Holes in Leopard's firewall

Although Apple is selling its new Mac OS X Leopard operating system on its improved security, researchers at Heise Security have already found fault with its firewall. Unlike with Windows Vista, the Apple firewall is not enabled by default and must be enabled by the end user. Even if you had the firewall enabled in a previous version of the Mac OS X, after an upgrade to Leopard the firewall will again be set to "Allow all incoming connections." It will be disabled.

According to Jürgen Schmidt, editor in chief at Heise Security, if you enable the Apple firewall and set it to "Block all incoming connections," access from the Internet to certain internal system services will still be allowed. As an example, he said that his team was able to query the NetBIOS Naming Service over a Lan network even with full blocking enabled. The team was also unable to specifically enable UDP filtering within Leopard, which should block access to NetBIOS.

Schmidt also faulted Apple for not including the latest versions of open-source applications within Leopard. In August, Charles Miller of Independent Security Evaluators noted the same at the annual Black Hat conference in Las Vegas. The expectation over the summer had been that Leopard would include the most recent version of several open-source applications and protocols.

Within Leopard, Schmidt noted that Apple ships ntpd 4.2.2, while the latest version is 4.2.4, although he admits that it is unclear whether there are any exploitable vulnerabilities here.

That's not the case with Samba, a primary networking protocol. Over the summer Apple did update its Samba package, but not to the most recent version. Leopard ships with version 3.0.025b (same as Tiger). The more recent releases of Samaba, 3.0.25c and 3.0.26a, do include several known bug fixes so it is unclear why Apple did not update Samba within Leopard.

Apple has a longstanding policy about not commenting in public on issues regarding the security of its products.

[bond co. stooge]

Been running...

...without my firewall turned on in OS X since 2002.

[yipcanjo]

Awesome.

That doesn't make you smart or clever, however -- just lucky.

[arluthier]

Dang...

I sure wish IP addresses were posted with the comments... that might have made for some fun. hehe

[yipcanjo]

But....

...Steve Jobs can do no wrong!

This is *clearly* Microsoft's fault.

;)

[Gunady]

I agree..

LOL

[Kissmyne]

LOL

Actually thats pretty funny..


Companies need to take responsibility for themselves period.

[mailbox001]

OS X don't need it,

Because OS X is immune to virus, trojans, malware, etc, what's the point of having any securiy software.

[FutureGuy]

nothing is "immune"

grow up kiddo.

[this1!]

post your IP

that is if you REALLY think its immune...

[rcrusoe]

Nothing is secure

Fifteen years in the business has taught me the only computer that
is "immune to virus, trojans, malware, etc" is one that is still in the
box. - and under armed guard.

OS X will eventually be successfully attacked. Every OS so far has
been, with the possible exception of OS/400.

[arluthier]

LOL

I hope that was sarcasm. :-)

[Al Giacoio]

Rotten APPLE?

It's amazing, when Apple was closed off from the world they were able to keep things like this from happening but now when you play with the big boys like Microsoft on a level playing feild Apple isn't so perfect!!!! Wow, they launched the iPhone which pushed OS X back and still managed to leave holes and the OS is no faster and not compatable with major titles. I guess they can pull all those idiotic commercials!

[htown1962]

hey dummy...

they haven't run those ads in months!

[protagonistic]

RE: Rotten APPLE?

That may be, but at least it does not slow older hardware down to
the point of being unusable like Vista does. And most of us don't
even have to upgrade their HW to run it.

And if the playing field was level Windows would not be almost a
monopoly. And I am not talking OS X here.

[Kissmyne]

Ok are you serious.....

Ok first thing.. play with the big boys? ***!?! Second Apple never said they made perfect software, but ya know at least they can fool some people. On the other hand, since we are talking about PERFECTION, where exactly does that put Windows Vista? And as far as security holes go, if you look hard enough for something you are bound to find it regardless of the software, and Apple is under a microscope as far as that goes...

[NeverFade]

You ALWAYS had to turn on the firewall

This is no different with the previous versions in that aspect.

[rapier1]

Well

One of th things it does say is that when you do an upgrade it
revert the firewall back to off. Probably a mistake overall.

[Penguinisto]

Ignorance and Idiocy.

First off - Leopard is built not to run a single monolithic firewall, but to grant network reception and sending permissions on an app-by-app basis.

