
Apple Fixes 'Misleading' Leopard Firewall Settings

4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."
  • by daveschroeder ( 516195 ) * on Thursday November 15, 2007 @06:24PM (#21371211)
    Apple's "everything just works" niceties depend on things like Bonjour, in particular, being able to be accessed, and most users would end up selecting "Block all incoming collections" when making a firewall choice, because they won't really understand anything else...and "more" is "better", right? So blocking all must mean I'm super secure! Firewall good! Hacker bad! ...Except that now when I get my AppleTV and buy my son or daughter an iMac and expect to be able to do all the cool stuff that doesn't require any configuration and "just works"...nothing works. Why doesn't it work?

    They won't be able to answer that any more than they know what to pick on the Firewall preferences screen.

    So what Apple does is a little bit of deciding for the user what makes sense. The first step was going to an intelligent application level firewall that makes it a lot more functional and easier to use. The next was making some policies that allow services Apple considers "essential" to the whole Mac OS X user experience. And like it or not, Bonjour is an integral part of that.

    Anyone who knows enough to know, for certain, that they don't want, e.g., Bonjour open, also knows how to use any of a number of free or commercial commandline or graphical options to set up ipfw or other network level protections any way they wish. That's the bottom line: anyone who knows enough to "know" they "really" want to disable all incoming connections can still easily do so.

    This is about making security easy for typical, average users, while still keeping things that make the Mac experience "just work".

    Now, I *do* wish that Apple had one more option: Block *everything*, but explain, hey, this is going to break some things like Bonjour, etc., so be SURE that you want to do this, and don't complain if all of a sudden your AppleTV syncing and iTunes sharing and automatic local machine discovery no longer work.

    Apple describes all of this very explicitly here [apple.com]:

    The 10.5.0 Application Firewall blocked all but:

    Processes that are running as UID 0
    mDNSResponder

    The 10.5.1 Application Firewall blocks all but:

    configd, which implements DHCP and other network configuration services
    mDNSResponder, which implements Bonjour
    racoon, which implements IPSec

    So, while I haven't extensively tested yet, it does NOT appear to allow UID 0 processes, but rather only the above processes.

    And from here [apple.com]:

    CVE-ID: CVE-2007-4702

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: The "Block all incoming connections" setting for the firewall is misleading

    Description: The "Block all incoming connections" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services. This update addresses the issue by more accurately describing the option as "Allow only essential services", and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services: configd (for DHCP and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec). The "Help" content for the Application Firewall is also updated to provide further information. This issue does not affect systems prior to Mac OS X v10.5.

    CVE-ID: CVE-2007-4703

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: Processes running as user "root" (UID 0) cannot be blocked when the firewall is set to "Set access for specific services and applications"
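The Apple text quoted above gives two different admission rules for the firewall's most restrictive setting: 10.5.0 let through mDNSResponder plus any UID 0 process, while 10.5.1 admits only configd, mDNSResponder and racoon. A defender checking a Leopard box wants to know which of its actual listening sockets each rule would have passed. The script below is an added example, not Apple's code or anything from the comment; it parses the output of `lsof -i -P -n +c 0` (the `+c 0` option widens the COMMAND column so names like mDNSResponder are not truncated) and reports the listeners admitted under each rule. The lsof output embedded in it is constructed for the example, and it uses the printed user name "root" as a stand-in for UID 0, which misses any other UID 0 account.

```python
"""Audit listening sockets against the two Leopard firewall admission rules.

Constructed sample input: the SAMPLE_LSOF text below is made up for this
example, not captured from a real machine.  Column layout follows
`lsof -i -P -n +c 0`: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
"""
from __future__ import annotations

from dataclasses import dataclass

# 10.5.1 "Allow only essential services" allowlist, as quoted from Apple above.
ESSENTIAL_10_5_1 = frozenset({"configd", "mDNSResponder", "racoon"})

SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
configd 41 root 7u IPv4 0x0 0t0 UDP *:68
mDNSResponder 30 _mdnsresponder 6u IPv4 0x0 0t0 UDP *:5353
racoon 60 root 8u IPv4 0x0 0t0 UDP *:500
sshd 120 root 3u IPv4 0x0 0t0 TCP *:22 (LISTEN)
python2.5 555 dave 4u IPv4 0x0 0t0 TCP *:8000 (LISTEN)
Safari 600 dave 9u IPv4 0x0 0t0 TCP 10.0.1.2:49152->72.14.207.99:80 (ESTABLISHED)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    proto: str
    address: str


def parse_lsof(text: str) -> list[Listener]:
    """Return only sockets that can accept inbound traffic: TCP sockets in
    LISTEN state and unconnected UDP sockets."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 9:
            continue
        command, pid, user, proto = parts[0], int(parts[1]), parts[2], parts[7]
        name = " ".join(parts[8:])
        if proto == "TCP" and not name.endswith("(LISTEN)"):
            continue  # outbound or established connection, not exposure
        if proto == "UDP" and "->" in name:
            continue  # connected UDP socket
        address = name.replace(" (LISTEN)", "")
        listeners.append(Listener(command, pid, user, proto, address))
    return listeners


def admitted_10_5_1(listeners: list[Listener]) -> list[Listener]:
    """Fixed allowlist of three system services."""
    return [l for l in listeners if l.command in ESSENTIAL_10_5_1]


def admitted_10_5_0(listeners: list[Listener]) -> list[Listener]:
    """Original 'Block all incoming connections' rule (CVE-2007-4702):
    any UID 0 process, plus mDNSResponder.  'root' stands in for UID 0."""
    return [l for l in listeners if l.user == "root" or l.command == "mDNSResponder"]


def audit(text: str) -> dict[str, list[str]]:
    """Summarise which listening commands each rule admits."""
    listeners = parse_lsof(text)
    new = admitted_10_5_1(listeners)
    old = admitted_10_5_0(listeners)
    return {
        "admitted_10_5_1": [l.command for l in new],
        "admitted_10_5_0": [l.command for l in old],
        # reachable under 10.5.0 semantics only because the process ran as root
        "exposed_only_by_10_5_0": [l.command for l in old if l not in new],
        # listeners the 10.5.1 setting would drop; useful to know before selecting it
        "outside_allowlist": [l.command for l in listeners if l.command not in ESSENTIAL_10_5_1],
    }


if __name__ == "__main__":
    for key, commands in audit(SAMPLE_LSOF).items():
        print(f"{key}: {', '.join(commands) or '(none)'}")
```

Run against real output (`lsof -i -P -n +c 0 | python3 audit.py` after replacing `SAMPLE_LSOF` with `sys.stdin.read()`), the `exposed_only_by_10_5_0` list is the set of root-owned listeners that the old "Block all" label hid, which is exactly the exposure the advisory describes. A socket in LISTEN state only shows what the process asked for; it does not prove the firewall delivers packets to it, so the script measures potential exposure, not observed reachability.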

  • by daveschroeder ( 516195 ) * on Thursday November 15, 2007 @06:41PM (#21371417)
    The * by my name means subscriber, which means I see the articles early, and have an opportunity to compose a reply before the article goes live.
  • by Hatta ( 162192 ) on Thursday November 15, 2007 @06:48PM (#21371519) Journal
    My biggest concern about Leopard is the bug which causes it to delete files you're moving if the destination becomes unavailable. They forgot to put in a check to see whether the move completed correctly. So it just deletes them whether it finished or not. Is this behavior fixed with this update?
  • by Ford Prefect ( 8777 ) on Thursday November 15, 2007 @06:52PM (#21371551) Homepage
    A rather entertaining issue - if you have the firewall enabled and run Skype then quit it, then Skype gets horribly broken [itwire.com], and doesn't start again. Nobody can decide if it's Leopard cryptographically signing (and modifying) the Skype executable and tripping up Skype's own excessive intrusion detection, or Skype modifying its own executable and tripping up Leopard's checks that it's the same application being allowed access to the interweb. I suspect it's the former - as older installations of Skype got killed on my two recently upgraded machines in that way.

    I had to re-download and install Skype, and now I have to run it with the firewall switched off. Pending a fixed Skype in 'a few weeks' [skype.com]. Aaaargh...

    Time Machine doesn't work on my old-fashioned partitioned external hard disk (half is an NTFS partition for Windows backups...), the Leopard installer initially wouldn't detect my MacBook Pro's own hard disk, and my iMac got nearly deaded [apple.com] by the upgrade (fortunately I had SSH enabled, and was able to get in and run Software Update from the command line, and thus could install the important iMac updates). Oh, and it's all a little bit crashy. It's nearly fantastic - apart from those issues... ;-)
  • by attemptedgoalie ( 634133 ) on Thursday November 15, 2007 @06:53PM (#21371573)

    http://docs.info.apple.com/article.html?artnum=306907 [apple.com]

    - Addresses a potential data loss issue when moving files across partitions in the Finder.
  • by slyn ( 1111419 ) <ozzietheowl@gmail.com> on Thursday November 15, 2007 @06:55PM (#21371585)
    Yes. [appleinsider.com]

    It's listed under System and Finder.
  • by Rodyland ( 947093 ) on Thursday November 15, 2007 @07:22PM (#21371875)
    Quick update before I get flamed, I re-read my original post and saw where I said they should not be forgiven. Seems I'm the one who should read their own posts.

    I admit in my original post my words were inaccurate.

    I meant something more like "forgive, but don't forget". Also more like I said in my reply to your reply.

    Again, apologies for inaccurate and/or argumentative tone.

  • by ickoonite ( 639305 ) on Thursday November 15, 2007 @07:25PM (#21371915) Homepage
    The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities.

    Yes, that was an update for Mac OS X 10.4. This patch is for Mac OS X 10.5. The two are essentially unrelated, so trying to imply that this represents some kind of patch frenzy is at least a little disingenuous.

    :|
  • Misleading! (Score:3, Informative)

    by ducasi ( 106725 ) on Thursday November 15, 2007 @07:26PM (#21371933) Journal
    The article blurb is misleading - the "41 security fixes" released in the Mac OS X update was part of 10.4.11.

    The three issues in the 10.5 firewall were the only security fixes for 10.5.

  • by argent ( 18001 ) <peter@slashdot . ... t a r o nga.com> on Thursday November 15, 2007 @07:32PM (#21372021) Homepage Journal
    Now you're making it sound like MacOS is copying Windows 3.1.

    The multi-button mouse comes from Xerox: Smalltalk, Interlisp-D, and the Xerox Star office system.
  • by sqlrob ( 173498 ) on Thursday November 15, 2007 @07:41PM (#21372117)
    The firewall is not an essential component on a UNIX system the way it is on Windows, because you can actually turn off all listening ports and go "dead" without having to firewall off internal services that can't run without a TCP port open.

    Not all Unix systems. cf. OS X 10.5, which is a certified Unix.

    A computer system with no open ports is just as secure whether it's firewalled or not.
    Probably true on a modern system, but not a completely accurate statement. If there are flaws in the TCP stack, it doesn't matter if something's listening or not when a maliciously constructed packet blows things up before the "is something listening here" logic is hit.
  • by Professor_UNIX ( 867045 ) on Thursday November 15, 2007 @09:05PM (#21372903)
    Those options are still there. When you "print" something and it brings up the window with the option to "Save as PDF", click the downward facing black on blue triangle right next to the printer name and it'll expand the window and give you all the other options like duplexing, color matching, paper handling and so on. To get those other options, select the drop-down box with the name of the application you're printing from after hitting the triangle and you'll see the rest of the options. At least, that's how it works on my Brother HL-1650N Laser Printer using IPP printing.
  • by EdSchouten ( 786365 ) on Friday November 16, 2007 @01:51AM (#21375193) Homepage
    Same problem here. The System Preferences tool doesn't really apply the IPv6 settings. Take a look at the ifconfig output in Terminal. Only lo0 has an IPv6 address.
  • by xiaodidi ( 678443 ) on Friday November 16, 2007 @10:04AM (#21378051)
    Updates by default are not automatic. You will be prompted to accept them or not. Also, "restart" updates (about 50% or less) are marked so. See under "System Preferences"->"Software Update".

    You can manually start an update: [Apple-Menu]->Software Update

    To see which updates have been installed, open /Applications/Utilities/Console, and look under Logs->Software Update.log

    In some cases, you can re-install an update by

    1) removing the corresponding "package" at /Library/Receipts/

    2) running Software Update again, which should list the offending/removed update.
