#1 midijeep, November 17th, 2007, 01:23 AM

November 15th, 2007
Apple admits to ‘misleading’ Leopard firewall settings
Posted by Ryan Naraine @ 11:14 am

Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard.

The acknowledgment from Cupertino comes less than a month after independent researchers threw cold water on Apple’s claim that Leopard’s firewall can block all incoming connections.

In an advisory accompanying the Mac OS X v10.5.1 update, Apple admitted that the “Block all incoming connections” setting for the firewall is misleading.

“The ‘Block all incoming connections’ setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services,” Apple said.

With the fix, the firewall more accurately describes the option as “Allow only essential services” and limits the processes permitted to receive incoming connections under this setting to a small fixed set of system services, Apple said.

Two other Application Firewall flaws are addressed:

CVE-2007-4703: The “Set access for specific services and applications” setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as “Block incoming connections”. This could result in the unexpected exposure of network services.

CVE-2007-4704: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access.

The Leopard firewall patch comes less than 24 hours after Apple shipped a monster update to cover at least 41 Mac OS X and Safari for Windows (beta) vulnerabilities.
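
Added example, not part of the original post, the quoted article or Apple's advisory: a way to list which sockets on a host fall under the two exemptions described above (owner is root, or the process is mDNSResponder) and are bound to a network-reachable address. It assumes the usual `lsof -nP -i` column layout; the function names are hypothetical and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: reads `lsof -nP -i` style rows on stdin and prints the
# inbound-capable sockets covered by the exemptions in the advisory text.
exempt_listeners() {
  awk '
    $1 == "COMMAND" { next }                 # lsof header row
    {
      cmd = $1; pid = $2; user = $3; proto = $8; name = $9; state = $10
      if (proto == "TCP") {
        if (state != "(LISTEN)") next        # connected or closing socket
      } else if (proto == "UDP") {
        if (index(name, "->")) next          # connected UDP, has a peer
      } else next
      # Loopback-only binds are not reachable from the network.
      if (name ~ /^(127\.|localhost:|\[::1\]:)/) next
      if (user == "root") why = "uid0"       # root exemption
      else if (cmd == "mDNSResponder") why = "mdns"
      else next                              # subject to firewall rules
      print cmd, pid, proto, name, why
    }'
}

# Constructed sample rows, not captured from a real host.
sample_lsof() {
  cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root 20u IPv4 0x01 0t0 TCP *:22 (LISTEN)
cupsd 45 root 7u IPv4 0x02 0t0 TCP 127.0.0.1:631 (LISTEN)
mDNSResponder 21 _mdnsresponder 8u IPv4 0x03 0t0 UDP *:5353
ntpd 30 root 20u IPv4 0x04 0t0 UDP *:123
iTunes 310 alice 25u IPv4 0x05 0t0 TCP *:3689 (LISTEN)
sshd 402 root 5u IPv4 0x06 0t0 TCP 192.168.1.10:22->192.168.1.50:50211 (ESTABLISHED)
EOF
}

# On a real host: sudo lsof -nP -i | exempt_listeners
sample_lsof | exempt_listeners
```

Each output row is command, PID, protocol, bound address and the exemption that applies (`uid0` or `mdns`).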

#2 Damrod, November 17th, 2007, 07:04 AM
I still don't trust the new application firewall. I'd rather rely on the still present ipfw (configured quite solid with Flying Buttress) combined with LittleSnitch.

#3 Thank The Cheese, November 17th, 2007, 08:22 PM
The biggest security flaw of all is simply the fact that it is not on by default. If there is one thing they should have learned from Windows, it's that the firewall should be on by default.

btw, the article cited is from by Ryan Naraine

#4 zynizen, November 20th, 2007, 08:41 AM
So why is Leopard even released if it's nothing it's cracked up to be? What did they actually improve then? I've been reading tons of articles posted here over the last few weeks about Leopard and issues, it seems it's not even worth the headaches, but so many millions of people are still happy?

Did they rush the OS? Geeez...

#5 lurk, November 21st, 2007, 08:45 AM
The happy people don't complain. Even I complain and I am happy so go figure. There are some things that are not working right but there are many more that are and I for one cannot imagine going back.

Reading these kinds of threads and the discussion threads at apple.com is not a good way of forming an opinion.

#6 ElDiabloConCaca, November 21st, 2007, 09:46 AM
Quote:
Originally Posted by zynizen
So why is Leopard even released if it's nothing it's cracked up to be? What did they actually improve then? I've been reading tons of articles posted here over the last few weeks about Leopard and issues, it seems it's not even worth the headaches, but so many millions of people are still happy?

Did they rush the OS? Geeez...
For starts, this is a "help" forum -- so you're going to be reading about problems and issues with Mac OS X here. Rarely does a person simply post the good things about Mac OS X because this is mainly a place to get help fixing problems.

Imagine going to a car repair shop. Sure, you'd see a ton of broken cars, but it would be silly and unreasonable to infer that ALL cars are broken, no? I mean, you went to a place where a very small fraction of cars go to be fixed... similar to here: you came to a place where problems with Mac OS X are discussed, debated, and/or solved -- it's silly to infer that Mac OS X is inherently "broken" by what you read here.

#7 Ferdinand, November 21st, 2007, 10:43 AM
Quote:
Originally Posted by ElDiabloConCaca
Imagine going to a car repair shop. Sure, you'd see a ton of broken cars, but it would be silly and unreasonable to infer that ALL cars are broken, no? I mean, you went to a place where a very small fraction of cars go to be fixed... similar to here: you came to a place where problems with Mac OS X are discussed, debated, and/or solved -- it's silly to infer that Mac OS X is inherently "broken" by what you read here.
Great said! I agree completely.