Leopard Has More Holes than Spots

Updated: Leopard's firewall is a mess, say researchers, shutting off by default and allowing connections even under "block all."

Security has slipped backwards on the evolutionary ladder in Apple's latest Mac OS X release, security researchers say, with Leopard's firewall having more holes than its namesake cat has spots.

"The short answer is the Leopard firewall is ... ugly and a step backwards from 10.4," said Rich Mogull, an independent security consultant and founder of Securosis.

The first hole is that Leopard's firewall turns itself off by default on installation, even if the user had the firewall turned on before upgrading. That choice flies in the face of what Microsoft has done with Vista, for example: harden security by shipping the operating system with security measures on by default.

Security researchers are also chagrined that Leopard only allows a choice between allow all, deny all, or pick by application, and that it completely hides the firewall rules in a black box that isn't user accessible, Mogull told eWEEK. Even worse, a security researcher from Heise Security has found that the "block all" configuration does anything but that, meaning that the firewall essentially can't be trusted.


Another issue with Leopard is that, although the newest Mac operating system still includes the open-source firewall ipfw, ipfw has to be configured manually at the command line.

"I installed Leopard over the weekend and let's just say I plan on hunting down some good ipfw rule sets and will be checking to see if WaterRoof, a [Mac OS X] GUI utility for the firewall, will work in Leopard," Mogull said.

Heise Security's Jürgen Schmidt on Oct. 29 posted an appraisal of Leopard's firewall that concluded that "initial functional testing has already uncovered cause for concern," in spite of the fact that "Apple is using security in general and the new firewall in particular to promote Leopard."

"The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the Internet or wireless networks," Schmidt wrote in the posting. "But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is … deactivated. … In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."
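Since ipfw is still in Leopard but has no Apple-supplied GUI, the script below is an added example (not from this article, Apple, Securosis or WaterRoof) of the kind of hand-written ipfw rule set Mogull says he is hunting for, with the trusted-versus-untrusted network distinction Schmidt says the Leopard firewall lacks. The profile names, rule numbers, the 192.168.1.0/24 subnet and the two services opened on it are assumptions chosen for illustration; `IPFW` defaults to `echo` so the policy can be reviewed and audited without root.

```shell
#!/bin/sh
# Added example: a hand-written ipfw policy for Leopard with two network
# profiles. Rule numbers, profile names, the 192.168.1.0/24 LAN and the
# services opened on it are assumptions for illustration, not Apple's or
# WaterRoof's defaults. IPFW defaults to "echo" so the policy can be
# reviewed and tested without root; set IPFW=/sbin/ipfw to load it for real.
IPFW="${IPFW:-echo}"

# gen_rules PROFILE [TRUSTED_NET]
# Prints the ipfw commands (one per line, without the leading "ipfw") for a
# default-deny-inbound policy. "me" matches any address on this host.
gen_rules() {
    profile="$1"
    trusted_net="${2:-192.168.1.0/24}"   # assumed home/office subnet

    echo "add 100 allow ip from any to any via lo0"          # loopback is never filtered
    echo "add 200 check-state"                               # match replies to our own sessions
    echo "add 300 allow tcp from me to any setup keep-state out"
    echo "add 310 allow udp from me to any keep-state out"
    echo "add 320 allow icmp from me to any out"

    case "$profile" in
        trusted)
            # On the trusted LAN only, expose SSH and AFP to that subnet.
            echo "add 400 allow tcp from $trusted_net to me 22 setup keep-state in"
            echo "add 410 allow tcp from $trusted_net to me 548 setup keep-state in"
            ;;
        untrusted)
            : # airport, hotel or direct Internet: nothing inbound is opened
            ;;
        *)
            echo "gen_rules: unknown profile '$profile' (use trusted|untrusted)" >&2
            return 2
            ;;
    esac

    # Everything else arriving on any interface is dropped and logged, which
    # is what "block all" should mean: a service a user (or a Trojan) starts
    # later is unreachable from the network even though it is listening.
    echo "add 65000 deny log ip from any to any in"
}

# exposed_ports PROFILE [TRUSTED_NET]
# Audit helper: lists the TCP ports the generated policy lets in, so the
# policy is checked rather than trusted blindly.
exposed_ports() {
    gen_rules "$@" | awk '
        $3 == "allow" && $4 == "tcp" && $NF == "in" {
            for (i = 1; i < NF; i++) if ($i == "me") printf "%s ", $(i + 1)
        }
        END { print "" }' | sed 's/ $//'
}

# apply_rules PROFILE [TRUSTED_NET]
# Flushes the kernel rule set and loads the generated one through $IPFW.
apply_rules() {
    gen_rules "$@" >/dev/null || return $?     # reject bad profiles before flushing
    $IPFW -f flush
    gen_rules "$@" | while read -r line; do
        # word splitting is intended: each line is one ipfw command
        $IPFW $line
    done
}

if [ $# -gt 0 ]; then
    apply_rules "$@"
fi
```

Run as `sh leopard-ipfw.sh untrusted` to see the rules that would be loaded, and as `sudo IPFW=/sbin/ipfw sh leopard-ipfw.sh trusted 10.0.0.0/8` to load them with a different trusted subnet. Two caveats: ipfw rules live only in the kernel and vanish at reboot, so they must be reloaded at boot (a launchd job, or a tool such as WaterRoof) to amount to a real policy; and `deny log` only writes log lines once `net.inet.ip.fw.verbose` is enabled with sysctl.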

"Only Apple can explain what precisely is going on here," Schmidt wrote with regard to the firewall's failure to block connections to a test service that the user had started and that could just as well have been a Trojan.

Perhaps Apple could explain, but the company chooses not to.

Instead of addressing perceived flaws in the firewall, an Apple spokesman told eWEEK only that the company "takes security very seriously," that it has "a great track record of addressing potential vulnerabilities before they can affect users," and that it always welcomes feedback on how it can make security better on the Mac.

Regarding the firewall's allow all, deny all, or pick by application choices, Mogull noted that the choices are a step backward from the flexibility of Mac OS X 10.4, where the firewall was network service-based, not application based.
