Slashdot Mirror


Apple Fixes 'Misleading' Leopard Firewall Settings

4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."

7 of 264 comments

  1. As usual, other considerations... by daveschroeder · · Score: 5, Informative
    Apple's "everything just works" niceties depend on things like Bonjour, in particular, being able to be accessed, and most users would end up selecting "Block all incoming connections" when making a firewall choice, because they won't really understand anything else...and "more" is "better", right? So blocking all must mean I'm super secure! Firewall good! Hacker bad! ...Except that now when I get my AppleTV and buy my son or daughter an iMac and expect to be able to do all the cool stuff that doesn't require any configuration and "just works"...nothing works. Why doesn't it work?

    They won't be able to answer that any more than they know what to pick on the Firewall preferences screen.

    So what Apple does is a little bit of deciding for the user what makes sense. The first step was going to an intelligent application level firewall that makes it a lot more functional and easier to use. The next was making some policies that allow services Apple considers "essential" to the whole Mac OS X user experience. And like it or not, Bonjour is an integral part of that.

    Anyone who knows enough to know, for certain, that they don't want, e.g., Bonjour open, also knows how to use any of a number of free or commercial commandline or graphical options to set up ipfw or other network level protections any way they wish. That's the bottom line: anyone who knows enough to "know" they "really" want to disable all incoming connections can still easily do so.

    This is about making security easy for typical, average users, while still keeping things that make the Mac experience "just work".

    Now, I *do* wish that Apple had one more option: Block *everything*, but explain, hey, this is going to break some things like Bonjour, etc., so be SURE that you want to do this, and don't complain if all of a sudden your AppleTV syncing and iTunes sharing and automatic local machine discovery no longer work.

    Apple describes all of this very explicitly here:

    The 10.5.0 Application Firewall blocked all but:

    Processes that are running as UID 0
    mDNSResponder

    The 10.5.1 Application Firewall blocks all but:

    configd, which implements DHCP and other network configuration services
    mDNSResponder, which implements Bonjour
    racoon, which implements IPSec

    So, while I haven't extensively tested yet, it does NOT appear to allow UID 0 processes, but rather only the above processes.

    And from here:

    CVE-ID: CVE-2007-4702

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: The "Block all incoming connections" setting for the firewall is misleading

    Description: The "Block all incoming connections" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services. This update addresses the issue by more accurately describing the option as "Allow only essential services," and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services: configd (for DHCP and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec). The "Help" content for the Application Firewall is also updated to provide further information. This issue does not affect systems prior to Mac OS X v10.5.

    CVE-ID: CVE-2007-4703

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: Processes running as user "root" (UID 0) cannot be blocked when the firewall is set to "Set access for specific services and applications"
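The two exemption lists quoted above are easy to confuse, so here is an added example (not code from the page, from Apple, or from any commenter) that applies both policies to a listener inventory. It parses text in the layout of `sudo lsof -i -P -n` output and reports which sockets each firewall build would still admit under the "block all" setting. The sample lines are constructed for the example: the process names, PIDs and ports are made up, and "example_daemon" stands in for any root-owned service a user might not know is listening. It assumes that a user name of "root" is a good enough proxy for UID 0, which holds on a stock install.

```python
"""
Classify listening sockets by whether Leopard's Application Firewall
"Block all incoming connections" setting would still let them receive
traffic, under the 10.5.0 rule (any UID 0 process, plus mDNSResponder)
and the 10.5.1 rule (only configd, mDNSResponder and racoon).
"""
from collections import namedtuple

Listener = namedtuple("Listener", "command pid user proto address port")

# Exemptions as described in the Apple notes quoted in the comment above.
# 10.5.0 additionally exempts every process running as root (UID 0).
ALWAYS_EXEMPT_10_5_0 = frozenset({"mDNSResponder"})
ALWAYS_EXEMPT_10_5_1 = frozenset({"configd", "mDNSResponder", "racoon"})

# Addresses that are only reachable from the machine itself.
LOOPBACK_PREFIXES = ("127.", "[::1]", "localhost")

# Constructed sample in the layout of `sudo lsof -i -P -n` output.
# Names, PIDs and ports are invented for this example; "example_daemon"
# is a hypothetical root-owned service, not a real Mac OS X component.
SAMPLE_LSOF = """\
COMMAND         PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd           1           root   11u  IPv6 0x0001      0t0  TCP *:22 (LISTEN)
mDNSResponder    35 _mdnsresponder    7u  IPv4 0x0002      0t0  UDP *:5353
configd          41           root    9u  IPv4 0x0003      0t0  UDP *:68
racoon           88           root    6u  IPv4 0x0004      0t0  UDP *:500
cupsd           110           root   10u  IPv4 0x0005      0t0  TCP 127.0.0.1:631 (LISTEN)
example_daemon  999           root    3u  IPv4 0x0006      0t0  TCP *:31337 (LISTEN)
iTunes          512           dave   20u  IPv4 0x0007      0t0  TCP *:3689 (LISTEN)
"""


def parse_lsof(text):
    """Turn lsof -i output into Listener records (TCP LISTEN and UDP sockets only)."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue
        command, pid, user, _fd, _type, _dev, _size, node, name = fields
        if node == "TCP" and not name.endswith("(LISTEN)"):
            continue                            # established or outbound TCP
        endpoint = name.split(" ")[0]           # drop the "(LISTEN)" suffix
        address, port = endpoint.rsplit(":", 1) # works for "*:22" and "[::1]:22"
        listeners.append(Listener(command, int(pid), user, node, address, int(port)))
    return listeners


def reachable_under(listener, version):
    """True if the firewall policy of that release admits inbound traffic to it."""
    if version == "10.5.0":
        # lsof prints a user name; "root" is assumed to be the only UID 0 account.
        return listener.user == "root" or listener.command in ALWAYS_EXEMPT_10_5_0
    if version == "10.5.1":
        return listener.command in ALWAYS_EXEMPT_10_5_1
    raise ValueError("unknown firewall version: %s" % version)


def exposed(listeners, version):
    """Listeners that still accept connections with "block all" enabled."""
    return [l for l in listeners if reachable_under(l, version)]


def newly_blocked(listeners):
    """Listeners 10.5.0 let through but 10.5.1 blocks: the footprint of CVE-2007-4702."""
    return [l for l in listeners
            if reachable_under(l, "10.5.0") and not reachable_under(l, "10.5.1")]


def network_facing(listener):
    """Bound to a wildcard or non-loopback address, so reachable from other hosts."""
    return not listener.address.startswith(LOOPBACK_PREFIXES)


if __name__ == "__main__":
    found = parse_lsof(SAMPLE_LSOF)
    for version in ("10.5.0", "10.5.1"):
        print("exposed under %s:" % version)
        for l in exposed(found, version):
            reach = "off-host" if network_facing(l) else "loopback only"
            print("  %-15s %s %s:%d user=%s (%s)"
                  % (l.command, l.proto, l.address, l.port, l.user, reach))
    print("closed by the 10.5.1 change:",
          ", ".join("%s/%d" % (l.command, l.port) for l in newly_blocked(found)))
```

On the constructed sample, the 10.5.0 rule admits six of the seven listeners (everything owned by root plus mDNSResponder), while the 10.5.1 rule admits only the three named services; the difference (sshd via launchd on 22, cupsd on 631, the hypothetical daemon on 31337) is exactly what the old label "Block all incoming connections" hid. The loopback check matters in practice: cupsd bound to 127.0.0.1 is "allowed" by the 10.5.0 policy but not reachable from the coffee-shop network anyway, so an audit should weight wildcard binds far more heavily.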

    1. Re:As usual, other considerations... by Rodyland · · Score: 5, Insightful
      Let me first say that I get what you're saying, and I can understand where Apple are coming from....


      But... can anyone here honestly say that if you took the entire story about the 'dodgy' firewall and replaced Apple with Microsoft that there wouldn't be people literally screaming themselves blue in the face about how insecure MS is _by_design_?

      Seriously, if an MS-shipped firewall decided (without telling you) that 'block all incoming connections' really meant 'block all incoming connections except for MSN Messenger and oh, I don't know, maybe Media Player', would you be making excuses about how it was really necessary and understandable to deliver the "Microsoft Experience(TM)"?

      No, I didn't think so either.


      Yes, Apple should be applauded for recognising a problem in their software, as well as a problem in the way their software presents itself, and fixing it.

      But they should not be forgiven for creating the problem in the first place because their hearts were in the right place. That kind of thinking leads to bad places.

    2. Re:As usual, other considerations... by Anonymous Coward · · Score: 5, Insightful

      Supporting the services he uses with monetary compensation? Absurd!

    3. Re:As usual, other considerations... by 99BottlesOfBeerInMyF · · Score: 5, Insightful

      The scenario has you in a hostile environment. It is untrusted. You shouldn't want to expose anything except the bare minimum.

      Funny. Technically, I don't need to use the Web at all in coffee shops, so by your argument I should block all traffic. On the other hand, I prefer my computer to be functional, when that functionality does not pose a significant security risk. Guess what, I also have SSH enabled for access, even though I only need to access it occasionally. The service I originally referred to (Bonjour) is unlikely to pose a security risk, especially since in addition to finding an exploit in it, an attacker would have to find an exploit in the Mandatory Access Control sandbox OS X runs it in by default. I'm a lot more likely to be exploited by an attack on my Mail.app than by an attack on Bonjour. Do you also advocate that I do not check my e-mail while at the coffee shop?

      Save the "nice" services for when you are on a trusted network.

      Screw that. Half the benefit of Bonjour enabled chatting is that I can easily talk to people I don't have in my "buddy" list while at conferences and coffee shops. Sacrificing function out of unjustified fear is not my cup of tea.

      I don't want 3rd party.

      Umm, okay, then don't use it. Good luck finding a capable first party GUI firewall configuration tool on a platform that is not riddled with security holes.

      Honestly, it sounds to me like you're looking for something to complain about. I really wish people with your sort of an attitude on security would revisit your basic assumptions. Security is about allowing users to do what they want with a system, and preventing things they don't want from happening, especially without their permission. Reducing functionality just means users turn off security features or move to a system where they have more functionality. If I had a dollar for every time I've seen someone at a LAN party shut off their firewall completely because it was restricting something they wanted to do and was too hard to enable just that application/behavior... well, I'd have enough cash to buy a good steak and some scotch anyway.

    4. Re:As usual, other considerations... by 99BottlesOfBeerInMyF · · Score: 5, Insightful

      The people who think that Microsoft is less secure than Apple or Linux don't really know security or the security market well at all. They simply have formed an opinion by listening to fanboys, advertisements and the uninformed.

      Well, I've been working at a network security company for the last four years and have been reading detailed weekly reports for internal consumption, written by well regarded professionals. What, exactly, is your expertise?

      The average linux / apple system in production is no more secure than the average microsoft system ---- in reality they BOTH have tons of vulnerabilities.

      Everything has vulnerabilities. Linux and OS X boxes have fewer, exposed for shorter periods of time, and less regularly exploited, especially in an automated fashion.

      IF (and that's a BIG if) a linux system is configured properly, including SE Linux...

      You did note that the new version of OS X ships with a MAC ported from SELinux and comes with all the services exposed by default preconfigured to run in sandboxes. And because it is included by default, unlike Linux distros, applications developed from now on can count on it and come preconfigured as well.

      ...they are ALL just as vulnerable to directed attacks.

      No, they're not, because default Linux and OS X installs have fewer exposed services and fewer known, unfixed vulnerabilities at any given point. Aside from that, most exploits are not directed, but automated, and Windows is vastly more exposed to those attacks.

      People who buy Mac / Linux for the 'security benefits' are simply deluding themselves into thinking they've improved anything.

      Please. The numbers belie your assertion. The average user, simply buying a Mac significantly reduces their risk of having their machine compromised.

      There IS a place for Linux in the corporate world. There is also a place for Microsoft. I'm not so sure about Apple ---

      Interested in finding Apple's place? Go to BlackHat, or DefCon, or one of the other big security conferences in the next year. When there, take a quick count of how many Mac laptops you see in use among security experts. It was upwards of 50% at the last one I went to, and it was a private conference for security experts at tier 1 network operators. Why do you suppose that is, because all those security experts are idiots and just not as brilliant as you are?

  2. Haven't tested, but the notes said yes. by attemptedgoalie · · Score: 5, Informative


    http://docs.info.apple.com/article.html?artnum=306907

    - Addresses a potential data loss issue when moving files across partitions in the Finder.

    --
    My mom says I'm cool.
  3. Slightly Disingenuous Summary by ickoonite · · Score: 5, Informative

    The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities.

    Yes, that was an update for Mac OS X 10.4. This patch is for Mac OS X 10.5. The two are essentially unrelated, so trying to imply that this represents some kind of patch frenzy is at least a little disingenuous.

    :|