Leopard Has More Holes than Spots

In other words, in 10.4, when a user turned on the firewall, he or she was presented with a box that allowed enabling and disabling of network services such as file sharing, a Web server, or SSH (Secure Shell) access. "Not perfect (it lacked application or outbound control), but reasonable," Mogull said. "There was also a setting to block UDP [User Datagram Protocol]."

"Reading the help files and looking at the dialog window, the labels don't match and it's hard to figure out what's going on," Mogull said. "The dialog window says, 'Set access for specific services and applications' and appears to list currently active network services in the bottom, with a + and - button to add and remove applications. The help file calls this 'Limit incoming connections to specific services and applications' (emphasis mine), which makes more sense."

But if a user chooses that setting, Mogull said, it appears to allow all network services that have been turned on, and the ability to modify settings disappears. "When you add an application, you can choose allow or deny all, but not for services that you activate from the sharing preferences pane," he said.

Also, Apple has no warnings for configuration conflicts. For example, Mogull enabled file sharing but had "deny all" selected. "My other Mac could see the one sharing (via Bonjour), but couldn't connect," he said. "If deny all was set it shouldn't be broadcasting itself on my LAN, and I should get a warning that the service wouldn't allow connections."

It goes beyond confusion and lack of choice, however. Heise's Schmidt was dismayed to find that choosing the option to block all incoming connections does not in fact stop connections, a finding that means users "can't rely on the firewall," he said.
Specifically, Schmidt found that ports for previously discovered system services are still accessible after choosing "block all," and that even with this firewall configuration it's still possible to communicate over an Internet connection with the ntpd (Network Time Protocol daemon) server, which sets and maintains the system time of day in sync with a time server. If activated by the operating system, the NetBIOS name server, which is automatically activated on wired local networks, can also be accessed regardless of the firewall's configuration, Schmidt found. "Even if users select 'Block all incoming connections,' potential attackers can continue to communicate with system services such as the time server and possibly with the NetBIOS name server," he said.

It's hard to pin down how much of a threat Leopard's quirky firewall presents, Schmidt said. What's worrisome is that Apple is using a version of ntpd, 4.2.2, with a number of known and documented bugs, instead of the current version, 4.2.4. Ditto for Samba, Schmidt said, with Apple using 3.0.25b-apple; releases 3.0.25c and 3.0.26a contained "numerous bug fixes," he noted. It's not clear whether the bugs are relevant or if Apple has back-ported fixes, Schmidt said, but the worst-case scenario could have serious consequences, given that both Samba and ntpd run as root and don't appear to be covered by the new sandbox functions in Leopard. "If, therefore, a security problem which can be exploited remotely to inject and execute code is detected, an attacker could gain complete control over the system, with all the consequences this entails, right up to mass distribution via a worm," Schmidt said in his posting.

Other researchers are taking the firewall warnings with a grain of salt, however. "It may depend on how you upgrade," Tom Ptacek, founder of Matasano, told eWEEK.
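The version lag Schmidt points at (ntpd 4.2.2 against upstream 4.2.4, Samba 3.0.25b-apple against 3.0.25c and 3.0.26a) is easy to misjudge by eye because of letter suffixes and vendor tags. The following is an added example, not code from the article or from Heise or Apple: it parses such version strings into comparable keys and reports which packages are behind the newest upstream release listed for them. The `INSTALLED` and `UPSTREAM` tables hold only the numbers quoted in the article; the function names are the example's own.

```python
import re

# Parse a version string such as "4.2.2", "3.0.25b-apple" or "3.0.26a" into a
# sortable key: the numeric components, then the letter suffix (an absent
# letter sorts before "a").  A vendor tag such as "-apple" is ignored, since it
# says nothing about which upstream fixes the build contains.
def parse_version(text):
    base = text.split("-", 1)[0]
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", base)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


def is_behind(installed, reference):
    """True if `installed` is older than `reference` (e.g. 3.0.25b vs 3.0.26a)."""
    return parse_version(installed) < parse_version(reference)


def lagging_packages(installed, reference):
    """Return the names of packages whose installed version is older than the
    newest reference release listed for them."""
    lagging = []
    for name, version in sorted(installed.items()):
        newest = max(reference[name], key=parse_version)
        if is_behind(version, newest):
            lagging.append(name)
    return lagging


# Versions quoted in the article: Apple shipped ntpd 4.2.2 and Samba 3.0.25b-apple;
# upstream had 4.2.4 and 3.0.25c / 3.0.26a at the time.
INSTALLED = {"ntpd": "4.2.2", "samba": "3.0.25b-apple"}
UPSTREAM = {"ntpd": ["4.2.4"], "samba": ["3.0.25c", "3.0.26a"]}

if __name__ == "__main__":
    for name in lagging_packages(INSTALLED, UPSTREAM):
        newest = max(UPSTREAM[name], key=parse_version)
        print("%s %s is behind upstream %s" % (name, INSTALLED[name], newest))
```

A package showing up as lagging is a prompt to check the vendor's changelog, not proof of a vulnerability: as the article notes, Apple may have back-ported fixes without bumping the upstream number.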
"Users effectively have four choices: Install over Tiger, without removing any files; Archive, which replaces Tiger but makes a copy of your old Tiger install; Erase, which clears everything else off and reinstalls from scratch; [and] Erase-and-Migrate, where you take a backup of your system, erase, and then run Migration Assistant to copy your old settings over."

But Schmidt told eWEEK that, in order to make sure he was testing Leopard rather than "any leftovers from Tiger or old beta versions of Leopard," he conducted a complete install from scratch, completely removing all partition data from the drive and creating new partitions during the installation process. He has not, however, tested any of the migration paths as yet.

At any rate, there's debate over whether Leopard's firewall is in fact new. On one hand, Ptacek said that OS X's firewall "has always been lax compared to aftermarket firewalls" and that the latest Leopard findings aren't particularly groundbreaking. Schmidt disagrees, however, saying that the firewall is "completely new." "It has nothing to do with the one in Tiger," he said. "The latter is based on ipfw; [whereas] the firewall in Leopard does application filtering, whatever this turns out to be."

With "Sharing" settings at their default values, Ptacek said, Leopard exposes few services. "It does not expose SSH or Windows File Sharing (Samba/SMB) by default, though it does expose a related service that makes Leopard show up on the Network Neighborhood on Windows networks," he said. Ptacek also questioned whether the services Leopard's firewall exposes in the "block all" configuration are hotspots for security vulnerabilities, with the exception of Bonjour. Being able to query the NetBIOS Name Server, part of the Samba package, which is activated upon connection to a wired LAN despite the "block all" configuration, is enough to worry about, Schmidt said.
"Think of a scenario where you connect your MacBook to the network of the company you are visiting," he said. "Everybody there can talk to your NetBIOS Name Server, even if you set the firewall to 'Block everything.'"

In addition, Schmidt found that if he chose "Set access to specific services and programs" he could then connect over the Internet to a simple backdoor he had created with netcat, a networking utility for making TCP or UDP connections. There were no Sharing settings active at the time, he said, nor did he authorize the netcat connection. Therefore, he says, any Trojan can "easily" install a backdoor reachable from the outside, "even if you think your firewall is protecting you."

Although Leopard's new Sandboxing feature serves as an additional layer of security around such services, Schmidt said that not all services are protected. Bonjour is, but the time server ntpd is not, he said, which can be checked in the startup script for ntpd in /System/Library/LaunchDaemon. The script activates a program called ntp-wrapper, which is in fact a shell script that calls /usr/sbin/ntpd without a sandbox, he noted.

Editor's Note: This story was updated to include input from Tom Ptacek and Jürgen Schmidt.
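The check Schmidt describes, reading a daemon's launchd plist, following it to the program it starts and then into any wrapper script to see whether the daemon is ever launched through the sandbox, can be done for every plist in a directory rather than for ntpd alone. The script below is an added example, not code from the article, from Heise or from Apple. It assumes launchd plists that name their program in `ProgramArguments` (or `Program`) and that a sandboxed daemon is started through Leopard's `sandbox-exec` launcher; the job labels, wrapper path and daemon paths in `demo()` are constructed for the example so that it runs offline.

```python
import os
import plistlib
import shlex
import tempfile

SANDBOX_LAUNCHER = "sandbox-exec"  # Leopard's command-line sandbox launcher


def program_of(plist_path):
    """Return (label, argv) for a launchd job: what launchd will actually exec."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    argv = job.get("ProgramArguments") or [job["Program"]]
    return job.get("Label", os.path.basename(plist_path)), list(argv)


def is_sandboxed(argv, max_depth=3):
    """True if argv runs sandbox-exec directly, or runs a shell-script wrapper
    (followed up to max_depth levels deep) that in turn runs sandbox-exec.
    A wrapper that execs the daemon binary directly, as the article describes
    for ntp-wrapper, comes back False."""
    exe = argv[0]
    if os.path.basename(exe) == SANDBOX_LAUNCHER:
        return True
    if max_depth == 0 or not os.path.isfile(exe):
        return False
    try:
        with open(exe, "r", encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except UnicodeDecodeError:
        return False  # a compiled binary, not a script: nothing further to follow
    if not lines or not lines[0].startswith("#!"):
        return False
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes etc.: skip the line
        if words and words[0] == "exec":
            words = words[1:]
        if words and is_sandboxed(words, max_depth - 1):
            return True
    return False


def audit_launch_daemons(directory):
    """Map each job label in `directory` to whether its daemon is sandboxed."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            label, argv = program_of(os.path.join(directory, name))
            report[label] = is_sandboxed(argv)
    return report


def demo():
    """Build a constructed LaunchDaemons directory in a temp folder and audit it.
    Labels and paths are invented for this example."""
    root = tempfile.mkdtemp()
    daemons = os.path.join(root, "LaunchDaemons")
    os.makedirs(daemons)
    # Wrapper mirroring the pattern in the article: a shell script that runs
    # the daemon binary directly, with no sandbox around it.
    wrapper = os.path.join(root, "ntp-wrapper")
    with open(wrapper, "w") as fh:
        fh.write("#!/bin/sh\n# constructed wrapper\nexec /usr/sbin/ntpd -c /etc/ntp.conf -n\n")
    os.chmod(wrapper, 0o755)
    jobs = {
        "com.example.ntp": [wrapper],
        "com.example.bonjour": [SANDBOX_LAUNCHER, "-f", "/usr/share/sandbox/example.sb",
                                "/usr/sbin/example-daemon"],
    }
    for label, argv in jobs.items():
        with open(os.path.join(daemons, label + ".plist"), "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": argv, "RunAtLoad": True}, fh)
    return audit_launch_daemons(daemons)


if __name__ == "__main__":
    for label, sandboxed in demo().items():
        print("%-22s %s" % (label, "sandboxed" if sandboxed else "NOT sandboxed"))
```

Run against a real system by calling `audit_launch_daemons()` on the launchd daemon directory instead of `demo()`; a False entry for a network-facing daemon that runs as root is exactly the ntpd situation the article describes and is worth raising with the vendor, since the firewall's "block all" setting was found not to cover it.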
In 10.5, the conversion to "allow all, deny all, or select applications" is both limiting and confusing.