The Register® — Biting the hand that feeds IT

Feeds

Mac OS X firewall blocks Skype and online gamers

You realise, of course, this means Warcraft

Magic Quadrant for Enterprise Backup/Recovery

The list of problems with the firewall bundled with Mac OS X Leopard operating system is growing.

Not only is Leopard's firewall deactivated upon installation it also trips up Skype and online gaming applications. Both German security news service Heise and security blogger Rich Mogull encountered the problem, the latest in a series each has discovered with the firewall.

Mogull traced the issue to the firewall's (application security) code signing features. Leopard signs applications on launch that aren’t already signed via Apple. The approach is designed to create a mechanism to block malware from altering executable files.

Unfortunately, some applications, such as Skype, may change as they run. This can cause a signature mismatch, and a refusal by the firewall to allow the application to run. Reinstalling the application fixes the problem, but is hardly convenient.

Heise has a similar diagnosis of the problem, which has also affected World of WarCraft gamers, it notes. Postings on World of WarCraft forums suggest a reinstall of the game is needed to get around the bug.

In personal firewalls for Windows with application firewall settings, such as Zone Alarm, users with admin privileges can manually change program privileges. Apple's failure to include something similar in Leopard's firewall in causing problems for some, but by no means all, users.

Reg Hardware editor, Tony Smith, who recently carried out a review of Mac OS X Leopard, reports that he was able to get Skype operating through the new firewall without any problems. ®

Magic Quadrant for Enterprise Backup/Recovery

Latest Comments
Anonymous Coward

I wasn't clear enough (I think you'll find)

In normal use, Skype doesn't modify anything in it's .app folder. The Skype binary in Skype.app/Contents/MacOS/Skype checks itself for consistency. The Leopard firewall alters that binary, thus tripping up Skype's internal consistency check.

Skype is paranoid. Apple's assumed that developers aren't.

Anyway, go verify for yourself:-

Install a fresh copy of skype. Then:-

cd /Applications

find Skype.app -type f -exec sum {} \; > 1

Run Skype. See, it works. Quit it. Run it again. Still works? Yup. Quit it.

Grab another file of checksums now you've run it once or twice.

find Skype.app -type f -exec sum {} \; > 2

diff 1 2

The diff should show no change in checksums.

Now turn on the Leopard firewall (I'm using "set access for specific services and applications"), run Skype, and say "always allow" to the firewall prompt. Skype is still working at this point.

Quit skype and try to relaunch - it's borked. Grab another set of checksums:-

find Skype.app -type f -exec sum {} \; > 3

diff 2 3

See how the binary's changed, and there's a CodeResources file there now.

system.log says:-

Nov 7 20:30:44 lapdog com.skype.skype[22549]: Main starting

Nov 7 20:30:44 lapdog com.skype.skype[22549]: Check 1 failed. Can't run Skype

Further confirming that it's Skype refusing to run, not Leopard actively blocking it.

A quick workaround is to run Skype from it's dmg rather than from a conventional location: the dmg is mounted read only so Leopard can't fiddle with it. Of course, if Skype needed to modify itself to run, this would also fail. It doesn't. Or hasn't yet failed for me.

Sorry to go on at length, but there's a lot of bollocks kicking around here. And no, I'm not a Skype apologist: it fecks me off as much as the next man that it's a bugger to spot on the network.

Lastly: check out http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf for an old-ish but interesting insight into the paranoia of the Skype app.

0
0

@ Jacob Reid

OK Jacob, Go lie down and sober up. Then post that again so that it makes some sense.

0
0

@Shakje

The problem with Vista and WoW (or indeed addon installers like wowace) is that it requires write permissions to the World of Warcraft directory whenever the launchers wants to install a patch. The common experience is to see the patch downloaded then fail to install, and wow prematurely ends.

As for wowace and similar software they just fail every time they try to install an addon.

So you have several choices for wow itself, run in admin mode to install a patch or set the permissions on your wow directory so your regular account can write to it. Running wowace in admin mode doesn't work - the download/install functions are separate tasks and therefore lose the admin priveleges - so you're limited to choice no. 2 (or logging in as administrator just to install addons).

I don't feel either represents too great a risk, however wow is one of the most attacked games in terms of account theft. This is usually done by cracking php guild websites and taking their user's passwords, unfortunately too many people use the same password or simple variations for everything. However if you fail to use the Blizzard launcher (which detects the most commonly used malware and key loggers), if you're running in admin mode you are opening yourself up a tad. Not too much, but just a bit.

The reality is the worst I can see happening is you lose your program directory and need to reinstall the game. It's a pain because you'd have to download large numbers of patches, but nothing more problematic than a new user installing WoW for the first time.

As for other online games, I don't know, I don't play them - but it's good to hear they don't cause these sorts of problems. :)

0
0

More from The Register

Interwebs taunt Sir Jony over Apple eye candy makeover
Hey Ive, Ive... add more unicorns, willya?
Apple: iOS7 dayglo Barbie makeover is UNFINISHED - report
Plus: You don't like the icons? Blame marketing
SCO vs. IBM battle resumes over ownership of Unix
Zombie lawsuit back and wants to suck the brains out of Linux
Red Hat to ditch MySQL for MariaDB in RHEL 7
So long, Oracle! Don't let the door hit you on the way out
Java EE 7 melds HTML5 with enterprise apps
New release arrives with GlassFish, NetBeans support
 breaking news
'Office Facebook' firm Tibbr wants you to PAY for mobe-meetings app
Great idea. Punters won't cough for it though
 breaking news
The only Waze is Google: Ad giant tipped to gobble map app 'for $1.3bn'
Pac-Man-satnav-ish upstart in bidding war with Apple, Facebook
 breaking news
PM Cameron calls for modern, programmable computers! (We think)
IT education musings to G8 chiefs to mystify IT industry
Apple at WWDC: Sleek new iOS, death of the big cats, pint-sized Mac Pro
CEO Cook: 'The biggest change to iOS since the introduction of the iPhone'
Chrome and Firefox are planet-wreckers, IE cuddles dolphins
Microsoft-commissioned study finds IE sucks less power than rival browsers