Apple Fixes 'Misleading' Leopard Firewall Settings
4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."
They won't be able to answer that any more than they know what to pick on the Firewall preferences screen.
So what Apple does is a little bit of deciding for the user what makes sense. The first step was going to an intelligent application level firewall that makes it a lot more functional and easier to use. The next was making some policies that allow services Apple considers "essential" to the whole Mac OS X user experience. And like it or not, Bonjour is an integral part of that.
Anyone who knows enough to know, for certain, that they don't want, e.g., Bonjour open, also knows how to use any of a number of free or commercial commandline or graphical options to set up ipfw or other network level protections any way they wish. That's the bottom line: anyone who knows enough to "know" they "really" want to disable all incoming connections can still easily do so.
This is about making security easy for typical, average users, while still keeping things that make the Mac experience "just work".
Now, I *do* wish that Apple had one more option: Block *everything*, but explain, hey, this is going to break some things like Bonjour, etc., so be SURE that you want to do this, and don't complain if all of a sudden your AppleTV syncing and iTunes sharing and automatic local machine discovery no longer work.
Apple describes all of this very explicitly here:
The 10.5.0 Application Firewall blocked all but:
- Processes that are running as UID 0
- mDNSResponder
The 10.5.1 Application Firewall blocks all but:
- configd, which implements DHCP and other network configuration services
- mDNSResponder, which implements Bonjour
- racoon, which implements IPSec
So, while I haven't extensively tested yet, it does NOT appear to allow UID 0 processes, but rather only the above processes.
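A quick way to check the claim above on a live machine is to compare what is actually listening against Apple's 10.5.1 allow list (configd, mDNSResponder, racoon) and report everything else. The script below is an added example, not from the thread or from Apple; it assumes lsof-style output (e.g. from `lsof -nP -i`) and runs here over a constructed sample rather than a real capture.

```shell
#!/bin/sh
# Added audit example: flag listeners that are not on the 10.5.1
# "essential services" allow list quoted in the thread. Any process
# reported here is one that the user-facing "block all incoming"
# setting does not, by Apple's own description, exempt.

# Allow list taken from Apple's 10.5.1 description quoted above.
ESSENTIAL="configd mDNSResponder racoon"

# Constructed sample in lsof format (COMMAND PID USER FD TYPE DEVICE
# SIZE/OFF NODE NAME); this is NOT captured output.
SAMPLE_LSOF='COMMAND       PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
configd        32   root    6u  IPv4 0x1234      0t0  UDP *:68
mDNSResponder  34 _mdnsresponder 7u IPv4 0x1235 0t0  UDP *:5353
racoon         60   root    5u  IPv4 0x1236      0t0  UDP *:500
nc           4242   fred    3u  IPv4 0x1237      0t0  TCP *:9999 (LISTEN)
sshd          101   root    3u  IPv6 0x1238      0t0  TCP *:22 (LISTEN)'

# is_essential NAME: succeeds when NAME is on the allow list.
is_essential() {
  for svc in $ESSENTIAL; do
    [ "$1" = "$svc" ] && return 0
  done
  return 1
}

# unexpected_listeners: reads lsof output on stdin, skips the header,
# prints "COMMAND USER NAME" for every listener not on the allow list.
unexpected_listeners() {
  tail -n +2 | while read -r cmd pid user fd type dev size node name rest; do
    [ -z "$cmd" ] && continue
    if ! is_essential "$cmd"; then
      printf '%s %s %s\n' "$cmd" "$user" "$name"
    fi
  done
}

# count_unexpected: number of flagged listeners on stdin.
count_unexpected() {
  unexpected_listeners | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: reports nc and sshd,
# i.e. a root-owned sshd is flagged just like the user's nc listener.
printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners
```

On a real machine, feed `lsof -nP -i` into `unexpected_listeners` instead of the sample; a flagged entry means the firewall setting alone is not what is protecting that port.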
And from here:
Hmm... "fessed up"? Funny way of putting it, considering that companies actually taking responsibility seems to be somewhat of a rarity. My first thought was, "hey, that's great, they're acknowledging the problem and will fix it". Compare this to your own likely experiences of finding companies turning the other cheek and ignoring issues. I realize every company does it at one time or another, but I'm glad to see this issue actually being addressed, and not swept under the rug like one might expect.
My biggest concern about Leopard is the bug which causes it to delete files you're moving if the destination becomes unavailable. They forgot to put in a check to see whether the move completed correctly. So it just deletes them whether it finished or not. Is this behavior fixed with this update?
Give me Classic Slashdot or give me death!
A rather entertaining issue - if you have the firewall enabled and run Skype then quit it, then Skype gets horribly broken, and doesn't start again. Nobody can decide if it's Leopard cryptographically signing (and modifying) the Skype executable and tripping up Skype's own excessive intrusion detection, or Skype modifying its own executable and tripping up Leopard's checks that it's the same application being allowed access to the interweb. I suspect it's the former - as older installations of Skype got killed on my two recently upgraded machines in that way.
;-)
I had to re-download and install Skype, and now I have to run it with the firewall switched off. Pending a fixed Skype in 'a few weeks'. Aaaargh...
Time Machine doesn't work on my old-fashioned partitioned external hard disk (half is an NTFS partition for Windows backups...), the Leopard installer initially wouldn't detect my MacBook Pro's own hard disk, and my iMac got nearly deaded by the upgrade (fortunately I had SSH enabled, and was able to get in and run Software Update from the command line, and thus could install the important iMac updates). Oh, and it's all a little bit crashy. It's nearly fantastic - apart from those issues...
Tedious Bloggy Stuff - hooray?
http://docs.info.apple.com/article.html?artnum=306907
- Addresses a potential data loss issue when moving files across partitions in the Finder.
My mom says I'm cool.
I had to re-download and install Skype, and now I have to run it with the firewall switched off.
The firewall is not an essential component on a UNIX system the way it is on Windows, because you can actually turn off all listening ports and go "dead" without having to firewall off internal services that can't run without a TCP port open.
A computer system with no open ports is just as secure whether it's firewalled or not.
Wow. Our lovely tag trolls have been forced to go all the way back to 1986.
I remember the endless "macs sux" ... "dos sux" ... repeat ad nauseam flamefests on BBSes. Evidently nothing has changed since we were all 8 and had nothing better to do than keep our parents from using the phone.
Seriously, people, if you don't want to hear about Mac OS X, is it really that hard to turn off the Apple stories in your /. preferences?
In all honesty, why don't integrated firewalls have a basic/advanced settings mode?
Basic is ideal for most folks, but if you're so inclined just click on the advanced tab and not only have more configuration options but also a thorough, detailed explanation of what the firewall is actually doing.
That'd be a great feature.
This one-button issue just seems to keep popping up and will not go away. The mouse that comes with an iMac actually has four buttons. One is the scroll ball, another is the combination of the two buttons on the sides (you squeeze the mouse). The two main buttons are on top, on either side of the scroll ball. It looks like one button, but both the left and right sides click independently. I think the perception that it only has one button not only comes from the appearance, but also the fact that the factory default setting has the right button set to function the same as the left button. You have to enable "right click" in General Preferences/Mouse. This is probably just Apple trying to make the mouse less confusing for novice users. So if you have only demo'd the mouse in a store, it was probably set to the default settings. Assignments for all the buttons can be changed.
...MS didn't label the firewall's default settings as 'Block all incoming connections', just 'On'. If you turn on 'Block all incoming connections', it does just that and everything from file sharing to basic network functions is crippled, as intended.
The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities.
:|
Yes, that was an update for Mac OS X 10.4. This patch is for Mac OS X 10.5. The two are essentially unrelated, so trying to imply that this represents some kind of patch frenzy is at least a little disingenuous.
it doesn't seem as though we should have to put up with any more of that, let alone a-hole year? maybe that, & the phoney 'weather' will be addressed in the upcoming 'lonesome al gore' answers yOUR questions interview here on /.? robbIE? you with us on that?
The article blurb is misleading - the "41 security fixes" released in the Mac OS X update was part of 10.4.11.
The three issues in the 10.5 firewall were the only security fixes for 10.5.
I'm posting anonymously, because I feel a little stupid. I thought I understood networking, but am doubting myself in the face of all the "not safe without a firewall" posts. I have an iMac running 10.4.11. The OS X firewall is off. My Mac is wired to an ADSL router. It is the only device on the network. I haven't set up any port forwarding on the router. I haven't enabled any services on the sharing tab. I'm safe, right?
the flawed firewall application is just a GUI app for a standard UN*X firewall, so the firewall wasn't flawed, just the settings and GUI for the settings.
Why is that a Troll? I am genuinely curious if Apple claimed that their firewall can block all incoming connections. I would think since Ellison's famous comment regarding Oracle as being 'hacker proof', large companies would shy away from absolutes like that.
Of course, I have read the posts and understand it is a poor description in the gui.
I am still at a loss as to being marked troll. Sometimes I may not come across the way I intended online, but I can't figure out how that can be interpreted as a troll.
The Dunning-Kruger explains most posts on
Hopefully you can just turn the bloody thing off.
"Software firewall" is an oxymoron. A firewall is a physical box that sits between two networks, filtering the exchange of information between them.
For those of us who actually have firewalls, having the operating system muck things up with a "software firewall" is just a nuisance. For those who don't, it's a false and dangerous sense of security.
"Convictions are more dangerous enemies of truth than lies."
At first I thought it was a troll, but it really is named Niggersaurus (or at least close enough). Well done, sir.
First of all - I do not subscribe to the concept that the only secure computer is the one that's turned off, unplugged, and not getting data. That's retarded. A box firewalled to the point where nothing can come in or out might as well not be plugged in.
Now - I 100% agree that if it says "everything closed" it damn well better be.
But it's still comforting to know that despite the legitimate problem - there was not galaxy-wide pandemonium as all the Macs running 10.5 cried out in terror. In fact, there were no problems at all.
In other words - just business as usual on the Mac front.
guns kill people like spoons make Rosie O'Donnell fat.
In Tiger I had a bunch of drop-down options, like, say, hmmm, 'selection only' or say, duplex. This is entirely gone in Leopard for the printers that I have tried (i.e. HP 4050).
There is an app online that can do this for you, but it seems to only be for native programs (Safari, mail, etc...). Is it just me or should those options be built into the OS.
Everything else on Leopard has been very impressive, most of all it sped my computer up. Everything is faster, which I find very impressive for a new OS (ahem, buy-a-new-computer-4-me Vista).
The difference between Apple and MS (or for that matter Linux developers and MS) is that Apple does not have a monopoly so they actually have to listen to their users and make changes to make them happy.
Really? How many people sell kit for Apple hardware? How many can people sell FairPlay tracks for ipods? Apple's as much of a monopolist as MS, it's just not as successful (yet).
Da Blog
The fruity bastards surreptitiously install the Flash plugin along with the Safari 3 update.
I guess I should keep that uninstaller handy. Grrrrrrrrr.
"I don't consider it so much "paying for Slashdot" as sending a little financial support to the people that keep a site I find useful...and gives them some idea of the value which I place on their product."
...? eh?
:)
Nice try - that snow job almost worked. 'product'
The 'product' here is aggregated stuff that flows in _after_ it has been placed online elsewhere - and you enjoy paying for dated content? To the extent you compare it to paying a musician directly? Hello - you're paying for nothing here, except a platform. The original authors get zip from you.
You're obviously a shill (with suspiciously well timed and pre-packaged comments) shoveling a promotional agenda - good luck with that
"The 'product' here is aggregated stuff that flows in _after_ it has been placed online elsewhere - and you enjoy paying for dated content?"
That's not the product. The product is the analysis and commentary and opinion posted ABOUT the content. Knowing viewpoints and trends can be as valuable as the content itself, if not more so.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
I upgraded from Tiger to Leopard last week and love it, except that I can no longer use IPv6. I've triple-checked my router, address, and prefix length manual settings and they're all correct. I just can't get out of the machine at all:
Even though I have an address and router set up, it doesn't seem to be actually configuring any interfaces to use them. Another machine on the same network has no trouble:
Even our old CRT iMac running Tiger works perfectly. Is anyone else successfully using IPv6 on Leopard? Is there some new gotcha that everyone but me knows about?
Dewey, what part of this looks like authorities should be involved?
..if they fix the spots, then is it still a leopard?
The only market Apple is close to being a monopoly in is portable digital music players
Apple has a 100% monopoly in Macintoshes. This was not always the case, but this is how Jobs likes it and so that's how he made it after he re-took control of Apple.
It's a nice convenient little line to trot out that Apple are just as bad as Microsoft, but the evidence doesn't support it and never has.
Apple has a 100% monopoly in Macintoshes. This was not always the case, but this is how Jobs likes it and so that's how he made it after he re-took control of Apple. I think the fundamental difference here is that you believe, for whatever reasons, that were Apple to somehow become as successful as Microsoft was in the 1990s, that it would not use its market power illegally. Based on experience, I have less confidence in the business practices of technology companies enjoying dominant positions. I believe the fact that Apple was not found in a court of law to have been "as bad" as Microsoft comes not from some moral high ground but from lack of opportunity. Within its tiny niche, Apple over the years has dealt some very duff hands to its ISVs and hardware partners. It's just that the Apple market has been so small for so long that nobody really cared.
Despite Apple's patches, they still refuse to overturn the Applecart and admit their security is provided 100% by obscurity.
If you look at the 41 security issues they "fixed" (many were avoiding the problem rather than fixing it), you can see that the majority of them either allowed the execution of arbitrary code (in non-tech speak, that means "allowed someone to do whatever the fuck they want")... or it could easily lead into a scenario which would allow someone to exploit another bug and thus execute arbitrary code.
In fact... one of the 41 was from the "Month of Apple Bugs", which was held almost a year ago! It took Apple 10 months to fix a single bug? Wow... that's some really proactive security wonks.
Obscurity is a horrid security model. Eventually, someone's going to come along and write the mother of all Apple viruses... and it's not going to be pretty. One good virus will tear through either the Apple or Lunix user base like wet tissue, leaving only devastated fanboys in its wake.
You're defining the market too narrowly.
Apple tried competing with Motorola, Power, Umax, Daystar, Radius etc and found it didn't like not having total control over its channels. Plus some companies were coming out with Macs that were faster and better-spec'd than Apple's. That made Apple look bad. Uprevving the system version from 7.x to 8.0 to freeze out the licensees was pretty underhanded.
I'll wait until they actually do something before I pass judgement. I won't agree with the sort of cynicism you espouse.
You're entitled to your opinion. However, even despite the shallow extent of Macintosh shareware compared to other ecosystems, over the years Apple has shown no reluctance in copying popular shareware products and bundling them with the OS. It has behaved generally like a standard OS vendor.
- Filter the news so I don't have to read everything on every site, but can hit one site for all (or most of) the tech stuff that's relevant for me
- Provide a somewhat civil way to discuss the news
I didn't pay, but I also don't block the ads, and I see nothing wrong with paying for it. If
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/ipfw.8.html
http://www.skype.com/help/guides/firewall.html
Where in the world did you get the idea that people did not "literally scream themselves blue in the face" about this issue? Honestly, this idea that Apple gets a free pass because it's Apple is hilarious. Do you even read blogs which have Apple as a topic? Mac users are some of the worst whiners ever (and I mean that in a good way, so don't flame me). They whine about everything. Icons on the dock don't line up perfectly well with the Dock's perspective? There are literally thousands of blog entries whining about that. People download a trojan from a porn site and install it on their Macs, giving the installer their password? Literally thousands of "Apple is doomed!" news stories.
Apple doesn't get a free pass from anyone. Everything Apple does is minutely followed by Apple's customers and Apple haters alike. Apple can't set one foot in front of the other without people all over the Internet whining about it.
It's not a bad thing, either. There's so little malware on Macs because Mac users will whine about it all day if something is found, giving it little chance to spread. There are so many good, well designed applications on Macs because Mac users don't tolerate crap. They will whine and whine and whine if their favourite application has a button which is a pixel too high, or if the Firewall settings are named confusingly. In the end, bad software just doesn't survive on Macs.
Here's the official English translation: http://www.heise-security.co.uk/articles/98120
And Nike has a 100% monopoly on Air Max shoes. That doesn't mean they actually have any kind of monopoly.
However, as a user who has only recently added an OS X machine to his collection, I have to ask.
Are these fixes part of the automatic updates that come down and require a restart? If so, how can I see what was added to my system? With Windows Update (at least under XP) I could pick and choose what I wanted, see everything they wanted me to install, but I haven't found that in my Mac.
If I do software update all I ever see to get is a new version of iTunes and Quicktime. So pardon the confusion.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
'"Software firewall" is an oxymoron. A firewall is a physical box that sits between two networks, filtering the exchange of information between them'
...
And you only really need a firewall if you are running services on ports that you don't want visible on the Internet. And in this day and age a firewall is next to useless as so many services are being piggybacked over HTML, in order to bypass the firewall
davecb5620@gmail.com
The new, updated documentation for the firewall in 10.5.1 now contradicts what the firewall presents to the user: http://tinyurl.com/2a6bcg
:)
It seems to be missing the defectivebydesign tag that everyone likes to throw around.
P.S. I'm using OS X right now (not Leopard though).
I have a button I got at a conference long ago:
Windows 95 = Mac '89
Still true today! Pffftttt!
10.5.1 (revised) is out, and 802.1x is STILL broken. The really scary part is when we talk with the Apple reps and system engineers, they uniformly tell us that "we don't know a whole lot about 802.1x." Ummm, what? You've had 802.1x since 10.3. I won't even go into how long MS has had 802.1x compatibility. C'mon Apple, FIX YOUR SHIT!
Clearly I forgot to equip my +5 Codpiece of Karma.
After installing the update, X11.app will not start. I filed a bug report. Has anyone else seen this?
All it did was force Apple to compete with its own 'partners' for the most profitable chunk of the same slice.
Yes, it's very difficult for entrenched monopolies to compete in a more open market.
But I think I see that our perspectives are too different to come to an agreement on this matter so I suggest that we agree to disagree?
And Nike has a 100% monopoly on Air Max shoes. That doesn't mean they actually have any kind of monopoly.
A shoe is not a computer. If I choose to wear a particular shoe, it does not in any real way constrain my choice of sock, trouser, or top. Nike can not mandate that only particular sock manufacturers can license rights or imprimaturs to make matching accessories. It does not require that I purchase a later-model shoe from the same manufacturer to minimise any "switching costs" during my shoe model transition.
# BMW has a monopoly on beemers.
# The Coca-Cola Corporation has a monopoly on Coke.
# Nabisco has a monopoly on Oreos.
# Rolex has a monopoly on Rolex watches.
A car is not a computer.
A soft drink is not a computer.
A biscuit is not a computer.
A watch is not a computer.
If I choose to wear or eat or drive particular commodities, that does not in any real way constrain my choice of matching objects, such as furry dice, nachos, cheese, or gold chains. None of these manufacturers (well, except for BMW) can mandate that only particular manufacturers can license rights or imprimaturs to make matching accessories. It does not require that I purchase a later-model commodity object from the same manufacturer to minimise any "switching costs" during my transition.
In the case of BMW, many tying agreements exist during manufacture to constrain the choice of factory-installed options available. However, decades of law have established, not without some struggling by car manufacturers, that consumers have a right to modify or to add unlicenced 3rd-party add-ons to their vehicles without voiding warranties or manufacturer's service contracts.
A local firewall isn't normally necessary on a UNIX system, since there should be no required services that can't run without leaving a promiscuous listening TCP port, so a firewall isn't necessary to protect local services from remote exploits.
I have only ever used a local firewall on any UNIX system when I'm also performing packet forwarding (i.e., acting as a router) and so can't control access at the application layer.
So the main purpose of a local firewall on UNIX is not to protect standard services from attack, it's to prevent a backdoor listener from being accessed. Which is what this does.
The real defect seems to be in the implementation not actually ensuring terminated services are shut down. That's a bug (though not a design defect).
I would argue that "deficient by design" would apply: it's missing useful functionality. But that doesn't make it defective.
It's still broken in 10.5.1, still completely insecure and broken is the only way to put it.
Drop to a command line, run the command "nc -l 9999" to start a listener, then go to another machine on your network and "telnet yourleopardip 9999" to connect back to your Mac. Nothing stops you, it is literally WIDE OPEN on all ports. Uid 0 or not, it does not matter.
..if they fix the spots, then is it still a leopard? Well, if they ever fix your cock, you'll still be a sucker.
http://slashdot.org/comments.pl?sid=360581&cid=21355383
From the same user: I don't own either an iPhone or an iPod, but as a user interface expert I certainly admire the work that went into them and I wish any of the cell phones I've ever owned had an interface that was even close to as easy to use.
Being a user interface expert doesn't mean he can't have worked at a network security company for four years. For one thing, 'user interface expert' says nothing about his current job. In fact, it's such a meaningless phrase that nothing useful can really be taken out of it. Amateur, professional, current and past, there's no substance that would actually counter his assertion of working for network security.
And this is ignoring your idiotic assumption that people can't be experts at more than one thing.
Nowhere did I say people can't be experts at more than one thing. Please take your meds..
My point is fairly clear and that is he assumes professions/expertise to get his point across, esp. when he is losing the argument. If that's not obvious to you, I'm sorry, that post wasn't for you.
I see people switching in between being a security researcher and user interface expert all the time.. no really.. happens all the time.
Duh, they fixed it. This story is old news. In an update released last night (or at least that's when I got it), the cottonpickin' firewall tab says, "Allow only essential services," instead of "Disallow all" or however it was worded before. It would be cool, however, if there were an additional "disallow ALL incoming and outgoing connections," meaning that it would accomplish the same thing as unplugging your ethernet cable and turning off Airport. I can't imagine why in the world such a thing would actually be useful, though. If you need a totally disconnected system, install VMware, drop in a Linux virtual machine, and tell VMware to make it have no connection to the outside world.
Nobody claims
Nobody you know, obviously.
Only morons claim Nintendo has a monopoly on gaming. The same applies to Apple and computers.
Where did I claim that? You're obviously having trouble understanding the difference between the set of all exemplars versus a sub-set. You know, there should be a Godwin for the first person to resort to personal abuse in a conversation as defence for lack of clue. Oh wait, there is.
Apple competes in the personal computer system market ... OS X is not a competitor in this market because Apple does not sell it to OEMs to install on other systems. Apple just uses it to bypass MS's monopoly
Here's where our perspective differs. From my POV, Apple deploys OSX as a defensive strategy to lock in a customer base and create a barrier around its market. It is not really bypassing Microsoft's monopoly, it is replacing it with a smaller monopoly and a shallower software pool.
The advent of things like Boot Camp and Parallels is interesting regarding Apple's long-term approach to the Mac. For years the idea of supporting Windows/DOS emulation on a Mac was seen as a Very Bad Thing from a strategic point of view. The example of the Amiga was fresh in people's minds - part of its launch strategy was that it provided MS-DOS emulation from Day 1. Many people felt this was why it never really got a good ecosystem beyond games. Obviously thinking in Apple has changed as regards building out OSX's base long-term because, with the ability to run Windows easily on their machines, why should any software publishers begin any new large-scale OSX project or spend too much effort upgrading? It's a short-term win but a long-term questionable proposition. Apple's monopoly on Mac operating systems has served it well, but maybe along with its transformation from Apple Computer to simply Apple, new thinking on the long-term development of its monopoly strategy has changed.
It has come to this.