[Infowarrior] - Leopard security concerns

Richard Forno rforno at infowarrior.org
Wed Oct 31 00:44:02 UTC 2007


Leopard with chinks in its armour

A second look at the Mac OS X Leopard firewall

http://www.heise-security.co.uk/articles/98120

Apple is using security in general and the new firewall in particular to
promote Leopard, the latest version of Mac OS X. However, initial functional
testing has already uncovered cause for concern.

The most important task for any firewall is to keep out uninvited guests. In
particular, this means sealing off local services to prevent access from
potentially hostile networks, such as the internet or wireless networks.

But a quick look at the firewall configuration in Mac OS X Leopard shows
that it is unable to do this. By default it is set to "Allow all incoming
connections," i.e. it is deactivated. Worse still, a user who, for security
purposes, has previously activated the firewall on his or her Mac will find
that, after upgrading to Leopard, the system restarts with the firewall
deactivated.

In contrast to, for example, Windows Vista, the Leopard firewall settings
fail to distinguish between trusted networks, such as a protected company
network, and potentially dangerous wireless networks in airports or even
direct internet connections. Leopard initially takes the magnanimous
position of trusting all networks equally.

< - much more - >

Conclusion:

The Mac OS X Leopard firewall failed every test. It is not activated by
default and, even when activated, it does not behave as expected. Network
connections to non-authorised services can still be established and even
under the most restrictive setting, "Block all incoming connections," it
allows access to system services from the internet. Although the problems
and peculiarities described here are not security vulnerabilities in the
sense that they can be exploited to break into a Mac, Apple would be well
advised to sort them out pronto.

Apple is showing here a casual attitude with regard to security questions
which strongly recalls that of Microsoft four years ago. Back then Microsoft
was supplying Windows XP with a firewall, which was, however, deactivated by
default and was sometimes again deactivated when updates were installed. It
was also the case that system services representing potential access points
for malware were accessible via the internet interface by default. Despite
years of warnings from security experts, the predominant attitude was that
security must not get in the way of the great new networking functions.

Then along came worms such as Lovsan/Blaster and Sasser, which rapidly
infected millions of Windows computers via security vulnerabilities in
system services, causing millions worth of damage. Even today, an unpatched
Windows system with no active firewall will be infected within a matter of
minutes. However, Microsoft has since learnt its lesson -- a serviceable
firewall, activated by default, has been included since Service Pack 2. With
the standard configuration, no services are accessible from the internet on
a Windows system. 

http://www.heise-security.co.uk/articles/98120
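
An added example, not part of the heise article or of this post: since the article reports that system services stayed reachable even under "Block all incoming connections", an administrator can list which sockets are bound to non-loopback addresses instead of relying on the firewall setting alone. The sample input is constructed in the column layout of macOS `netstat -an`, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the column layout of macOS `netstat -an` (not captured from a real host).
SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.49712     203.0.113.7.443        ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp46      0      0  *.548                  *.*                    LISTEN
udp4       0      0  *.123                  *.*
udp6       0      0  fe80::1%lo0.123        *.*
"""

def split_endpoint(endpoint):
    """macOS netstat joins address and port with a dot: '127.0.0.1.631', '*.22'."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def is_loopback(host):
    if host == "*":
        return False  # wildcard bind: reachable on every interface
    addr, _, scope = host.partition("%")  # split off an IPv6 scope id such as %lo0
    if scope.startswith("lo"):
        return True  # link-local address scoped to the loopback interface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable: report it so a human reviews it

def exposed_listeners(netstat_text):
    """Return (proto, host, port) for sockets accepting traffic on non-loopback addresses."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        proto, local, foreign = f[0], f[3], f[4]
        state = f[5] if len(f) > 5 else ""
        # TCP must be in LISTEN; UDP has no state, so an unconnected socket counts
        listening = state == "LISTEN" if proto.startswith("tcp") else foreign == "*.*"
        if not listening:
            continue
        host, port = split_endpoint(local)
        if port.isdigit() and not is_loopback(host):
            found.add((proto, host, int(port)))
    return sorted(found, key=lambda e: (e[2], e[0]))

if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE):
        print(f"{proto:6} {host}:{port} is bound beyond loopback")
```

Each entry it reports is a service to stop, rebind to loopback, or confirm from a second machine that the firewall really blocks.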



