Apple Fixes 'Misleading' Leopard Firewall Settings

Posted by Zonk on Thursday November 15, @05:23PM
from the walls-need-to-be-just-a-teensy-bit-thicker dept.
4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."

Related Stories

[+] OS X Leopard Firewall Flawed 300 comments
cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."
  • Apple's "everything just works" niceties depend on things like Bonjour, in particular, being able to be accessed, and most users would end up selecting "Block all incoming connections" when making a firewall choice, because they won't really understand anything else...and "more" is "better", right? So blocking all must mean I'm super secure! Firewall good! Hacker bad! ...Except that now when I get my AppleTV and buy my son or daughter an iMac and expect to be able to do all the cool stuff that doesn't require any configuration and "just works"...nothing works. Why doesn't it work?

    They won't be able to answer that any more than they know what to pick on the Firewall preferences screen.

    So what Apple does is a little bit of deciding for the user what makes sense. The first step was going to an intelligent application level firewall that makes it a lot more functional and easier to use. The next was making some policies that allow services Apple considers "essential" to the whole Mac OS X user experience. And like it or not, Bonjour is an integral part of that.

    Anyone who knows enough to know, for certain, that they don't want, e.g., Bonjour open, also knows how to use any of a number of free or commercial commandline or graphical options to set up ipfw or other network level protections any way they wish. That's the bottom line: anyone who knows enough to "know" they "really" want to disable all incoming connections can still easily do so.

    This is about making security easy for typical, average users, while still keeping things that make the Mac experience "just work".

    Now, I *do* wish that Apple had one more option: Block *everything*, but explain, hey, this is going to break some things like Bonjour, etc., so be SURE that you want to do this, and don't complain if all of a sudden your AppleTV syncing and iTunes sharing and automatic local machine discovery no longer work.

    Apple describes all of this very explicitly here [apple.com]:

    The 10.5.0 Application Firewall blocked all but:

              Processes that are running as UID 0
              mDNSResponder

    The 10.5.1 Application Firewall blocks all but:

              configd, which implements DHCP and other network configuration services
              mDNSResponder, which implements Bonjour
              racoon, which implements IPSec

    So, while I haven't extensively tested yet, it does NOT appear to allow UID 0 processes, but rather only the above processes.

    And from here [apple.com]:

    CVE-ID: CVE-2007-4702

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: The "Block all incoming connections" setting for the firewall is misleading

    Description: The "Block all incoming connections" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services. This update addresses the issue by more accurately describing the option as "Allow only essential services", and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services: configd (for DHCP and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec). The "Help" content for the Application Firewall is also updated to provide further information. This issue does not affect systems prior to Mac OS X v10.5.

    CVE-ID: CVE-2007-4703

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: Processes running as user "root" (UID 0) cannot be blocked when the firewall is set to "Set access for specific services and applications"

    Description: The "Set access for specific services and applications" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as "Block incoming connections". This could result in the unexpected exposure of network services. This update corrects the issue so that any executable so marked is blocked. This issue does not affect systems prior to Mac OS X v10.5.

    CVE-ID: CVE-2007-4704

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: Changes to Application Firewall settings do not affect processes started by launchd until they are restarted

    Description: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access. This update corrects the issue so that changes take effect immediately. This issue does not affect systems prior to Mac OS X v10.5.


    Based on this, I'd say that several major issues with the Application Firewall have been addressed. Namely, the assertion that "Block all incoming connections" was misleading, and always allowing access to all UID 0 applications, regardless of explicit settings.

    And from the comments in the last slashdot article about this, a lot of people weren't upset so much that Apple was making a judgment to still allow things like, e.g., Bonjour, but that "Block all incoming connections" didn't do just that. So they've tightened up the implementation and clarified the user interface. And, "ipfw technology is still accessible [...] and the Application Firewall does not overrule rules set with ipfw; if ipfw blocks an incoming packet, the Application Firewall will not process it."

    That, and firewalls that are blocking "everything" often really still aren't blocking everything. They're still allowing back stateless traffic from DNS queries and VPN traffic and things of that nature, often by default. There's a lot more nuance here. And Apple fixing these problems isn't "fessing up" to anything. It's addressing legitimate security concerns that have been brought to their attention in a timely manner. Is that not what we expect and want Apple to be doing?

    This summary is laughable: "fessed up"..."threw cold water on"..."provided cover for"..."Apple's claim that Leopard's firewall can block all incoming connections". Come on. It wasn't like Apple tried to make a firewall that could block all incoming connections and failed. They made a firewall that intentionally still allowed some services; essentially "Block all (but essential) incoming connections". And they had some mistakes in implementation. And the other security updates are for 10.4.x.

    But instead of pointing out that Apple, for the first time, is also providing [apple.com] security updates for 10.x-2 where 10.x is the current release (Sec Update 2007-008 provides fixes for 10.3.9), I guess it's better to poke fun at Apple for actually fixing security vulnerabilities... :-/
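
Added example, not part of the comment above and not Apple's code: a small Python model of the rules quoted from Apple's notes, run over a constructed `lsof`-style listing, to show which listeners each rule set leaves reachable. Matching processes by name, the sample listing, and the `testd` and `userd` services are assumptions made for illustration.

```python
"""Model of the Application Firewall rules quoted above (illustration only)."""
from dataclasses import dataclass

# Constructed sample in the column layout of `lsof +c 0 -l -nP -i`
# (+c 0: untruncated command names, -l: numeric UIDs). Not taken from a real host.
# testd and userd are hypothetical test services (one run as root, one as a user).
SAMPLE_LSOF = """\
COMMAND        PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
mDNSResponder   21   65  7u  IPv4 0x01   0t0      UDP  *:5353
configd         14    0  9u  IPv4 0x02   0t0      UDP  *:68
ntpd            18    0  20u IPv4 0x03   0t0      UDP  *:123
nmbd           212    0  8u  IPv4 0x04   0t0      UDP  *:137
testd          640    0  3u  IPv4 0x06   0t0      TCP  *:8080 (LISTEN)
userd          655  501  3u  IPv4 0x07   0t0      TCP  *:1337 (LISTEN)
Safari         700  501  12u IPv4 0x08   0t0      TCP  192.168.1.5:49200->203.0.113.9:80 (ESTABLISHED)
"""

# Fixed set named in the 10.5.1 note. Assumption: matched by process name here;
# the page does not say how the real firewall identifies these processes.
ESSENTIAL_10_5_1 = {"configd", "mDNSResponder", "racoon"}


@dataclass(frozen=True)
class Listener:
    command: str
    uid: int
    proto: str
    port: int


def parse_listeners(text):
    """Return sockets that can receive unsolicited traffic (TCP LISTEN, unconnected UDP)."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 9 or not f[2].isdigit():
            continue
        command, uid, proto, name = f[0], int(f[2]), f[7], f[8]
        if "->" in name:                        # connected socket, not a listener
            continue
        if proto == "TCP" and "(LISTEN)" not in f[9:]:
            continue
        port = name.rsplit(":", 1)[-1]
        if not port.isdigit():                  # e.g. "*:*", no bound port
            continue
        listeners.append(Listener(command, uid, proto, int(port)))
    return listeners


def reachable_block_all_10_5_0(l):
    """10.5.0 'Block all incoming connections': root and mDNSResponder pass (CVE-2007-4702)."""
    return l.uid == 0 or l.command == "mDNSResponder"


def reachable_essential_10_5_1(l):
    """10.5.1 'Allow only essential services': only the fixed set passes."""
    return l.command in ESSENTIAL_10_5_1


def blocked_entry_still_reachable(l, patched):
    """Per-application mode with the entry marked 'Block incoming connections'.

    Before the update a UID 0 process ignored its own block entry (CVE-2007-4703).
    """
    return (not patched) and l.uid == 0


def exposure_report(text):
    """Compare what each rule set leaves reachable for the same set of listeners."""
    rows = parse_listeners(text)
    before = {l.command for l in rows if reachable_block_all_10_5_0(l)}
    after = {l.command for l in rows if reachable_essential_10_5_1(l)}
    return {
        "block_all_10_5_0": sorted(before),
        "essential_10_5_1": sorted(after),
        "closed_by_update": sorted(before - after),
    }


if __name__ == "__main__":
    for key, names in exposure_report(SAMPLE_LSOF).items():
        print(f"{key}: {', '.join(names)}")
```

On a real machine the same comparison only covers the Application Firewall layer; as the quoted note says, a packet already dropped by ipfw never reaches it.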
    • Re:As usual, other considerations... by giminy (Score:1) Thursday November 15, @05:40PM
    • by liquidpele (663430) on Thursday November 15, @05:40PM (#21371399)
      (http://sitetheory.com/ | Last Journal: Friday October 24 2003, @10:59AM)
      Damn. That's one hell of a first post.
      Is there even anything left to say?
    • Re:As usual, other considerations... by djh101010 (Score:3) Thursday November 15, @05:41PM
    • Re:As usual, other considerations... (Score:5, Insightful)

      by Rodyland (947093) on Thursday November 15, @05:45PM (#21371485)
      Let me first say that I get what you're saying, and I can understand where Apple are coming from....


      But... can anyone here honestly say that if you took the entire story about the 'dodgy' firewall and replaced Apple with Microsoft that there wouldn't be people literally screaming themselves blue in the face about how insecure MS is _by_design_?

      Seriously, if an MS-shipped firewall decided (without telling you) that 'block all incoming connections' really meant 'block all incoming connections except for MSN Messenger and oh, I don't know, maybe Media Player', would you be making excuses about how it was really necessary and understandable to deliver the "Microsoft Experience(TM)"?

      No, I didn't think so either.


      Yes, Apple should be applauded for recognising a problem in their software, as well as a problem in the way their software presents itself, and fixing it.

      But they should not be forgiven for creating the problem in the first place because their hearts were in the right place. That kind of thinking leads to bad places.

      • Re:As usual, other considerations... by geekoid (Score:3) Thursday November 15, @05:59PM
      • Re:As usual, other considerations... by dave562 (Score:3) Thursday November 15, @06:02PM
        • Re:As usual, other considerations... (Score:4, Insightful)

          by 99BottlesOfBeerInMyF (813746) on Thursday November 15, @06:41PM (#21372127)

          Microsoft wanted to make their software appear user friendly and easy to use. They went ahead and created ActiveX and in numerous places like with network shares, setup the default permissions so that everyone could use it.

          There is a significant difference between Apple's firewall settings and MS's use of DirectX. Apple changed the way the firewall worked to be application level and sandboxed the services that it let by the firewall. Unfortunately they misleadingly labeled that setting. When users tested it, they became upset. Apple needs to keep customers happy in order to make money, so they changed it to conform to what customers wanted. It is good business and the way the market is supposed to work. Apple wants to make money, so acting out of what could be called avarice, they give users what they want.

          Microsoft has monopoly influence in the desktop OS market as well as a few other markets. They included ActiveX partly to motivate sales, but also partly to try to make Web applications tied to their monopoly to lock in customers and help leverage that OS monopoly into a Web monopoly and into the online media and services markets. It makes them a lot of money, even if it brings negative consequences to users. Users don't want to be locked in making migrations and cross-platform tools hard. Users don't gain benefit from MS taking over other markets. Because MS has a monopoly, however, it doesn't matter what users want. Since they don't have to keep users happy, MS has literally no financial motivation to fix the security problems ActiveX creates and they have significant financial motivation to not fix it.

          On a very basic level, a monopolist will almost always be worse at innovating and giving users what they want than a company competing in a healthy market. The #1 best way I can think of to fix all of Windows' security problems is to break up MS. Split the company into two new companies, forbid them from any non-public communication or collusion, and give both the rights to all the code, copyrights, trademarks, and patents in Windows. Users want security and both will start making real improvements since otherwise the other will be getting the money from consumers. It is my firm belief that until MS's monopoly is broken one way or another, MS will never be able to compete with Apple or Linux when it comes to security. They just aren't motivated.

          • Re:As usual, other considerations... by Anonymous Coward (Score:3) Thursday November 15, @07:20PM
          • Re:As usual, other considerations... (Score:5, Insightful)

            by dave562 (969951) on Thursday November 15, @08:05PM (#21372905)
            Were you actively using computers when ActiveX was introduced? Were you involved in doing any web development? On one hand you can go on and on about how Microsoft leveraged their monopoly to get into the web arena. I will agree with you there. Perhaps you can realize that at the time that Microsoft introduced ActiveX, there weren't any other technologies out there that allowed the content delivery and functionality with the ease that ActiveX and IE did. It was a big fat security hole and no one in their right mind will argue against that. However the reason that they rolled it out was to enable developers to target web users with applications. I'd say they were right on the money with the need for that. They went ahead and picked ease of use over security to allow app developers to develop web content. We all know how that worked out with regard to malware. You can't argue that it didn't allow content developers to get their content out there... even if 85% of it was unwanted. ;)

            I disagree that Microsoft doesn't have any financial motivation to fix the problems in ActiveX and their various technologies. Take a look at IE7. Where are all the ActiveX exploits that target IE7? Microsoft has a HUGE installed userbase that depends on IE/IIS and Visual Studio for development. They have a huge incentive to keep that cash cow secure.

            From real world experience, I can tell you that Microsoft does just fine with security. I have hands on experience with literally thousands of desktops and hundreds of servers running 2000/XP/2003 and zero security incidents. With good firewalls, security policies, group policies, WSUS, AV, etc. it is possible to secure Microsoft networks. You just have to know what you are doing and stay abreast of the latest developments. It also helps if you use some open source tools like Snort, nmap and the like to keep an eye on what is going on behind the scenes.

            The original point of my first post still stands though. As Apple moves forward, they are going to have to face the same challenges that Microsoft faced... balancing the user expectation of an easy to use interface and "it just works" mentality with security needs.

          • Re:As usual, other considerations... by dave562 (Score:2) Friday November 16, @02:42PM
          • Re:As usual, other considerations... by Em Adespoton (Score:2) Friday November 16, @03:37PM
          • Re:As usual, other considerations... (Score:5, Insightful)

            by 99BottlesOfBeerInMyF (813746) on Thursday November 15, @09:49PM (#21373849)

            The people who think that Microsoft is less secure than Apple or Linux don't really know security or the security market well at all. They simply have formed an opinion by listening to fanboys, advertisements and the uninformed.

            Well, I've been working at a network security company for the last four years and have been reading detailed weekly reports for internal consumption, written by well regarded professionals. What, exactly is your expertise?

            The average linux / apple system in production is no more secure than the average microsoft system ---- in reality they BOTH have tons of vulnerabilities.

            Everything has vulnerabilities. Linux and OS X boxes have fewer, exposed for shorter periods of time, and less regularly exploited, especially in an automated fashion.

            IF (and that's a BIG if) a linux system is configured properly, including SE Linux...

            You did note that the new version of OS X ships with a MAC ported from SELinux and comes with all the services exposed by default preconfigured to run in sandboxes. And because it is included by default, unlike Linux distros, applications developed from now on can count on it and come preconfigured as well.

            ...they are ALL just as vulnerable to directed attacks.

            No, they're not, because default Linux and OS X installs have fewer exposed services and fewer known, unfixed vulnerabilities at any given point. Aside from that, most exploits are not directed, but automated and Windows is vastly more exposed to those attacks.

            People who buy MAC / Linux for the 'security benefits' are simply deluding themselves into thinking they've improved anything.

            Please. The numbers belie your assertion. The average user, simply buying a Mac significantly reduces their risk of having their machine compromised.

            There IS a place for Linux in the corporate world. There is also a place for Microsoft. I'm not so sure about Apple ---

            Interested in finding Apple's place? Go to BlackHat, or DefCon, or one of the other big security conferences in the next year. When there, take a quick count of how many Mac laptops you see in use among security experts. It was upwards of 50% at the last one I went to, and it was a private conference for security experts at tier 1 network operators. Why do you suppose that is, because all those security experts are idiots and just not as brilliant as you are?

      • Re:As usual, other considerations... (Score:4, Insightful)

        by 99BottlesOfBeerInMyF (813746) on Thursday November 15, @06:24PM (#21371905)

        But... can anyone here honestly say that if you took the entire story about the 'dodgy' firewall and replaced Apple with Microsoft that there wouldn't be people literally screaming themselves blue in the face about how insecure MS is _by_design_?

        Umm, people were screaming themselves blue about how Apple's firewall was broken or fundamentally flawed or misleading. There were dozens of articles about it and hundreds of postings in discussion groups.

        The difference between Apple and MS (or for that matter Linux developers and MS) is that Apple does not have a monopoly so they actually have to listen to their users and make changes to make them happy. They very quickly made sensible changes to make it clearer how the firewall behaves and addressed pretty much everyone's concerns, even those of people who really didn't know what they were talking about.

        But they should not be forgiven for creating the problem in the first place because their hearts were in the right place. That kind of thinking leads to bad places.

        Security is a journey not a destination. Security is about trying to allow users to do what they want while stopping things they don't want from happening. There will always be security holes and room for improvement. Concentrating on mistakes made by any vendor is counter productive. So long as the vendor responds and fixes the problem and takes a responsible attitude, they're doing fine by me.

      • Re:As usual, other considerations... by nine-times (Score:2) Thursday November 15, @06:46PM
      • Re:As usual, other considerations... by OldSoldier (Score:1) Thursday November 15, @07:11PM
      • Re:As usual, other considerations... by GaryPatterson (Score:2) Thursday November 15, @07:53PM
      • People are far more critical of Apple than of MS by LKM (Score:2) Friday November 16, @04:49AM
      • Re:As usual, other considerations... by -Bacon- (Score:2) Friday November 16, @01:49PM
    • Re:As usual, other considerations... by rmerry72 (Score:2) Thursday November 15, @06:09PM
    • Nice. by mattgreen (Score:1) Thursday November 15, @06:10PM
      • Re:Nice. by peragrin (Score:2) Thursday November 15, @06:36PM
      • Re:Nice. by WinterSolstice (Score:3) Thursday November 15, @06:52PM
    • Re:As usual, other considerations... by yo_tuco (Score:2) Thursday November 15, @06:39PM
      • Re:As usual, other considerations... by 99BottlesOfBeerInMyF (Score:2) Thursday November 15, @06:54PM
        • Re:As usual, other considerations... by yo_tuco (Score:2) Thursday November 15, @07:15PM
          • Re:As usual, other considerations... (Score:5, Insightful)

            by 99BottlesOfBeerInMyF (813746) on Thursday November 15, @07:37PM (#21372639)

            The scenario has you in a hostile environment. It is untrusted. You shouldn't want to expose anything except the bare minimum.

            Funny. Technically, I don't need to use the Web at all in coffee shops, so by your argument I should block all traffic. On the other hand, I prefer my computer to be functional, when that functionality does not pose a significant security risk. Guess what, I also have SSH enabled for access, even though I only need to access it occasionally. The service I originally referred to (Bonjour) is unlikely to pose a security risk, especially since in addition to finding an exploit in it, an attacker would have to find an exploit in the Mandatory Access Control sandbox OS X runs it in by default. I'm a lot more likely to be exploited by an attack on my Mail.app than by an attack on Bonjour. Do you also advocate that I do not check my e-mail while at the coffee shop?

            Save the "nice" services for when you are on a trusted network.

            Screw that. Half the benefit of Bonjour enabled chatting is that I can easily talk to people I don't have in my "buddy" list while at conferences and coffee shops. Sacrificing function out of unjustified fear is not my cup of tea.

            I don't want 3rd party.

            Umm, okay, then don't use it. Good luck finding a capable first party GUI firewall configuration tool on a platform that is not riddled with security holes.

            Honestly, it sounds to me like you're looking for something to complain about. I really wish people with your sort of an attitude on security would revisit your basic assumptions. Security is about allowing users to do what they want with a system, and prevent things they don't want from happening, especially without their permission. Reducing functionality just means users turn off security features or move to a system where they have more functionality. If I had a dollar for every time I've seen someone at a LAN party shut off their firewall completely because it was restricting something they wanted to do and was too hard to enable just that application/behavior... well, I'd have enough cash to buy a good steak and some scotch anyway.

        • Re:As usual, other considerations... by chibimagic (Score:1) Friday November 16, @07:06PM
      • Re:As usual, other considerations... by Lars T. (Score:2) Thursday November 15, @08:51PM
    • Re:As usual, other considerations... by dindae (Score:1) Thursday November 15, @10:58PM
    • Re:As usual, other considerations... by cthulhu11 (Score:1) Saturday November 17, @08:31PM
    • Re:As usual, other considerations... by hobbit (Score:1) Thursday November 22, @10:39AM
    • Re:As usual, other considerations... by rdoger6424 (Score:1) Thursday November 15, @11:20PM
  • Does it move files correctly? (Score:3, Informative)

    by Hatta (162192) on Thursday November 15, @05:48PM (#21371519)
    (Last Journal: Monday November 28 2005, @12:21PM)
    My biggest concern about Leopard is the bug which causes it to delete files you're moving if the destination becomes unavailable. They forgot to put in a check to see whether the move completed correctly. So it just deletes them whether it finished or not. Is this behavior fixed with this update?
  • Skype vs. the Leopard firewall! (Score:3, Informative)

    by Ford Prefect (8777) on Thursday November 15, @05:52PM (#21371551)
    (http://www.hylobatidae.org/minerva/)
    A rather entertaining issue - if you have the firewall enabled and run Skype then quit it, then Skype gets horribly broken [itwire.com], and doesn't start again. Nobody can decide if it's Leopard cryptographically signing (and modifying) the Skype executable and tripping up Skype's own excessive intrusion detection, or Skype modifying its own executable and tripping up Leopard's checks that it's the same application being allowed access to the interweb. I suspect it's the former - as older installations of Skype got killed on my two recently upgraded machines in that way.

    I had to re-download and install Skype, and now I have to run it with the firewall switched off. Pending a fixed Skype in 'a few weeks' [skype.com]. Aaaargh...

    Time Machine doesn't work on my old-fashioned partitioned external hard disk (half is an NTFS partition for Windows backups...), the Leopard installer initially wouldn't detect my MacBook Pro's own hard disk, and my iMac got nearly deaded [apple.com] by the upgrade (fortunately I had SSH enabled, and was able to get in and run Software Update from the command line, and thus could install the important iMac updates). Oh, and it's all a little bit crashy. It's nearly fantastic - apart from those issues... ;-)
  • "macosux" ... ? (Score:5, Funny)

    by dal20402 (895630) * <dal20402@maCOFFEEc.com minus caffeine> on Thursday November 15, @06:09PM (#21371747)
    (Last Journal: Tuesday May 29, @09:14PM)

    Wow. Our lovely tag trolls have been forced to go all the way back to 1986.

    I remember the endless "macs sux" ... "dos sux" ... repeat ad nauseam flamefests on BBSes. Evidently nothing has changed since we were all 8 and had nothing better to do than keep our parents from using the phone.

    Seriously, people, if you don't want to hear about Mac OS X, is it really that hard to turn off the Apple stories in your /. preferences?

  • modes (Score:3, Interesting)

    by Anonymous Coward on Thursday November 15, @06:17PM (#21371837)
    In all honesty, why don't integrated firewalls have a basic/advanced settings mode?
    Basic is ideal for most folks, but if you're so inclined just click on the advanced tab and not only have more configuration options but also a thorough, detailed explanation of what the firewall is actually doing.

    That'd be a great feature.
  • Slightly Disingenuous Summary (Score:5, Informative)

    by ickoonite (639305) on Thursday November 15, @06:25PM (#21371915)
    (http://garethpotter.com/)
    The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities.

    Yes, that was an update for Mac OS X 10.4. This patch is for Mac OS X 10.5. The two are essentially unrelated, so trying to imply that this represents some kind of patch frenzy is at least a little disingenuous.

    :|
  • Misleading! (Score:3, Informative)

    by ducasi (106725) on Thursday November 15, @06:26PM (#21371933)
    (Last Journal: Thursday February 21 2002, @09:22AM)
    The article blurb is misleading - the "41 security fixes" released in the Mac OS X update was part of 10.4.11.

    The three issues in the 10.5 firewall were the only security fixes for 10.5.

  • maybe not (Score:2)

    by pbjones (315127) on Thursday November 15, @06:31PM (#21372011)
    the flawed firewall application is just a GUI app for a standard UN*X firewall, so the firewall wasn't flawed, just the settings and GUI for the settings.
    • Re:maybe not by 99BottlesOfBeerInMyF (Score:3) Thursday November 15, @07:11PM
    • Re:maybe not by Lars T. (Score:2) Thursday November 15, @09:24PM
  • Oxymoron (Score:2, Insightful)

    by osu-neko (2604) on Thursday November 15, @06:53PM (#21372245)

    Hopefully you can just turn the bloody thing off.

    "Software firewall" is an oxymoron. A firewall is a physical box that sits between two networks, filtering the exchange of information between them.

    For those of us who actually have firewalls, having the operating system muck things up with a "software firewall" is just a nuisance. For those who don't, it's a false and dangerous sense of security.

  • by gsfprez (27403) on Thursday November 15, @07:12PM (#21372419)
    first of all - i do not subscribe to the concept that the only secure computer is the one that's turned off, unplugged, and not getting data. That's retarded. A box firewalled to the point where nothing can come in or out might as well not be plugged in.

    now - i 100% agree that if it says "everything closed" it damn well better be.

    But it's still comforting to know that despite the legitimate problem - there was not galaxy-wide pandemonium as all the Macs running 10.5 cried out in terror. In fact, there were no problems at all.

    In other words - just business as usual on the Mac front.
  • by Paul Pierce (739303) on Thursday November 15, @07:26PM (#21372539)
    (http://paulpi3rce.blogspot.com/)
    In Tiger I had a bunch of drop-down options, like, say, hmmm, 'selection only' or say, duplex. This is entirely gone in Leopard for the printers that I have tried (i.e. HP 4050).

    There is an app online that can do this for you, but it seems to only be for native programs (Safari, mail, etc...). Is it just me or should those options be built into the OS?

    Everything else on Leopard has been very impressive, most of all it sped my computer up. Everything is faster, which I find very impressive for a new OS (ahem, buy-a-new-computer-4-me Vista).
  • I upgraded from Tiger to Leopard last week and love it, except that I can no longer use IPv6. I've triple-checked my router, address, and prefix length manual settings and they're all correct. I just can't get out of the machine at all:

    $ ping6 www.kame.net
    ping6: nodename nor servname provided, or not known
    $ ping6 2001:200:0:8002:203:47ff:fea5:3085
    ping6: UDP connect: No route to host
    $ ifconfig -a | grep inet6
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet6 ::1 prefixlen 128

    Even though I have an address and router set up, it doesn't seem to be actually configuring any interfaces to use them. Another machine on the same network has no trouble:

    $ ping6 www.kame.net
    16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=0 hlim=55 time=207.462 ms
    16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=1 hlim=55 time=206.939 ms
    16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=2 hlim=54 time=339.163 ms

    Even our old CRT iMac running Tiger works perfectly. Is anyone else successfully using IPv6 on Leopard? Is there some new gotcha that everyone but me knows about?

  • But.... (Score:1)

    by madbawa (929673) on Friday November 16, @12:09AM (#21374925)
    (Last Journal: Tuesday September 05 2006, @02:49AM)
    ..if they fix the spots, then is it still a leopard?
  • by kshade (914666) on Friday November 16, @05:22AM (#21376483)
    Here's the official English translation: http://www.heise-security.co.uk/articles/98120 [heise-security.co.uk]
  • However as a user who has only recently added an OS X machine to his collection I have to ask.

    Are these fixes part of the automatic updates that come down and require a restart? If so how can I see what was added to my system? With Windows Update (at least under XP) I could pick and choose what I wanted, see everything they wanted me to install, but I haven't found that in my Mac.

    If I do software update all I ever see to get is a new version of iTunes and Quicktime. So pardon the confusion.
  • The new, updated documentation for the firewall in 10.5.1 now contradicts what the firewall presents to the user: http://tinyurl.com/2a6bcg [tinyurl.com]
  • by madsheep (984404) on Friday November 16, @09:42AM (#21378529)
    (http://www.securityzone.org/)
    [+] security, apple, macosx, securitythroughobscurity, leopard (tagging beta)

    It seems to be missing the defectivebydesign tag that everyone likes to throw around. :)

    P.S. I'm using OS X right now (not Leopard though).
  • 802.1X still broken (Score:2, Interesting)

    by Greatmoose (896405) on Friday November 16, @10:59AM (#21379587)
    (Last Journal: Wednesday November 14, @03:51PM)
    10.5.1 (revised) is out, and 802.1x is STILL broken. The really scary part is when we talk with the Apple reps and system engineers, they uniformly tell us that "we don't know a whole lot about 802.1x." Ummm, what? You've had 802.1x since 10.3. I won't even go into how long MS has had 802.1x compatibility. C'mon Apple, FIX YOUR SHIT!
  • by FreakboyJones (893119) on Friday November 16, @11:51AM (#21380303)
    After installing the update, X11.app will not start. I filed a bug report. Has anyone else seen this?
  • huh? (Score:1)

    by rice_burners_suck (243660) on Saturday November 17, @02:34PM (#21391609)
    (Last Journal: Sunday November 04, @03:38AM)
    duh, they fixed it. This story is old news. In an update released last night (or at least that's when I got it), the cottonpickin' firewall tab says, "Allow only essential services," instead of "Disallow all" or however it was worded before. It would be cool, however, if there were an additional "disallow ALL incoming and outgoing connections," meaning that it would accomplish the same thing as unplugging your ethernet cable and turning off Airport. I can't imagine why in the world such a thing would actually be useful, though. If you need a totally disconnected system, install VMware, drop in a Linux virtual machine, and tell VMware to make it have no connection to the outside world.
  • Why is that a Troll? I am generally curious if Apple claimed that their firewall can block all incoming connections. I would think since Ellison's famous comment regarding Oracle as being 'hacker proof' large companies would shy away from absolutes like that.

    Of course, I have read the posts and understand it is a poor description in the gui.

    I am still at a loss as to being marked troll. Sometimes I may not come across the way I intended online, but I can't figure out how that can be interpreted as a troll.
