OS X Leopard Firewall Flawed

cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."

Re:Investigation flawed, more like

[mcrbids]

... so if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all... Perhaps Heise are just used to using Linux, where the firewall trumps all ? ... and there are good reasons why this is useful.

For example, if you want to allow a database connection from the local DMZ but not anywhere else, you want to allow the database to connect to the wild, wooly Internet, but only from the DMZ. If the mere fact that the database server is "trusted" allows it to pierce the firewall, this capability is severely mitigated.

As a thought experiment, how is this "firewall" really any better than no firewall at all? Other than the warm and fuzzy "I have a firewall" effect, what good does it do if it doesn't block connections to applications, and worse, doesn't even properly report this fact to you?

The one that really takes the cake:

Some programs have access through the firewall although they don't appear in the list. These might include system applications, services, and processes (for example, those running as "root").

So running an application as root alone is enough to render it open to the world? And it's not even properly reported as such? And you are OK with this? Glad to know that you aren't my security administrator...

You could argue that the 'Block all incoming connections' is badly worded

That's not all that I'd argue. This is a "let me know I'm safe" button. This is "Don't let anybody in" button. People will check it, and not bother to think about it any more. That this button has almost no actual effect on security is simply awful.

This is a problem - expect a hotfix soon.

But Macs *just work*

[Chas]

Whether you want them to or not.

Ho hum.

[stewbacca]

Call me when there is a serious threat to my Mac. Still don't see any viruses or malware 20+ years on now... With every new Apple product come the lowliest, most insecure, windows-using chumps with lame attempts like this thread to cast a bad light on Apple.