwn2&.�.'18<���,�~#�pމi�`g+� 0MH+faԠ2.ty _]ŀlK]v�`;@Mx��E!Ä�LYRem�^#%�a�e{ I�~�ؚ-2b53$O�$E�'�_!9�a�<�9"Z�gARD~kB]&*P�=eZ�O��n,��/qk=Gmk[Ve�Ʉ�!lz.Ҳ$
�� L*��!#R�.ؐ�F�{R�a�s.yⲁE"= s
�wfc�C��~X��f�xٱq1abZ!q��F`�ӧ�7ޓ5Z@��K"�C2�<�wخ;��qV'�t#��9e5
oѵ1�/.{H}�nH��U֧j2�:�ж��U7`m�-I�U`j�oAVn�V?Y~��r@]Pa߂g�`�cwDl�.��*菓YF
pWa+e76MPxO3
EA)
3/�&U@NDrg˫@y
Vs6�N`^q=˼+AѮY�nwl`x%kF:M`Wp�ۂ{iW���RpCV)�tnOK�]苰��BNx3N7�s,^��rX�ٽ&琸8N�Rjã
$cv)<��Xè�+�7q;3�[h__90�|:,�l�p+>o&燸[�00cxN'^=g[�KY'}d&
,�$(jVI�{{:7�&�iy-#cC�v_ʈvph;߃��A� wVǰ�YD!Ƨ۹;�O�Ч�U�-\`�}{M_;9LoḜ:93E~ᱦ��#%ժαЩ[k^٢�C�<O18��Y ~F�ل6�sq�ȃkz�`��^����cW�
X�-�1!Dt9)~Qoh&P?f8�هl~H&!�,[+�ЃDB68#�/ahɡ�>s�A�TNxN=�Sf}-s)SL_ћ�]̑?��[Z=>|E]O�Τ=d��'�ս�+sHWx �'uG?q� �t7�ﳗx9@,&P�ւz'Vw^>Md`{E- r�H
YA2�'��(cf�g��#+C�ӌ�B��ىR;BpX�1-Ɨ?EO�V)�_�z`,�}�sufP"�̟~B�8}��ξK+�zd�x���U�u�
_ϱb>o�r�}g(3�� H0\"=,�}e>2(CT}U͗2�8�L�i;+,Htj�d}dJ�Ӗu��zî`o#,GSwZrA���]72&�at�kR5M3!�7xE�GjX�Co=��b�Y$;V�EI�_�\�JmohZ @AE}Tb?`~�}ߙtf*ތ}ÅypAZ
x�_PžŔ�v?�؏}en�ӂVC+C V`6FM$EBT1�P"ح=Sd 0[⍏,"c=~�Up7Y�4s"ӛ�n b$QܔV.b(6Z9^i�O+1�:k{IjaW1�j/h#wԁ!�Jú���q,�1�L�[s�T�0{քf#8x=��M�C��k����?Xp,|x��@GfS��]D�d~�R�/�}7�yZl&,Xt-8E�}&�+��/Tb��&l2n�cK�ga�@Rq}�9F��a38$�q}5G>5Ovߛ�nOf=mCs
� L�MمnӖoհu(a+�=..�5�b
뻴T�GB��vu��9e_�i`kЛ�O �)aoH]=
�i�>;��`�W2b�I{xv�(�r�ʲ�)SИפcjx^pz�z;dPٶNLX[��
gi=Na�)_=��S*mࡋ�N�em�BA��r<叽�[:?�Q�e O\�d"�?�m��H�&�9h~�+mI�?Z$d<�2ZX�p
��hռ @����|>cj�M�xp�HfBþ@�*t7O6㪦}ܶix]Λm2n��ڍw∀8��"_bL�xE/
x�m%
jaA*Ej
"9�_fWqc�
Ӄ% �,T.Xpp
D' 0��~_w{�/Z+�Pf狃UO:o^/>��\}��M�=]�=�m�� >.(~w"sѹ9N(;N'ӟt_IAF�tNq#Xܜ �
+,u}6�Z��Zfo�\0 �
;,D�V>C1@jbĿ�b(�B-�@'%֒#X-`t1%Bb{m;A8r�l&v�3[)��U[2C�UC{!�n.&r,1�v�~̬pQN66�l&WE��qy6{Y$V�$>��
|
Network Security & Hardware 
