Old 31-10-2007, 02:03 AM   #1 (permalink)
in search of myself
 
CadCrazy's Avatar
 
Join Date: Sep 2006
Location: Gurgaon
Posts: 1,719
Default Leopard Firewall Has More Holes Than Spots

Security has slipped backwards on the evolutionary ladder in Apple's latest Mac OS X release, security researchers say, with Leopard's firewall having more holes than its namesake cat has spots. "The short answer is the Leopard firewall is ... ugly and a step backwards from 10.4," said Rich Mogull, an independent security consultant and founder of Securosis LLC.


The first security hole is that Leopard's firewall turns itself off by default on installation—even if a user had the firewall turned on before upgrading. That choice flies in the face of what Microsoft has done with Vista, for example: harden security by shipping the operating system with security measures on by default.
Security researchers are also chagrined that Leopard only allows a choice between allow all, deny all, or pick by application; and that it completely hides the firewall rules in a black box that isn't user accessible, Mogull told eWEEK. Even worse, a security researcher from Heise Security has found that the configuration of "block all" does anything but that—meaning that the firewall essentially can't be trusted.
Another issue with Leopard is that, although the newest Mac operating system still includes the open-source firewall ipfw, it needs to be manually configured at the command line.
"I installed Leopard over the weekend and let's just say I plan on hunting down some good ipfw rules sets and will be checking to see if WaterRoof, a [Mac OS X] GUI utility for the firewall, will work in Leopard," Mogull said.
Heise Security's Jürgen Schmidt on Oct. 29 posted an appraisal of Leopard's firewall that concluded that "initial functional testing has already uncovered cause for concern," in spite of the fact that "Apple is using security in general and the new firewall in particular to promote Leopard."
"The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the Internet or wireless networks," Schmidt wrote in the posting. "But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this. By default it is … deactivated. … In contrast to, for example, Windows Vista, the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally."
"Only Apple can explain what precisely is going on here," Schmidt wrote with regards to the firewall's failure to prevent a test service from starting that was initiated by the user and could well have been a Trojan.
Perhaps Apple could explain, but the company chooses not to.
Instead of addressing perceived flaws in the firewall, an Apple spokesman told eWEEK only that the company "takes security very seriously," that it has "a great track record of addressing potential vulnerabilities before they can affect users," and that it always welcomes feedback on how it can make security better on the Mac.
Regarding the firewall's allow all, deny all, or pick by application choices, Mogull noted that the choices are a step backward from the flexibility of Mac OS X 10.4, where the firewall was network service-based, not application based.
In other words, in 10.4, when a user turned on the firewall, he or she was presented with a box that allowed enabling and disabling of network services such as file sharing, a Web server, or SSH (Secure Shell) access.
"Not perfect," Mogull said. "It lacked application or outbound control, but reasonable. There was also a setting to block UDP [User Datagram Protocol]."
In 10.5, the conversion to "allow all, deny all, or select applications" is both limiting and confusing.
"Reading the help files and looking at the dialog window, the labels don't match and it's hard to figure out what's going on," Mogull said. "The dialog window says, 'Set access for specific services and applications' and appears to list currently active network services in the bottom, with a + and - button to add and remove applications. The help file calls this, 'Limit incoming connections to specific services and applications' (emphasis mine) which makes more sense."
But if a user chooses that setting, Mogull said, it appears to allow all network services that have been turned on, and the ability to modify settings disappears. "When you add an application, you can choose allow or deny all, but not for services that you activate from the sharing preferences pane," he said. Also, Apple has no warnings for configuration conflicts. For example, Mogull enabled file sharing but had "deny all" selected.
"My other Mac could see the one sharing (via Bonjour), but couldn't connect," he said. "If deny all was set it shouldn't be broadcasting itself on my LAN, and I should get a warning that the service wouldn't allow connections."
It goes beyond confusion and lack of choice, however. Heise's Schmidt was dismayed to find that choosing the option to block all incoming connections does not in fact stop connections—a finding that means users "can't rely on the firewall," he said.
Specifically, Schmidt found that ports for previously discovered system services are still accessible after choosing "block all," and that even with this firewall configuration it's still possible to communicate via Internet connection with the ntpd (Network Time Protocol daemon) server, which sets and maintains system time of day in sync with the time server.
If activated by the operating system, the NetBIOS name server—which is automatically activated in wired local networks—can also be accessed, regardless of the firewall's configuration, Schmidt found.
"Even if users select 'Block all incoming connections,' potential attackers can continue to communicate with system services such as the time server and possibly with the NetBIOS name server," he said.
It's hard to pin down how much of a threat Leopard's quirky firewall presents, Schmidt said. What's worrisome is that Apple is using a version of ntpd—4.2.2—with a number of known and documented bugs, instead of the current version, 4.2.4. Ditto for Samba, Schmidt said, with Apple using 3.0.25b-apple; releases 3.0.25c and 3.0.26a contained "numerous bug fixes," he noted.
It's not clear whether the bugs are relevant or if Apple has back-ported fixes, Schmidt said, but the worst-case scenario could have serious consequences, given that both Samba and ntpd run as root and don't appear to be supported by new sandbox functions in Leopard.
"If, therefore, a security problem which can be exploited remotely to inject and execute code is detected, an attacker could gain complete control over the system—with all the consequences this entails, right up to mass distribution via a worm," Schmidt said in his posting.




