News Blog Subscribe to News Blog
October 30, 2007 10:18 AM PDT

Holes in Leopard's firewall

Posted by Robert Vamosi

Although Apple is selling its new Mac OS X Leopard operating system on its improved security, researchers at Heise Security have already found fault with its firewall. Unlike with Windows Vista, the Apple firewall is not enabled by default and must be enabled by the end user. Even if you had the firewall enabled in a previous version of the Mac OS X, after an upgrade to Leopard the firewall will again be set to "Allow all incoming connections." It will be disabled.

According to Jürgen Schmidt, editor in chief at Heise Security, if you enable the Apple firewall and set it to "Block all incoming connections," access from the Internet to certain internal system services will still be allowed. As an example, he said that his team was able to query the NetBIOS Naming Service over a Lan network even with full blocking enabled. The team was also unable to specifically enable UDP filtering within Leopard, which should block access to NetBIOS.

Schmidt also faulted Apple for not including the latest versions of open-source applications within Leopard. In August, Charles Miller of Independent Security Evaluators noted the same at the annual Black Hat conference in Las Vegas. The expectation over the summer had been that Leopard would include the most recent version of several open-source applications and protocols.

Within Leopard, Schmidt noted that Apple ships ntpd 4.2.2, while the latest version is 4.2.4, although he admits that it is unclear whether there are any exploitable vulnerabilities here.

That's not the case with Samba, a primary networking protocol. Over the summer Apple did update its Samba package, but not to the most recent version. Leopard ships with version 3.0.025b (same as Tiger). The more recent releases of Samaba, 3.0.25c and 3.0.26a, do include several known bug fixes so it is unclear why Apple did not update Samba within Leopard.

Apple has a longstanding policy about not commenting in public on issues regarding the security of its products.

Recent posts from News Blog
End of Intel, AMD duopoly near? Via readies Isaiah chip
Google Translate speaks 10 new languages
Yahoo investors begin to weigh in on Icahn proxy fight
Hacker confab 'Last HOPE' to track attendees with RFID
Can the Feds enforce Net neutrality? Maybe not
Add a Comment (Log in or register) 57 comments (Page 1 of 2)
Been running...
by bond co. stooge October 30, 2007 11:13 AM PDT
...without my firewall turned on in OS X since 2002.
Reply to this comment View all 2 replies
But....
by yipcanjo October 30, 2007 11:15 AM PDT
...Steve Jobs can do no wrong! This is *clearly* Microsoft's fault. ;)
Reply to this comment View all 2 replies
OS X don't need it,
by mailbox001 October 30, 2007 11:43 AM PDT
Because OS X is immune to virus, trojans, malware, etc, what's the point of having any securiy software.
Reply to this comment View all 3 replies
LOL
by arluthier October 30, 2007 11:54 AM PDT
I hope that was sarcasm. :-)
Reply to this comment
Rotten APPLE?
by Al Giacoio October 30, 2007 1:19 PM PDT
It's amazing, when Apple was closed off from the world they were able to keep things like this from happening but now when you play with the big boys like Microsoft on a level playing feild Apple isn't so perfect!!!! Wow, they launched the iPhone which pushed OS X back and still managed to leave holes and the OS is no faster and not compatable with major titles. I guess they can pull all those idiotic commercials!
Reply to this comment View all 3 replies
You ALWAYS had to turn on the firewall
by NeverFade October 30, 2007 2:00 PM PDT
This is no different with the previous versions in that aspect.
Reply to this comment View reply
Ignorance and Idiocy.
by Penguinisto October 30, 2007 2:02 PM PDT
First off - Leopard is built not to run a single monolithic firewall, but to grant network reception and sending permissions on an app-by-app basis. If Leopard trusts the app/service (which is either trusted via cryptographic signature or by being initiated by the root user), it gets network access. Otherwise, it simply does not. Simply put - in order to break in, you either have to have the cryptographic trust, or you already have to know the local machine's root password. And BTW - for the truly paranoid, the traditional firewall is sitting there in System Preferences, where you can turn it on at any time after installation. This will give you twice the protection that Vista could ever hope to give in its current state. ========== Second Up - The title is misleading, the content is misleading (and inaccurate, and incomplete), and Heise is more used to pure *nix, where iptables/ipf trumps all. Things are a bit more nuanced nowadays, so call me when/if (most likely "if") someone manages to actually break into a Leopard machine, 'kay? ========= Meanwhile, anyone who doesn't have a home firewall appliance (not the one from the cable/DSL company, the one you buy and put in between the cable/DSL modem and your computers) deserves what they get by now *shrug*. It's called "defense in depth", and maybe more than just some people will get a clue and practice it? /P
Reply to this comment View all 2 replies
huh?
by theveggiedude October 30, 2007 2:49 PM PDT
"Wow, they launched the iPhone which pushed OS X back and still managed to leave holes and the OS is no faster and not compatable with major titles" What "major" titles are you referring to? All my applications are working. Such as Adobe PhotoShop, Firefox, Transmit, Final Cut Pro, Yahoo IM, World of Warcraft and including my not so major ones like BluePhoneElite and other shareware. And not faster? I think it is faster. What is your source? Mac OS X is not perfect, but lets not forget there is still not one virus for OS X in its seven year history.
Reply to this comment View reply
I don't believe the article is true.
by UrbanBard October 30, 2007 10:10 PM PDT
The Mac OS's firewall is always turned on. You have to make exceptions by opening up ports to allow file sharing, screen sharing, Skype, et. I don't have Leopard yet, but I don't see Apple changing that, Here is what Apple says, "Mac OS X includes firewall software you can use to block unwanted network communication with your computer. Using a firewall protects your computer from users on other networks or the Internet. In order to use Mac OS X services, such as personal file sharing, Windows sharing, or FTP access, you need to open ports in the firewall to allow traffic for that service to and from your computer. When you select a service in the Services pane of Sharing preferences, it is automatically selected in the Firewall pane, and the port is opened." As it says, these ports are closed unless you open them.
Reply to this comment
No...
by _t3h October 31, 2007 1:10 AM PDT
> I remember the iphone had flaws where people were getting their info taken. No, you remember flaws which could have potentially been used for this purpose. At no stage was this ever actually 'in the wild' (not that it's OK of course, but there is a difference).
Reply to this comment
1 | 2 | Next 10 Comments >>
Powered by Jive Software
advertisement
Click Here

  • About News Blog

  • Recent posts on technology, trends, and more.

Add this feed to your online news reader
Google
Yahoo
MSN

News Blog topics

Most popular stories

  1. CBS to buy CNET Networks

  2. Images: Microsoft telescope puts universe on your desktop

  3. Intel Germany executive reportedly confirms Atom-based iPhone

  4. Xbox 360 hits 10 million sold in U.S.

  5. Photos: Microsoft previews 2008 Xbox games

Latest tech news headlines

All News.com headlines »

Featured blogs

Beyond Binary by Ina Fried

Coop's Corner by Charles Cooper

Defense in Depth by Robert Vamosi

Geek Gestalt by Daniel Terdiman

Green Tech

One More Thing by Tom Krazit

Outside the Lines by Dan Farber

The Iconoclast by Declan McCullagh

The Social by Caroline McCarthy

Underexposed by Stephen Shankland

advertisement
Click Here
Welcome (log out) |View profile
Log in | Sign up Why join?
On MovieTome: POINT BREAK 2, yes, you read that right!
Advanced
search
advertisementGet more done with Windows Mobile
Advanced
search
Visit other CNET Networks sites: