Leopard Firewall Update Closes (Most) Holes

By Lisa Vaas  |  Posted 2007-11-16

Apple's Nov. 15 update to the Leopard firewall is good news, with security researchers happy that Apple didn't take the easy way out and simply rename the "Block all incoming connections" option. Instead, Apple "significantly" changed the way the firewall works, fixing most of the issues raised by Heise Security's Jürgen Schmidt.

"Every process that runs with root privileges used to be accessible and therefore attackable from the outside. They changed that. Now in the setting 'Allow only essential services' only a very limited set of services for the network infrastructure are reachable," Schmidt told me.

In particular, the time service that Schmidt criticized in his articles is not reachable any more.

"I really appreciate the fact that Apple did not choose to implement only the smallest possible solution to change the name from 'Block all' to 'Allow only essential' but also drastically reduced the attack surface by allowing only a limited number of documented services to be reached," Schmidt said.

The update wasn't 100 percent perfect, though. One thing Schmidt says he would have liked to see is a strengthening of the option "Set access for specific services and applications."

Apple tweaked that option so the firewall will ensure that services running as "root" won't be accessible if the user blocks them. It would have been better, Schmidt says, if Apple had also made every application not explicitly listed as an exception inaccessible from the Internet.

As Schmidt said in a Nov. 16 posting:

With this setting active the time server by default remains accessible from the outside world, despite not being included in the list. A simple demo server such as

nc -l 1414

is still accessible from the outside world on port 1414 with, for example, telnet, without the user having set up a rule for the server. Precisely because such services are not included in any list, it will not generally occur to the user to set up explicit blocking rules. Unsigned applications, by contrast, cause the user to be asked whether he wishes the service to be accessible. However, an application can get around this by using the universal network tool netcat, for example, to carry out its communications.

Rich Mogull also had some qualms about the firewall changes—in his case, the signing of applications:

I've tested the update and the application firewall still signs applications, but instead of just failing to launch modified applications, we're now prompted to allow access manually again if they change. Code signing can be rough because of issues like this, and I think the prompt is a reasonable solution. However, I would prefer it to say, "This application has been modified since its last use; please click to allow network access" so we know that it's a real change to the application and not just a random prompt to approve again.

Back to the plus side, the Leopard update also fixes problems with Skype and World of Warcraft.
