Security site knocks spots off Mac OS X Leopard firewall
Even when you turn it on it's no good
It's been a rocky week for security-conscious Mac fans. A rare appearance of a Trojan targeting Mac fans made it out onto the net and the release of Apple's much vaunted Leopard operating system was marred by security concerns about its firewall.
Reports of Leopard installs hanging at boot, behaviour compared by some to the Blue Screen of Death of Windows notoriety, didn't help either. An unsupported add-on extension for a Logitech mouse driver has emerged as the main suspect behind that stability issue.
Much has been made of the Trojan, dubbed RSPlug-A, after it was found on several porn websites. To get infected, users have to give explicit permission for the malware, which poses as a codec, to run. The firewall issue, by contrast, affects all users upgrading to Leopard - not just those hunting for free skin flicks.
Users upgrading to Leopard found the built-in firewall deactivated when they upgraded from Tiger, the previous version of Mac OS X. This removes an important defence against hacker attacks and removes a way to prevent Mac computers infected by a worm from spreading infection. Admittedly, this is an unlikely risk, but the failing of the firewall is a surprise, given that improved security was an Apple design goal for Leopard.
A review by Heise Security found the firewall's issues run deeper than simply being turned off by default. Even after activation the technology has a number of shortcomings.
Setting a poor example
Heise notes that, in contrast to the Windows firewall, the Leopard firewall does not include a setting to allow a distinction to be made between trusted corporate networks and riskier environments, such as Wi-Fi hotspots.
If a user selects "Block all incoming connections" the firewall reportedly blocks most ports and services, but not all. Potential hackers might be able to communicate with system services such as a time server and (possibly and more seriously) with the NetBIOS name server, according to Heise. Adding to the problems, Leopard bundles older versions of third-party open source tools known to contain security bugs.
Heise's overall verdict is damning. "The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, 'Block all incoming connections', it allows access to system services from the internet," it concludes.
"Apple is showing here a casual attitude with regard to security questions which strongly recalls that of Microsoft four years ago," it adds.
Other researchers have criticised Leopard's firewall, albeit to a lesser extent than Heise. Security blogger Rich Mogull reckons the firewall is a mess, but he takes issue with a key Heise finding. He agrees that, with "stealth mode" enabled on the firewall, services show up in port scans. Crucially, however, they can't actually be used.
In fairness it's worth pointing out that Leopard's firewall is less than a week old. Glitches and security bugs accompany every major operating system upgrade, not just those from Apple.
Windows Firewall was long present in XP, but never activated by default until Service Pack 2, after the Sasser and Nimda worm outbreaks had concentrated minds at Redmond.
Let's hope it won't take a similar incident to spur Apple into action. ®
How many Leopards are not going to be behind a firewall?
Simon - when did you last visit a Starbucks and see all the Steve disciples pretending to study whilst posing with their iMac, iPod, iPhone and iLatte?
Morely: Almost all firewall devices are simply cut-down machines with a CPU, some RAM, a network card and some form of NV storage upon which the OS & software is stored. ALL of them are driven by software that defines their function as firewalls. All of them are updateable otherwise you'd need to throw the tin away once every couple of months as the manufacturer released improvements and enhancements. Running well engineered firewall software on your machine is (for most people) as good as running a separate physical firewall device since that software should put a hard boundary between the outside world's network and the user's environment.
I think that what the researchers were pointing out is a valid weakness in Apple's current firewall in that it can't easily arbitrate traffic based on whether the network the user is connected to is a trusted network (e.g. home or work) or an untrusted network (e.g. Starbucks, hotel, airport, etc). I'm sure they'll get around to fixing this, but I agree that it's something of a glaring omission which could well result in an increasing number of disciples getting smacked by a hacker.
As MacOS increases in popularity, Apple is going to have to start taking security seriously, as serious hackers don't tend to attack a weakness because of religious or ideological positions - they tend to do it for notoriety and/or "to prove it can be done", and/or for personal gain.
Only time will tell if Apple have the maturity and ethics that result in them doing the right thing.
Let's be honest
Hand on heart, how many Leopard machines nowadays are not going to be behind either a corporate firewall or at worst a home user one? I think people are just looking at a way to get at Apple in the same way we so salaciously do with Microshaft. This isn't quite the apocalyptic bug that folks are trying to make it out to be. Also you can bet your bottom dollar that this will be addressed a lot quicker than if Redmond's supremely talented chimps were 'fixing' it.
You're feeding the troll, mind yourself!
@Pascal - you know when you update the firmware on your firewall? That's how you overwrite the code...
I'm not sure why a perimeter firewall would be any more secure than just a NAT'ing ADSL router that doesn't map inbound connections, for round the house use.
@127.58.165.28 - hacked you easily. Just check, I set your system up just how I like it... ;-)
All I know is, I left my mac 10.4.x without a firewall in the DMZ for 4 months, non-stop .... I use it as an nfs file server (local net only) and web server in home network ... although I got quite a few idiots attempting to log on via ssh, nobody ever got in, as far as I can tell ... Ok, I change my password at least once a month with [a-z]+[A-z]+[1-9]+ in it, and not replacing i's with 1's etc but, i doubt a windows box could survive that! Firewall, never used it on my mac ... what for? And, if you want to try and hack me, my IP is 127.58.165.28
Ever think that someone who buys a different computer than yours might do so because their wants and needs are different from yours?
That's why I use a Mac, not a PC!