Security has slipped backwards on the evolutionary ladder in Apple's latest Mac OS X release, security researchers say, with Leopard's firewall having more holes than its namesake cat has spots.
“The short answer is the Leopard firewall is … ugly and a step backwards from 10.4,” said Rich Mogull, an independent security consultant and founder of Securosis.
The first security hole is that Leopard's firewall turns itself off by default on installation—even if a user had the firewall turned on before upgrading. That choice flies in the face of what Microsoft has done with Vista, for example: harden security by shipping the operating system with security measures on by default.
Security researchers are also chagrined that Leopard only allows a choice between allow all, deny all, or pick by application, and that it completely hides the firewall rules in a black box that isn't user accessible, Mogull told eWEEK. Even worse, a security researcher from Heise Security has found that the configuration of “block all” does anything but that—meaning that the firewall essentially can't be trusted.
Another issue with Leopard is that, although the newest Mac operating system still includes the open-source firewall ipfw, it needs to be manually configured at the command line.
“I installed Leopard over the weekend and let's just say I plan on hunting down some good ipfw rules sets and will be checking to see if WaterRoof, a [Mac OS X] GUI utility for the firewall, will work in Leopard,” Mogull said.
Heise Security's Jürgen Schmidt on Oct. 29 posted an appraisal of Leopard's firewall that concluded that “initial functional testing has already uncovered cause for concern,” in spite of the fact that “Apple is using security in general and the new firewall in particular to promote Leopard.”
“The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the Internet or wireless networks,” Schmidt wrote in the posting. “But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is … deactivated. … In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally.”
“Only Apple can explain what precisely is going on here,” Schmidt wrote with regard to the firewall's failure to prevent a test service from starting that was initiated by the user and could well have been a Trojan.
Perhaps Apple could explain, but the company chooses not to.
Instead of addressing perceived flaws in the firewall, an Apple spokesman told eWEEK only that the company “takes security very seriously,” that it has “a great track record of addressing potential vulnerabilities before they can affect users,” and that it always welcomes feedback on how it can make security better on the Mac.
Regarding the firewall's allow all, deny all, or pick by application choices, Mogull noted that the choices are a step backward from the flexibility of Mac OS X 10.4, where the firewall was network service-based, not application based.
In other words, in 10.4, when a user turned on the firewall, he or she was presented with a box that allowed enabling and disabling of network services such as file sharing, a Web server, or SSH (Secure Shell) access.
“Not perfect—it lacked application or outbound control—but reasonable,” Mogull said. “There was also a setting to block UDP [User Datagram Protocol].”
In 10.5, the conversion to “allow all, deny all, or select applications” is both limiting and confusing.
“Reading the help files and looking at the dialog window, the labels don't match and it's hard to figure out what's going on,” Mogull said. “The dialog window says, Set access for specific services and applications and appears to list currently active network services in the bottom, with a + and – button to add and remove applications. The help file calls this, Limit incoming connections to specific services and applications (emphasis mine) which makes more sense.”
But if a user chooses that setting, Mogull said, it appears to allow all network services that have been turned on, and the ability to modify settings disappears. “When you add an application, you can choose allow or deny all, but not for services that you activate from the sharing preferences pane,” he said. Also, Apple has no warnings for configuration conflicts. For example, Mogull enabled file sharing but had “deny all” selected.
“My other Mac could see the one sharing (via Bonjour), but couldn't connect,” he said. “If deny all was set it shouldn't be broadcasting itself on my LAN, and I should get a warning that the service wouldn't allow connections.”
It goes beyond confusion and lack of choice, however. Heise's Schmidt was dismayed to find that choosing the option to block all incoming connections does not in fact stop connections—a finding that means users “can't rely on the firewall,” he said.
Specifically, Schmidt found that ports for previously discovered system services are still accessible after choosing “block all,” and that even with this firewall configuration it's still possible to communicate via Internet connection with the ntpd (Network Time Protocol daemon) server, which sets and maintains system time of day in sync with the time server.
If activated by the operating system, the NetBIOS name server—which is automatically activated in wired local networks—can also be accessed, regardless of the firewall's configuration, Schmidt found.
“Even if users select Block all incoming connections, potential attackers can continue to communicate with system services such as the time server and possibly with the NetBIOS name server,” he said.
It's hard to pin down how much of a threat Leopard's quirky firewall presents, Schmidt said. What's worrisome is that Apple is using a version of ntpd—4.2.2—with a number of known and documented bugs, instead of the current version, 4.2.4. Ditto for Samba, Schmidt said, with Apple using 3.0.25b-apple; releases 3.0.25c and 3.0.26a contained “numerous bug fixes,” he noted.
It's not clear whether the bugs are relevant or if Apple has back-ported fixes, Schmidt said, but the worst-case scenario could have serious consequences, given that both Samba and ntpd run as root and don't appear to be supported by new sandbox functions in Leopard.
“If, therefore, a security problem which can be exploited remotely to inject and execute code is detected, an attacker could gain complete control over the system—with all the consequences this entails, right up to mass distribution via a worm,” Schmidt said in his posting.
Other researchers are taking the firewall warnings with a grain of salt, however. “It may depend on how you upgrade,” Tom Ptacek, founder of Matasano, told eWEEK. “Users effectively have four choices: Install over Tiger, without removing any files; Archive, which replaces Tiger but makes a copy of your old Tiger install; Erase, which clears everything else off and reinstalls from scratch; [and] Erase-and-Migrate, where you take a backup of your system, erase, and then run Migration Assistant to copy your old settings over.”
But Schmidt told eWEEK that, in order to make sure he was testing Leopard rather than “any leftovers from Tiger or old beta versions of Leopard,” he conducted a complete install from scratch, completely removing all partition data from the drive and creating new partitions during the installation process. He has not, however, tested any of the migration paths as yet.
At any rate, there's debate regarding whether Leopard's firewall is in fact new. On one hand, Ptacek said that OS X's firewall “has always been lax compared to aftermarket firewalls” and that the latest Leopard findings aren't particularly groundbreaking. Schmidt disagrees, however, saying that the firewall is “completely new.” “It has nothing to do with the one in Tiger,” he said. “The latter is based on ipfw; [whereas] the firewall in Leopard does application filtering—whatever this turns out to be.”
With “Sharing” settings at their default values, Ptacek said, Leopard exposes few services. “It does not expose SSH or Windows File Sharing (Samba/SMB) by default, though it does expose a related service that makes Leopard show up on the Network Neighborhood on Windows networks,” he said.
Ptacek also questioned whether or not the services Leopard's firewall exposes in “block all” configuration are hotspots for security vulnerabilities, with the exception of Bonjour.
Being able to query the Netbios Name Server—part of the Samba package—that's activated upon connection to a wired LAN despite “block all” configuration is enough to worry about, Schmidt said. “Think of a scenario where you connect your MacBook to the network of the company you are visiting,” he said. “Everybody there can talk to your Netbios Name Server—even if you set the firewall to Block everything.”
In addition, Schmidt found that if he chose “Set access to specific services and programs” he could then connect to a simple backdoor he created with netcat, a networking utility for connecting on TCP or UDP, over the Internet. There were no Sharing settings active at the time, he said, nor did he authorize the netcat connection. Therefore, he says, any Trojan can “easily” install a backdoor reachable from the outside—”even if you think your firewall is protecting you.”
Although Leopard's new Sandboxing feature serves as an additional layer of security around such services, Schmidt said that not all services are protected. Bonjour is, but the time server ntpd is not, he said, which can be checked in the startup script for ntpd in /System/Library/LaunchDaemon. The script activates a program called ntp-wrapper which is in fact a shell script that calls /usr/sbin/ntpd without sandbox, he noted.
Editor's Note: This story was updated to include input from Tom Ptacek and Jürgen Schmidt.
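One way to automate the check Schmidt describes, as an added example that is not from the article or from Apple: it reads a launchd job, follows the wrapper script it starts to the binary that is finally exec'd, and reports whether the sandbox launcher sits anywhere in that chain. The plist contents, the wrapper paths (ntp-wrapper, mdns-wrapper), the mdns.sb profile and the /usr/bin/sandbox-exec path are constructed assumptions for this example.

```python
# Added example (not from the article or Apple): audit whether a launchd job reaches
# its daemon through Leopard's sandbox. Plists, paths and wrappers are constructed.
import plistlib
import shlex
SANDBOX_EXEC = "/usr/bin/sandbox-exec"  # Leopard's sandbox launcher (assumed path)
# Constructed plists modelled on the ntpd case the article describes: launchd starts a
# wrapper script, and the wrapper execs the real daemon.
NTPD_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>org.ntp.ntpd</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/ntp-wrapper</string></array>
</dict></plist>"""
MDNS_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.mDNSResponder</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/mdns-wrapper</string></array>
</dict></plist>"""
# Constructed wrapper scripts keyed by path; a real audit would read them from disk.
WRAPPERS = {
    "/usr/libexec/ntp-wrapper": "#!/bin/sh\nexec /usr/sbin/ntpd -c /private/etc/ntp.conf -n -g\n",
    "/usr/libexec/mdns-wrapper": "#!/bin/sh\nexec /usr/bin/sandbox-exec -f /usr/share/sandbox/mdns.sb /usr/sbin/mDNSResponder -launchd\n",
}

def launch_argv(plist_bytes):
    """Label and the argv launchd would start for this job."""
    job = plistlib.loads(plist_bytes)
    argv = list(job.get("ProgramArguments") or [job["Program"]])
    if "Program" in job:          # Program overrides argv[0] when both keys are present
        argv[0] = job["Program"]
    return job["Label"], argv

def follow_exec(argv, wrappers):
    """Follow shell wrappers through their first 'exec' line until a real binary is reached."""
    seen = set()
    while argv[0] in wrappers and argv[0] not in seen:
        seen.add(argv[0])
        execs = [l.strip() for l in wrappers[argv[0]].splitlines() if l.strip().startswith("exec ")]
        if not execs:
            break
        argv = shlex.split(execs[0][5:])
    return argv

def audit(plist_bytes, wrappers):
    """Return (label, daemon binary, sandboxed?) for one launchd job."""
    label, argv = launch_argv(plist_bytes)
    argv = follow_exec(argv, wrappers)
    sandboxed = argv[0] == SANDBOX_EXEC
    if sandboxed:  # skip sandbox-exec's own options (-f/-n/-p/-D each take a value)
        i = 1
        while i < len(argv) and argv[i].startswith("-"):
            i += 2
        argv = argv[i:]
    return label, argv[0], sandboxed
```

Run `audit` over every plist in the LaunchDaemons directory, reading each wrapper from disk, to list which root daemons start outside the sandbox.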