Apple Fixes 'Misleading' Leopard Firewall Settings
4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."
As usual, other considerations... (Score:5, Informative)
They won't be able to answer that any more than they know what to pick on the Firewall preferences screen.
So what Apple does is a little bit of deciding for the user what makes sense. The first step was going to an intelligent application level firewall that makes it a lot more functional and easier to use. The next was making some policies that allow services Apple considers "essential" to the whole Mac OS X user experience. And like it or not, Bonjour is an integral part of that.
Anyone who knows enough to know, for certain, that they don't want, e.g., Bonjour open, also knows how to use any of a number of free or commercial commandline or graphical options to set up ipfw or other network level protections any way they wish. That's the bottom line: anyone who knows enough to "know" they "really" want to disable all incoming connections can still easily do so.
This is about making security easy for typical, average users, while still keeping things that make the Mac experience "just work".
Now, I *do* wish that Apple had one more option: Block *everything*, but explain, hey, this is going to break some things like Bonjour, etc., so be SURE that you want to do this, and don't complain if all of a sudden your AppleTV syncing and iTunes sharing and automatic local machine discovery no longer work.
Apple describes all of this very explicitly here [apple.com]:
The 10.5.0 Application Firewall blocked all but:
Processes that are running as UID 0
mDNSResponder
The 10.5.1 Application Firewall blocks all but:
configd, which implements DHCP and other network configuration services
mDNSResponder, which implements Bonjour
racoon, which implements IPSec
So, while I haven't extensively tested yet, it does NOT appear to allow UID 0 processes, but rather only the above processes.
And from here [apple.com]:
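To make the exemption list above concrete, here is a small audit script that reads the output of `lsof -nP -iTCP -sTCP:LISTEN -iUDP` and reports which listening sockets would still be reachable from the network with "Block all incoming connections" selected, under either the 10.5.0 rule (UID 0 processes plus mDNSResponder) or the 10.5.1 rule (configd, mDNSResponder, racoon). This is an added example, not Apple's code or anything posted in the thread; the lsof lines are constructed for illustration, the `lsof` column layout and the exempt-process names are the only assumptions, and it treats the `USER` column reading `root` as UID 0.

```python
"""Audit listening sockets against Leopard's "Block all incoming connections".

Added example; not Apple's code. Assumes the exemption lists quoted from
Apple's article (10.5.0: UID 0 processes + mDNSResponder; 10.5.1: configd,
mDNSResponder, racoon) and the column layout of
`lsof -nP -iTCP -sTCP:LISTEN -iUDP`. The sample below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Exempt process names for 10.5.1, per the Apple article quoted above.
EXEMPT_10_5_1 = frozenset({"configd", "mDNSResponder", "racoon"})

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN -iUDP` output (not a real capture).
SAMPLE_LSOF = """\
COMMAND       PID  USER           FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd         1  root           10u  IPv4 0x1234      0t0  TCP *:22 (LISTEN)
mDNSResponder  21  _mdnsresponder  7u  IPv4 0x2345      0t0  UDP *:5353
configd        32  root            4u  IPv4 0x3456      0t0  UDP *:68
racoon         40  root            5u  IPv4 0x4567      0t0  UDP *:500
cupsd          55  root            6u  IPv6 0x5678      0t0  TCP [::1]:631 (LISTEN)
Skype         301  alice          30u  IPv4 0x6789      0t0  TCP *:41337 (LISTEN)
Skype         301  alice          31u  IPv4 0x789a      0t0  UDP *:41337
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str  # "TCP" or "UDP"
    addr: str   # bind address; "*" means every interface
    port: int


# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; trailing "(LISTEN)" is ignored.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)"
)


def parse_lsof(text: str) -> list[Listener]:
    """Parse lsof lines into Listener records; the header and odd lines are skipped."""
    out: list[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("name").rsplit(":", 1)  # "[::1]:631" -> "[::1]", "631"
        out.append(Listener(m.group("cmd"), int(m.group("pid")), m.group("user"),
                            m.group("proto"), addr, int(port)))
    return out


def is_loopback(addr: str) -> bool:
    return addr in ("127.0.0.1", "[::1]", "localhost")


def reachable_under_block_all(l: Listener, version: str = "10.5.1") -> bool:
    """True if unsolicited inbound traffic still reaches this socket with
    "Block all incoming connections" on, under the given Leopard version's rule."""
    if is_loopback(l.addr):
        return False  # never reachable from the network regardless of the firewall
    if version == "10.5.0":
        # 10.5.0 exempted every UID 0 process plus mDNSResponder (assumes USER "root" == UID 0).
        return l.user == "root" or l.command == "mDNSResponder"
    return l.command in EXEMPT_10_5_1


def audit(text: str, version: str = "10.5.1") -> dict[str, list[str]]:
    """Bucket each listener as reachable / blocked / loopback_only for the version."""
    report: dict[str, list[str]] = {"reachable": [], "blocked": [], "loopback_only": []}
    for l in parse_lsof(text):
        label = f"{l.command}[{l.pid}] {l.proto}/{l.port} as {l.user}"
        if is_loopback(l.addr):
            report["loopback_only"].append(label)
        elif reachable_under_block_all(l, version):
            report["reachable"].append(label)
        else:
            report["blocked"].append(label)
    return report


if __name__ == "__main__":
    for v in ("10.5.0", "10.5.1"):
        print(f"== Block all incoming connections, {v} ==")
        for bucket, items in audit(SAMPLE_LSOF, v).items():
            for item in items:
                print(f"  {bucket:13s} {item}")
```

On a real machine, pipe `lsof -nP -iTCP -sTCP:LISTEN -iUDP` into `audit()` instead of the sample. The interesting difference shows up on the sshd listener owned by launchd: under the 10.5.0 rule it is root and therefore exempt, under 10.5.1 it is blocked, while the three named daemons stay reachable in both. Anything that binds only to loopback is reported separately, since no firewall setting changes its exposure.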
Re:As usual, other considerations... (Score:5, Informative)
Does it move files correctly? (Score:3, Informative)
Skype vs. the Leopard firewall! (Score:3, Informative)
I had to re-download and install Skype, and now I have to run it with the firewall switched off. Pending a fixed Skype in 'a few weeks' [skype.com]. Aaaargh...
Time Machine doesn't work on my old-fashioned partitioned external hard disk (half is an NTFS partition for Windows backups...), the Leopard installer initially wouldn't detect my MacBook Pro's own hard disk, and my iMac got nearly deaded [apple.com] by the upgrade (fortunately I had SSH enabled, and was able to get in and run Software Update from the command line, and thus could install the important iMac updates). Oh, and it's all a little bit crashy. It's nearly fantastic - apart from those issues...
Haven't tested, but the notes said yes. (Score:5, Informative)
http://docs.info.apple.com/article.html?artnum=306907 [apple.com]
- Addresses a potential data loss issue when moving files across partitions in the Finder.
Re:Does it move files correctly? (Score:2, Informative)
It's listed under System and Finder.
Re:As usual, other considerations... (Score:4, Informative)
I admit in my original post my words were inaccurate.
I meant something more like "forgive, but don't forget". Also more like I said in my reply to your reply.
Again, apologies for inaccurate and/or argumentative tone.
Slightly Disingenuous Summary (Score:5, Informative)
Yes, that was an update for Mac OS X 10.4. This patch is for Mac OS X 10.5. The two are essentially unrelated, so trying to imply that this represents some kind of patch frenzy is at least a little disingenuous.
Misleading! (Score:3, Informative)
The three issues in the 10.5 firewall were the only security fixes for 10.5.
Re:Does it move files correctly? (Score:3, Informative)
The multi-button mouse comes from Xerox: Smalltalk, Interlisp-D, and the Xerox Star office system.
Re:So don't use the firewall. (Score:3, Informative)
Not all Unix systems. cf. OS X 10.5, which is a certified Unix.
A computer system with no open ports is just as secure whether it's firewalled or not.
Probably true on a modern system, but not a completely accurate statement. If there are flaws in the TCP stack, it doesn't matter if something's listening or not when a maliciously constructed packet blows things up before the "is something listening here" logic is hit.
Re:Now they need to fix the Printing options (Score:3, Informative)
Re:OT: IPv6 still isn't working for me. (Score:1, Informative)
Re:Really really dumb OS X question here (Score:3, Informative)
You can manually start an update: [Apple-Menu]->Software Update
To see which updates have been installed, open
In some cases, you can re-install an update by
1) removing the corresponding "package" at
2) running Software Update again, which should list the offending/removed update.