Hefty Apple Patch Set Tackles Leopard Firewall Issues

Apple has released an enormous set of patches for Mac OS X, Safari and the Leopard firewall.

Apple issued an enormous set of patches on Nov. 14, with 41 fixes for Mac OS X and Safari vulnerabilities that attackers can exploit to hijack systems, trigger denial-of-service and jack up their privileges.

If thats not enough, Apple capped it off on Nov. 15 with three fixes to Leopards firewall, to solve the issue of Leopards firewall not blocking all connections when configured to do so.

One of the Leopard firewall issues was simply a misleading description of the firewall setting, "Block all incoming connections." That setting actually allows any process running as root to receive incoming connections and also allows mDNSResponder to receive connections.

Apples fix was simple: Change the name of the option to "Allow only essential services" and continue to allow a small, fixed set of system services to accept connections: configd (for Dynamic Host Configuration Protocol and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec).

The other two Leopard firewall fixes were to functions themselves. One issue was that processes running as root couldnt be blocked when the firewall was directed to "Set access for specific services and applications," even if its executable is specifically added to the list of programs and its entry in the list is marked as "Block incoming connections." This could lead to network services being exposed unexpectedly. Apples update corrects the problem, making sure that any executable marked as blocked is in fact blocked.


To why experts say that Leopard has more holes than spots, click here.

Another Leopard firewall glitch is that changes to certain settings dont take effect until restart. A user would expect the changes to take effect immediately and might thus leave their system exposed to network access. The update causes such settings to take effect immediately.

That takes care of the big issues security researchers had with the Leopard firewall, said Andrew Storms, director of security for nCircle. "They nailed all the big three problems that people had talked about," he said.

A number of the updates put out on Nov. 14 represent upgrades to third-party applications. Its good to finally see the fixes out, Storm said, given that the third-party applications typically are open-source projects, such as the Bzip2 data compressor and Kerberos, the network authentication protocol.

With change logs open to the world, flaws in open-source applications are easy to pick apart to create an exploit, Storm said.

Thats precisely what happened when H.D. Moore used a Libtiff vulnerability and Charlie Miller used WebKit bugs to exploit the iPhone, Storm said.

Its encouraging to see Apple bring out these fixes for critical vulnerabilities that impact consumers, Storm said. "Everyone should be encouraged to update ASAP."

One of Apples security updates is an update to Macromedia Flash. It addresses a vulnerability that attackers can exploit to seize control of a system. Adobe actually fixed this problem back on July 10, but Apple has taken the matter into its own hands and decided to push the patch out to Mac users, updating their Adobe Flash Player to Version

Given that Flash vulnerabilities are typically exploited in drive-by attacks that require no user interaction, updating Flash Player is of particular importance.

"Flash has become the de facto standard for video content distribution on the Web. And with YouTubes increasing popularity, users have come to believe that Flash content is benign," Storm said in a release.

Symantec on Nov. 15 sent members of its Deep Sight service an advisory that pegged the OS X vulnerabilities at 10, the highest possible rating for impact and severity, while giving the Apple update an urgency rating of 9.6.

OS X 10.4.10 and prior versions are vulnerable. Besides OS X, the vulnerabilities affect a number of applications: Apple RAID, CFFTP, CFNetwork, Core Foundation, Core Text, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore and WebKit.

Mac OS X v10.4.11 and Security Update 2007-008 may be obtained from the Software Update pane in System Preferences, or from Apples Software Downloads site, as can the Leopard firewall update, Mac OS X v10.5.1. Safari 3 Beta Update 3.0.4 (Windows) is available via the Apple Software Update application, or Apples Safari download site.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.