Source
__________________
::::::::::::::::::::
Unban Praka123
::::::::::::::::::::
Vista is my Secretary | Mac is my Girlfriend | Linux is my Wife
"Ek Se Mera Kya Hoga"

Last edited by CadCrazy; 31-10-2007 at 01:26 PM.
CadCrazy is offline  

Old 31-10-2007, 11:36 AM   #2 (permalink)
!! RecuZant By Birth !!
 
naveen_reloaded's Avatar
 
Join Date: May 2005
Location: In Everyone`s Heart
Posts: 2,985
Default Re: Leopard Firewall Has More Holes Than Spots

Vista rocks always, for me at least
__________________
Know My Thoughts..
Visit my Blog @ www.Urssiva.com
Visit My Tech Blog @ www.CloudTechnica.com
naveen_reloaded is offline  
Old 31-10-2007, 12:02 PM   #3 (permalink)
AJJU
 
azzu's Avatar
 
Join Date: Aug 2006
Location: hYdErAbAd
Posts: 2,388
Default Re: Leopard Firewall Has More Holes Than Spots

^^ Die hard fanboyzz
__________________
I love and Live to Design
azzu is offline  
Old 31-10-2007, 06:50 PM   #4 (permalink)
Noobie Pro
 
alsiladka's Avatar
 
Join Date: Jan 2007
Location: Here, there, everywhere
Posts: 1,062
Default Re: Leopard Firewall Has More Holes Than Spots

I'm not going through the article in detail, but wonder why they turned off the FW by default!
__________________
www.twitter.com/alsiladka

Last edited by alsiladka; 31-10-2007 at 06:50 PM. Reason: Automerged Doublepost
alsiladka is offline  
Old 31-10-2007, 06:54 PM   #5 (permalink)
Dreamweaver
 
Gigacore's Avatar
 
Join Date: Aug 2006
Location: Bangalore
Posts: 3,885
Default Re: Leopard Firewall Has More Holes Than Spots

I think LEOPARD is not happy with the half bitten APPLE....

Why leopard has so many FLAWS ?
__________________
Today's noobs are tomorrow's geeks. Don't make fun of them.. encourage them. - Gigacore

Follow me on twitter.com/gigacore
Gigacore is offline  
Old 31-10-2007, 08:14 PM   #6 (permalink)
Human Spambot
 
Join Date: Nov 2004
Location: Madurai
Posts: 2,338
Default Re: Leopard Firewall Has More Holes Than Spots

@Gigacore, Leopards are meat-eaters, hence the dislike for apples

Also, because it is a member of the cat family, it has a lot of claws - oh wait, you asked about flaws...

Arun
sakumar79 is offline  
Old 01-11-2007, 01:57 AM   #7 (permalink)
 Macboy
 
goobimama's Avatar
 
Join Date: Sep 2004
Location: Goa
Posts: 4,486
Default Re: Leopard Firewall Has More Holes Than Spots

Yeah. It's always been a bit weird that the firewall is turned off by default (even with Tiger). I don't turn it on, but still, it would be better to have it turned on by default...
__________________
I'm like a bird...
goobimama is offline  
Old 01-11-2007, 07:03 AM   #8 (permalink)
Dreamweaver
 
Gigacore's Avatar
 
Join Date: Aug 2006
Location: Bangalore
Posts: 3,885
Default Re: Leopard Firewall Has More Holes Than Spots

Firewall is turned off by default, very strange... and anyway, can we use any third-party firewall in Leopard?
__________________
Today's noobs are tomorrow's geeks. Don't make fun of them.. encourage them. - Gigacore

Follow me on twitter.com/gigacore
Gigacore is offline  
Old 01-11-2007, 03:08 PM   #9 (permalink)
The Devil
 
blackpearl's Avatar
 
Join Date: Feb 2006
Location: 0x02AE88C6FF
Posts: 966
Default Re: Leopard Firewall Has More Holes Than Spots

Where is arya?
blackpearl is offline  
Old 01-11-2007, 03:11 PM   #10 (permalink)
 Macboy
 
goobimama's Avatar
 
Join Date: Sep 2004
Location: Goa
Posts: 4,486
Default Re: Leopard Firewall Has More Holes Than Spots

Yes, you can use a third party firewall, but the built in one is good enough. Just takes one click to start it in its default mode.
__________________
I'm like a bird...
goobimama is offline  
Old 01-11-2007, 07:34 PM   #11 (permalink)
Human Spambot
 
aryayush's Avatar
 
Join Date: May 2005
Location: Noida
Posts: 5,593
Default Re: Leopard Firewall Has More Holes Than Spots

The firewall is turned on by default in Leopard, Milind.
__________________
Miss me already? See you on Penned Thoughts [http://aayush.me] then. Adios!
aryayush is offline  
Old 01-11-2007, 08:01 PM   #12 (permalink)
 Macboy
 
goobimama's Avatar
 
Join Date: Sep 2004
Location: Goa
Posts: 4,486
Default Re: Leopard Firewall Has More Holes Than Spots

I haven't checked actually, but it was off in Tiger.
__________________
I'm like a bird...
goobimama is offline  
Old 01-11-2007, 09:17 PM   #13 (permalink)
Human Spambot
 
aryayush's Avatar
 
Join Date: May 2005
Location: Noida
Posts: 5,593
Default Re: Leopard Firewall Has More Holes Than Spots

Yes, it was. They've changed that with Leopard.
__________________
Miss me already? See you on Penned Thoughts [http://aayush.me] then. Adios!
aryayush is offline  