Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Apple
    • Apple
    • Cybersecurity
    • IT Management
    • Networking

    Hefty Apple Patch Set Tackles Leopard Firewall Issues

    By
    Lisa Vaas
    -
    November 15, 2007
    Share
    Facebook
    Twitter
    Linkedin

      Apple issued an enormous set of patches on Nov. 14, with 41 fixes for Mac OS X and Safari vulnerabilities that attackers can exploit to hijack systems, trigger denial-of-service and jack up their privileges.

      If thats not enough, Apple capped it off on Nov. 15 with three fixes to Leopards firewall, to solve the issue of Leopards firewall not blocking all connections when configured to do so.

      One of the Leopard firewall issues was simply a misleading description of the firewall setting, “Block all incoming connections.” That setting actually allows any process running as root to receive incoming connections and also allows mDNSResponder to receive connections.

      Apples fix was simple: Change the name of the option to “Allow only essential services” and continue to allow a small, fixed set of system services to accept connections: configd (for Dynamic Host Configuration Protocol and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec).

      The other two Leopard firewall fixes were to functions themselves. One issue was that processes running as root couldnt be blocked when the firewall was directed to “Set access for specific services and applications,” even if its executable is specifically added to the list of programs and its entry in the list is marked as “Block incoming connections.” This could lead to network services being exposed unexpectedly. Apples update corrects the problem, making sure that any executable marked as blocked is in fact blocked.

      To why experts say that Leopard has more holes than spots, click here.

      Another Leopard firewall glitch is that changes to certain settings dont take effect until restart. A user would expect the changes to take effect immediately and might thus leave their system exposed to network access. The update causes such settings to take effect immediately.

      That takes care of the big issues security researchers had with the Leopard firewall, said Andrew Storms, director of security for nCircle. “They nailed all the big three problems that people had talked about,” he said.

      A number of the updates put out on Nov. 14 represent upgrades to third-party applications. Its good to finally see the fixes out, Storm said, given that the third-party applications typically are open-source projects, such as the Bzip2 data compressor and Kerberos, the network authentication protocol.

      With change logs open to the world, flaws in open-source applications are easy to pick apart to create an exploit, Storm said.

      Thats precisely what happened when H.D. Moore used a Libtiff vulnerability and Charlie Miller used WebKit bugs to exploit the iPhone, Storm said.

      Its encouraging to see Apple bring out these fixes for critical vulnerabilities that impact consumers, Storm said. “Everyone should be encouraged to update ASAP.”

      One of Apples security updates is an update to Macromedia Flash. It addresses a vulnerability that attackers can exploit to seize control of a system. Adobe actually fixed this problem back on July 10, but Apple has taken the matter into its own hands and decided to push the patch out to Mac users, updating their Adobe Flash Player to Version 9.0.47.0.

      Given that Flash vulnerabilities are typically exploited in drive-by attacks that require no user interaction, updating Flash Player is of particular importance.

      “Flash has become the de facto standard for video content distribution on the Web. And with YouTubes increasing popularity, users have come to believe that Flash content is benign,” Storm said in a release.

      Symantec on Nov. 15 sent members of its Deep Sight service an advisory that pegged the OS X vulnerabilities at 10, the highest possible rating for impact and severity, while giving the Apple update an urgency rating of 9.6.

      OS X 10.4.10 and prior versions are vulnerable. Besides OS X, the vulnerabilities affect a number of applications: Apple RAID, CFFTP, CFNetwork, Core Foundation, Core Text, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore and WebKit.

      Mac OS X v10.4.11 and Security Update 2007-008 may be obtained from the Software Update pane in System Preferences, or from Apples Software Downloads site, as can the Leopard firewall update, Mac OS X v10.5.1. Safari 3 Beta Update 3.0.4 (Windows) is available via the Apple Software Update application, or Apples Safari download site.

      Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×