The Mac Observer

Skip navigational links

You're viewing an article in TMO's historic archive vault. Here, we've preserved the comments and how the site looked along with the article. Use this link to view the article on our current site:
Leopard's Firewall Faulted by Security Researchers

Leopard's Firewall Faulted by Security Researchers

by , 3:10 PM EDT, October 30th, 2007

Researchers at Heise Security have noted that, even after an upgrade from Tiger to Leopard, if the firewall was turned on in Tiger, it is turned off in Leopard, according to Robert Vamosi's C|Net Blog on Tuesday.

In addition, even if the Leopard firewall is once again turned on, some incoming connections will be allowed, determined by Leopard by default.

Jürgen Schmidt, editor in chief at Heise Security said, for example, his team was able to query the NetBIOS Naming Service on the network even with the firewall on. His team also had a problem filtering UDP packets in Leopard [in the firewall].

Heise Security also faulted Apple for not including the latest version of Samba which has bug fixes. It's the same version as in Tiger.

TMO notes that Apple typically avoids confusion by keeping things simple for novices but offers a UNIX architecture that allows professionals to implement whatever they need. Also, in Leopard, the firewall has been moved from the Sharing System Preference to Security.

Observer Comments

Show: Subjects Only | Full Comments
Close Name:Guest
Subject: Correction

Firewall moved from the Sharing System Preference to Security. I had to re-enable ssh access from my Tiger setup so guess that makes up for the lack of default firewall. Hmmm....

Close Name:Guest
Subject: I miss the functionality

of manually adding a port range. Also, you cannot block UDP only.. etc.. Making something simple and removing features is not the same thing.

I also wonder if the testers of the firewall placed the mac's behind a router, which I think is more typical. <shrug>

Close Name:Steve Ballmer Guest
Subject: Macs are inherintly UNSECURE!

Vista is bulletproof!
The Death of 3rd Party Security Vultures and Such!
McAfee Inc., Trend Micro Inc., CA Inc. and especially Symantec, ... say goodnight! We are about to announce MS ForeFront 2.0!
Let me make it clear that while I have tolerated these "anti-virus" vendors for years, something about their very existence has not set very well with me. I mean, having a bunch of multi-million dollar companies that depend solely on there being bugs, leaks, holes, exploitables, mistakes, oversights and problems in Windows dosen't speak very well of Microsoft. They are like carrion, buzzards, jackels, ... protecting a rotten carcass from other smaller vermin. They always argue, "But, Bu-bu-but you need us!", maybe that was true in the past, but no longer!

VISTA IS BULLETPROOF!

None of these quacks bag of tricks are any longer necessary!
Between WGA and Forefront the OS and Genuine MS apps are totally impervious to attack! They are so secure that many times even the registered owners have trouble gaining access to the computer! So then how could any hacker?

These vultures will kick, choke and whine as the user-base realizes this truth, but I say good riddance, your success reflected badly on us anyway.

http://fakesteveballmer.blogspot.com

Close Name:Guest
Subject: Idiot Researchers

First off - Leopard does not need to run a single monolithic firewall. Leopard is specifically designed to grant network reception and send permissions on an app-by-app basis by default. Therefore, the firewall is actually always on. You have to make exceptions by opening up ports to allow file sharing, screen sharing, Skype, et. Otherwise, if you aren't running any servers, like sshd or "file sharing", a firewall is useless. Not running daemons that listen for outside connections is much more secure than a firewall. What a firewall is good for is allowing local network users access to services, while denying those services to other networks. But most of us have no need to run services at home, so a firewall is pretty much pointless.

If Leopard trusts the app/service (which is either trusted via cryptographic signature or by being initiated by the root user), it gets network access. Otherwise, it does not get access, plain and simple.

This means that in order to break in, you either have to have the cryptographic trust, or you already have to know the local machine's root password.

For the truly paranoid, the traditional firewall is sitting there in System Preferences, where you can turn it on at any time after installation. This will give you twice the protection that Vista could ever hope to give in its current state. So long as you don't use Windows Sharing (NetBEUI/NBT), a web server, ssh, NFS, or p2p... you generally have no need for a firewall if there's nothing on your box listening for inbound requests from the network (local or otherwise).

Comment on this Article


You cannot edit your comments.   You cannot delete your comments.

Comments are currently closed. Please email the author instead.


Recent Headlines - Updated July 6th

Mon, 11:17 AM
Ted Landau's User Friendly View - Apple’s LED Cinema Display: A Too Short Story
11:11 AM
Product News - Photo Recovery for Mac Adds Photoshop Support
10:39 AM
Hot Forum Topic - iPhones in Education
8:47 AM
News - Apple Employee Injured in Store Shooting
Fri, 10:29 AM
News - Apple Warns of Learning Interchange Security Breach
7:30 AM
News - Happy Fourth of July!
Thu, 6:07 PM
TMO Scoop - Psystar Moves to Drop Bankruptcy Ahead of Apple Legal Battle
5:37 PM
News - Uncomfirmed Reports Say Apple & Nvidia On The Outs
4:57 PM
News - Microsoft Sick Over Barf Ad
4:09 PM
Product News - KRK Ships R6 Passive Studio Monitor for Recording
3:45 PM
John Martellaro's Blog - Particle Debris (week ending 7/2)  Juiced, Joost and Goosed
3:12 PM
Product News - ExactScan 2 Pro Released

The Mac Observer Reader Specials

  • __________
  • Buy Stuff, Support TMO!
  • Podcast: Mac Geek Gab
  • Podcast: Apple Weekly Report
  • TMO on Twitter!