If Leopard trusts the app/service (which is either trusted via cryptographic signature or by being initiated by the root user), it gets network access. Otherwise, it simply does not.

Simply put - in order to break in, you either have to have the cryptographic trust, or you already have to know the local machine's root password.

And BTW - for the truly paranoid, the traditional firewall is sitting there in System Preferences, where you can turn it on at any time after installation. This will give you twice the protection that Vista could ever hope to give in its current state.

==========

Second Up - The title is misleading, the content is misleading (and inaccurate, and incomplete), and Heise is more used to pure *nix, where iptables/ipf trumps all. Things are a bit more nuanced nowadays, so call me when/if (most likely "if") someone manages to actually break into a Leopard machine, 'kay?

=========

Meanwhile, anyone who doesn't have a home firewall appliance (not the one from the cable/DSL company, the one you buy and put in between the cable/DSL modem and your computers) deserves what they get by now *shrug*.

It's called "defense in depth", and maybe more than just some people will get a clue and practice it?

/P

[ferretboy88]

The iphone had 9 holes

If Apple made perfect software then they would never have to give
you security updates. I remember the iphone had flaws where
people were getting their info taken. its better to be safe than
sorry. Steve Woz said that OS 10 had some security flaws that were
not around in OS 9.

[Vegaman_Dan]

Firewall or not to firewall.

You've commented before that having any sort of firewall to protect a Mac was a waste of a fool's money. Now you are suggesting people should run a hardware firewall instead?

I'm confused here. Should people run a firewall or not? Software or hardware? Your comments in the past contradict what you're saying here. A clarification of your stand on firewalls and security would be appreciated to avoid confusion in the future.

[theveggiedude]

huh?

"Wow, they launched the iPhone which pushed OS X back and still managed to leave holes and the OS is no faster and not compatable with major titles"

What "major" titles are you referring to? All my applications are working. Such as Adobe PhotoShop, Firefox, Transmit, Final Cut Pro, Yahoo IM, World of Warcraft and including my not so major ones like BluePhoneElite and other shareware.

And not faster? I think it is faster. What is your source?

Mac OS X is not perfect, but lets not forget there is still not one virus for OS X in its seven year history.

[marcs57]

What about this?

http://www.macworld.com/news/2007/10/31/trojan/index.php

(not a virus, but still bad)

[UrbanBard]

I don't believe the article is true.

The Mac OS's firewall is always turned on. You have to make
exceptions by opening up ports to allow file sharing, screen
sharing, Skype, et.

I don't have Leopard yet, but I don't see Apple changing that,

Here is what Apple says,
"Mac OS X includes firewall software you can use to block
unwanted network communication with your computer. Using a
firewall protects your computer from users on other networks or
the Internet.

In order to use Mac OS X services, such as personal file sharing,
Windows sharing, or FTP access, you need to open ports in the
firewall to allow traffic for that service to and from your
computer. When you select a service in the Services pane of
Sharing preferences, it is automatically selected in the Firewall
pane, and the port is opened."

As it says, these ports are closed unless you open them.

[_t3h]

No...

> I remember the iphone had flaws where
people were getting their info taken.

No, you remember flaws which could have potentially been used
for this purpose. At no stage was this ever actually 'in the wild' (not
that it's OK of course, but there is a difference).

[_t3h]

On that matter

It actually did rather well. Not only was it being hit by 30mbit of
traffic, it was hosting a webserver, and was dugg, slashdotted and
reddited all at the same time.

[b_baggins]

You don't need a firewall

if your services are turned off. And they are by default in OS X. The authors make a big deal about being able to query Netbios names with the firewall on.

Well, duh, that's because netbios is DISABLED by default in OS X. You have to turn it ON. When you do, OS X is smart enough to know that you would probably like the firewall to open a port to this service, since you JUST TURNED IT ON and so does that for you automatically when you turn on the firewall.

Classic FUD.

[baddawg65]

No bulletproof system.

For those who believe in that the Mac is absolutely bulletproof is mistaken. There is no such thing as system that will be total invulnerable to attack when connected to the internet. Just that Mac only has 5% of the market is the reason the cracker and other miscreants hasn't fully jumped on the Mac yet. But as the Mac gains in popularity we will get a dose what Windows get eventually. Bigger warning for those who run VINE or Crossover with Windows on their Intel based Mac because the virtualization will allow Windows application to do things on the Mac side also so in theory an virus that could erase an file on the "Windows" will erase the same file in Mac side.

[ralfthedog]

Correct me if I am wrong...

Correct me if I am wrong. Windows can't read Linux/Mac file systems.

No one thinks that OS-X or Linux are imposable to hack or write a virus for. It is just that Windows is effectively defenseless.

From time to time hackers have contests to see who can break into more systems or deface more websites (Please don't ask me how I know.). Different point values are given to different operating systems.

Linux or other Unix operating systems will give you one point. OS-X will give you 3 or 4. You don't get any points for hacking Windows. It is like shooting a 30 foot picture of a fish in a barrel with a shotgun from five feet away (Nothing to brag about).

[qprize]

more trademark FUD from c|net

So, if you screw with the security settings you may have security
vulnerabilities?! If you roll down the windows and leave the keys in the
ignition your car may get stolen, too. But if you leave OS X's settings alone,
usie the default mode that 99% of Apple users run, you're safe.

Maybe you could run another Mac Attack contest, and change this security
setting, too. Then you may finally give away those MacBooks and the 10
grand you never paid out from the last "successful" attack.

OS X and Apple is simply better. Heck, Apple and Vista is simply better -
take a look at PC Magazines latest Windows speed tests!

It's time to give it up. Either go to journalism school, fold your tent, or
simply rebrand yourself Microsoft. You're a laughingstock as it now stands.

[TGallag69]

I dont get it?

I thought Mac was bullet proof & immune from all the "bad things" found on the Internet? So WHY does it need a firewall?

[TheMusicMan12]

Interesting?????

Everyone needs a an effective firewall.

What is interesting though is that when I ran my own nmap port
scan (sudo nmap -sU ipaddress - the same that they ran) on a
MacBook that I own and I got this: All 1488 scanned ports on
xx.x.x.x are open|filtered.

According to nmap documentation:

open|filtered

Nmap places ports in this state when it is unable to determine
whether a port is open or filtered. This occurs for scan types in
which open ports give no response. The lack of response could
also mean that a packet filter dropped the probe or any
response it elicited. So Nmap does not know for sure whether
the port is open or being filtered. The UDP, IP protocol, FIN, null,
and Xmas scans classify ports this way.

It interesting that I should get a different result???

[afterhours]

samba

well, using a windows filesharing protocol can potentially open a Mac up to exploits of that protocol -- another fine legacy from Windows. Macs are vastly more secure than anything windows, but that doesn't leave it bullitproof to stupid users who undo stuff.

I'm trying to see where the Firewall settings are left open by default. I don't see it in Leopard. Could it be that such was the setting imported from the tester's Tiger install? It would be useful if journalists could ask such questions or address them -- you know, the simple stuff: what settings are wide open or 'vulnerable' to a system with a clean install, not a migrated package adopting bad user habits from the prior system. Alas, these journalists can't be bothered with details. Cnet -- hire someone who can ask better questions and write more complete answers. The rest (be it Mac, Windows, Linux, Commodore64) is all FUD.

[barbara mae]

YOUV'VE GOT TO BE KIDDDING!!

Seriously!! Nothing is perfect. Apple is having some virus problems, very small in comparison to the "other" operating system. In fact just recently they caught a "cold" (re virus) from Microsoft. The comment on the news wires is "Shame on Microsoft for not checking their stuff before its put on the shelf...however it goes on to say "shame on Apple for believing that they were totally immune....and whose the consumer going to blame when their prized APPLE gets a "cold"!
Believe me, don't be that kind of bird that sticks its head in a hole and says....nothings happening outside because I can't see it.

[WhinterIzzy]

I read about this before, so I looked more closely at what actually happened. The "hacker" used javascript to cause safari to download and run a script that opened openssh to anyone allowing the "hacker" to gain access to the system. All these claims about it being Apple's firewall is bogus. This script would in reality because safari has a freaking off switch for the automatic download, and so saying it's a hole in Apple's firewall is complete bull.

[geo11101]

Eric Schmidt is the biggest Mafia puppet in the US. He is bad news for apple users. http://endmafia.com