Researcher: Leopard's Firewall is a Mess

The launch of Apple's newest OS, Leopard, has been, to say the least, tinged with negative press, what with reports of bluescreens caused by third-party applications and Java incompatibilities. On Friday, Rich Mogull, a security consultant and former Gartner analyst, added more fuel to the fire when he said "[Leopard's] firewall is a mess" after spending two days digging into the new firewall's capabilities. "It's a step back from Tiger's firewall. I was originally pretty bullish on Leopard's security, and I still am on the concepts, but the implementation makes most of its advances ineffective or unusable."

The firewall in Mac OS X 10.5 Leopard uses a bare-bones interface -- earlier this week, Mogull called it "so simple as to be nearly useless" -- that offers users three options: allow all incoming connections, block all incoming connections, and set access for specific services and applications. Unfortunately, the implementation seems fraught with problems. "'Block all' does seem to block actual connections," said Mogull, "but any shared ports are detected as 'open/filtered' on a port scan." ("open/filtered" is the state a scanner reports when its probe draws no reply at all, so it cannot tell a silent listener from a filter that dropped the probe; a genuinely closed port answers with a TCP reset or an ICMP unreachable and is reported as "closed".) And unless users turn on stealth mode, some services -- Bonjour, Apple's network-device-discovery technology, is one -- are seen as open by scans, no matter which firewall setting is selected. Only by using "Block all" with stealth enabled are shared services actually invisible.
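The practical way to check claims like Mogull's is to scan the host from another machine rather than trust the preference pane. The script below, an added example that is not part of the article or of Mogull's testing, classifies a port the way a scanner does: "open" when the probe is answered, "closed" when the host actively refuses (TCP reset or ICMP port unreachable), and "filtered" (TCP) or "open|filtered" (UDP) when the probe is silently dropped. The last state is the ambiguous one the article describes. The self-test at the bottom runs only against the loopback interface, so it can show the open and closed cases but not the dropped one, which needs a real firewall in the path; the listener ports and probe payload are constructed for the demo.

```python
"""Minimal TCP/UDP port-state probe (added example, not the article's code).

Classifies a port the way nmap's connect scan and UDP scan do:
  TCP: answered -> open, RST -> closed, no reply -> filtered
  UDP: datagram back -> open, ICMP unreachable -> closed, no reply -> open|filtered
"""
import socket

HOST = "127.0.0.1"   # loopback only; point at a real host to audit its firewall


def tcp_state(host, port, timeout=1.0):
    """Connect scan.  A completed handshake means something is listening; a
    refused connection means the stack answered with RST; a timeout means the
    SYN was dropped, which is what a stealthed firewall produces."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    finally:
        s.close()


def udp_state(host, port, timeout=1.0, payload=b"\x00"):
    """UDP probe.  Connecting the socket makes the kernel surface an ICMP
    port-unreachable as ConnectionRefusedError on the next recv; silence is
    ambiguous, hence 'open|filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(payload)          # constructed probe; real scanners send service-specific payloads
        s.recv(1024)             # any datagram back proves a listener
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "open|filtered"
    finally:
        s.close()


def _listener(kind):
    """Bind a throwaway listener on an ephemeral loopback port (demo fixture)."""
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind((HOST, 0))
    if kind == socket.SOCK_STREAM:
        srv.listen(1)
    return srv, srv.getsockname()[1]


def _free_port(kind):
    """Reserve and release an ephemeral port so we have a known-closed one."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_demo():
    """Probe a listening and an unbound port over both protocols on loopback.
    A silent UDP listener shows as 'open|filtered': the scanner cannot tell it
    from a dropped probe, which is exactly the ambiguity the article reports."""
    tcp_srv, tcp_port = _listener(socket.SOCK_STREAM)
    udp_srv, udp_port = _listener(socket.SOCK_DGRAM)   # never replies
    try:
        return {
            "tcp_listening": tcp_state(HOST, tcp_port),
            "tcp_unbound": tcp_state(HOST, _free_port(socket.SOCK_STREAM)),
            "udp_listening": udp_state(HOST, udp_port, timeout=0.5),
            "udp_unbound": udp_state(HOST, _free_port(socket.SOCK_DGRAM)),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    for name, state in scan_demo().items():
        print(f"{name:14s} {state}")
```

Run against a Leopard host from a second machine in each of the three firewall modes: a shared service that reports "open" under "Block all" is the Bonjour symptom above, and one that reports "filtered" or "open|filtered" rather than "closed" is the scan result Mogull quotes. Use a longer timeout across a real network than the loopback defaults here.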

Those inconsistencies pale against the firewall's ability to break some applications without warning. When the "Set access" mode is turned on, the firewall digitally signs applications that the user allows to accept incoming connections. Most application-aware firewalls revoke a program's network permission when they detect that its binary has changed, such as after an upgrade to a new version; Mogull discovered that Leopard takes it one step further and refuses to launch applications that modify themselves at runtime. Skype, the popular VoIP and instant-messaging client, is one such program. If the user has set the firewall to "Set access" and runs Skype, the icon bounces a time or two in the Dock, but the application never loads. Nor does Leopard tell the user that Skype has failed or why it won't launch. Only the Mac OS X Console gives a clue, with a message such as:

11/2/07 9:47:51 AM [0x0-0x35035].com.skype.skype[399] Check 1 failed. Can't run Skype.

However, Mogull isn't all bad news. "Fortunately, all of this is fixable," he said. "Apple clearly was a little rushed, but they're moving in the right direction. It's our responsibility to keep on Apple to make sure they convert these concepts into actual implementations."

View: Full Story on InfoWorld


72 Comments


It's just like when Vista shipped, lol.
When all the dust settles down, some will stick to Vista, others will go buy a Mac. That's all.

I fail to see your reasoning behind this. Are you saying that users are going to either go Vista or go Mac? When the dust settles, service packs will get released and the OSes will become more stable; until then most people will stick with what works for them, and I definitely can't see all that many people going Mac simply because they don't like Vista.

Sounds a bit like crippleware, having a reduced firewall because you don't expect an attack.
When the attack comes, I hope Apple's ready to rush out those updates to previous OSes.

Look C_Guy, Raid 0, Whocares78,

We get it, you don't like OS X. Big deal, but why the great desire to push your own opinion onto people who don't care about your opinion?

Move on, stop trolling, and don't come crying when someone bashes Vista, because by your actions in here you're just making that more and more likely by being total and utter tosspots.

I never said I don't like OS X. Why would I bother running it, if I didn't like it? What I don't like is the lock in of Apple's hardware. That... and Apple fanatics screaming what they use is the best. That's it.

BTW, I'm not running Vista yet.

RAID 0 said,
I never said I don't like OS X. Why would I bother running it, if I didn't like it? What I don't like is the lock in of Apple's hardware. That... and Apple fanatics screaming what they use is the best. That's it.

BTW, I'm not running Vista yet.

Sorry, but your trolling and bashing of them is just as bad as anything that they do. Take a look in the mirror.

evo_spook said,

Sorry, but your trolling and bashing of them is just as bad as anything that they do. Take a look in the mirror.

I did, you know what I saw? Someone who uses XP, Ubuntu and OS X, all on one 500 dollar PC. It's not my only one.. I have 4 PCs and one iMac... YES THAT'S RIGHT!!! I OWN A MAC! What do I use most? MY PCs, all four of them.

Try this on for size.. You're a mac user on a WINDOWS SITE... what does that make you? Go ahead, I'll wait while YOU look in the mirror.

RAID 0 said,

I did, you know what I saw? Someone who uses XP, Ubuntu and OS X, all on one 500 dollar PC. It's not my only one.. I have 4 PCs and one iMac... YES THAT'S RIGHT!!! I OWN A MAC! What do I use most? MY PCs, all four of them.

Try this on for size.. You're a mac user on a WINDOWS SITE... what does that make you? Go ahead, I'll wait while YOU look in the mirror.

Well, sorry to pee on your parade, but I also have computers that run OS X, Windows XP and Linux. Also, I do recall that the contributors of this site described it as a technology site and not a Windows site; maybe in the past it was, but not anymore.

At least all my machines are legit, unlike your continued boasting of running OS X on a PC.

evo_spook said,

Well, sorry to pee on your parade, but I also have computers that run OS X, Windows XP and Linux. Also, I do recall that the contributors of this site described it as a technology site and not a Windows site; maybe in the past it was, but not anymore.

At least all my machines are legit, unlike your continued boasting of running OS X on a PC.

Pee on my parade? Sorry homie... there's nothing you can do to affect me. From now on, don't say "You hate OS X" when you have no idea what I, or anyone else, uses, unless otherwise stated prior to your post. Get it? Thanks.


Well, Troll, you did the same with me, so follow your own advice and stop your trolling. This would be a lot more pleasant place to be if you stopped thinking it was your right to bash every Mac user just because they happen to like OS X. Hey, you use a PC, you prefer to use it, well done; I prefer to use my Mac most of the time, but I don't feel the need to whine on about it and its users like you do. Inferiority complex you got there?

evo_spook said,
Well, Troll, you did the same with me, so follow your own advice and stop your trolling. This would be a lot more pleasant place to be if you stopped thinking it was your right to bash every Mac user just because they happen to like OS X. Hey, you use a PC, you prefer to use it, well done; I prefer to use my Mac most of the time, but I don't feel the need to whine on about it and its users like you do. Inferiority complex you got there?


Well, I'll give this to you... you did one thing I didn't.... and that's resort to name calling.

I don't have a problem with OS X; I have a problem with people being blinded by marketing hype, to the point they don't feel the need to secure their machines because they are under the false belief their system is so secure. When ltd admits Apple does have some issues and is not perfect, my mission will be complete. Have you read half the comments by the Mac fans on here, defending Apple for their firewall being crap?? You can't defend the fact the firewall is crap, simple as that.

I guess you haven't read a lot of my posts; I hate VISTA too. I guess you assume because we say bad things about Mac we are MS fanboys, and I am not that big a fan of Linux. And I do not claim any OS to be perfect, as Mac fans do around here. XP for me.

Wow, so if you buy a copy of OS X and run it on a PC it's illegal??? You assume a lot, like he pirated OS X; he may have a perfectly legitimate copy.

But to make you happy, let me post the Apple way:

Oh, this is not a problem, why would anyone turn on a firewall on a Mac? It's not like it's Microsoft's insecure crap; no one's ever going to hack my Mac. And it looks really, really pretty.

Well, more Mac hate around here; it's to be expected. First things first, Leopard should have been held back until it was a final product. I went back to Tiger once I played around in Leopard; when Leopard gets the necessary fixes it needs I will go back to it. I do enjoy the new features, but for now I would rather have the more stable OS than the new knick-knacks.

As for Vista, well, I absolutely despise it; nothing about it impressed me. I much prefer XP, but I am so surprised as to why Microsoft and Apple have put out two OSes that weren't ready for release. Leopard isn't as bad as Vista for the first batch of glitches, but come on, I would much rather wait for a final product than get something that isn't ready.

I am a Mac fan, was a PC guy for a while but I was never happy with my PC, but with the Mac I am.
BTW I would really like to see someone make a replica of a Mac for the same price you pay for a Mac, I know you can get the same components cheaper and build a regular PC cheaper, but for myself I much prefer the iMac, everything built into one, if you can duplicate my iMac 20" Intel Core 2 Duo 2.33, 2 gigs ram, 250 GB hard drive, for less than the $1300 I paid, in the same casing with bluetooth, and wireless N, please tell me how.

For the record, Leopard<Tiger, and Vista<XP.

Oh yeah, I can go out and buy a Mac case; I know I can definitely buy a prettier case. Besides the case, I can easily build that for you for about 700, but I will be nice and upgrade it to a quad core 6600 for you, and hell, why not a 500GB HDD? Do you understand the PC I could build for $1300? I am talking dual Raptors in RAID 0, wifi, bluetooth, 22 in monitor, pretty much the best of everything.

But when it comes down to it, you're a Mac user and you want a pretty Apple logo on your pretty case. You got an old iMac case? I am sure I could build a nice PC into that for you.

whocares78 said,
Oh yeah, I can go out and buy a Mac case; I know I can definitely buy a prettier case. Besides the case, I can easily build that for you for about 700, but I will be nice and upgrade it to a quad core 6600 for you, and hell, why not a 500GB HDD? Do you understand the PC I could build for $1300? I am talking dual Raptors in RAID 0, wifi, bluetooth, 22 in monitor, pretty much the best of everything.

But when it comes down to it, you're a Mac user and you want a pretty Apple logo on your pretty case. You got an old iMac case? I am sure I could build a nice PC into that for you.

Why do you care that you could build a 'better' PC for less money? I certainly do not.

What about driver compatibility? What about an easy experience?

People who argue the point about building a better PC for less money are missing the point of Macs... They are easy to use, and don't require hours and hours of messing about to get the thing working.

intosh said,
Why do you care that you could build a 'better' PC for less money? I certainly do not.

I was going on the above comment, which was "BTW I would really like to see someone make a replica of a Mac for the same price you pay for a Mac,"

Read everyone's posts, not just the ones you want to insult.

As for driver compatibility, when I buy hardware I get a driver on a CD; once I finish installing Windows I insert the CD and run it. How easy is that??? If I like, I can even go on the web and update it. Seriously, do you even understand drivers and Windows? I have never had driver problems.

I can build a PC and have it up and running within an hour!! As I said above, you have no idea of installing Windows; maybe you installed 98 years ago and compare all Windows to installing 98, I don't know, but I HAVE installed OS X, and it ain't a lot different. Hell, you select your options and let it run.

All I know is that I have never gotten a virus, security breach or any other problem on my Windows box ever. I run NOD32 and haven't had an issue. Maybe noobs who don't know about phishing or trojans or popup ads and stuff like that, or people that browse porn ads, have nobody to blame but themselves.

Exactly. I was using BearShare one day... and thought to myself... "I'm gonna try to infect my computer." Well, it didn't work. I use ZoneAlarm Suite (I got it for free), and once the file was done downloading... it moved it right into the vault. I didn't even have a chance to open it. I was kinda sad, then happy to know I'd have to do some DRASTIC things to infect my computer.

Oh BTW, I'm running OS X 10.4 on my 500 dollar PC. That includes the LCD screen. Doesn't that just burn you Mac guys? Paid out the anus to run this OS, and I did it for 500 bucks. HAHHAHAHAHHAA. I love my little triple booter! It's so cute! P4 D 2.8 4 Meg cache, 1 GB RAM (dual channel), 5200 256 AGP (OCed) video card, one 160 gig SATA drive, 20 gig ATA drive, DVD burner, DVD player, 17" LCD and a custom case with UV lights inside and LEDs outside. What would that cost you in Mac dollars? 1300, 1400, 1500? (This is my second dual core PC, not my best) :P :P :P :P :P :P :P :P :P

Too bad you (usually) don't know how to build your own computers. Keep justifying that "premium" you all pay.

RAID 0 said,
Exactly. I was using BearShare one day... and thought to myself... "I'm gonna try to infect my computer." Well, it didn't work. I use ZoneAlarm Suite (I got it for free), and once the file was done downloading... it moved it right into the vault. I didn't even have a chance to open it. I was kinda sad, then happy to know I'd have to do some DRASTIC things to infect my computer.

Oh BTW, I'm running OS X 10.4 on my 500 dollar PC. That includes the LCD screen. Doesn't that just burn you Mac guys? Paid out the anus to run this OS, and I did it for 500 bucks. HAHHAHAHAHHAA. I love my little triple booter! It's so cute! P4 D 2.8 4 Meg cache, 1 GB RAM (dual channel), 5200 256 AGP (OCed) video card, one 160 gig SATA drive, 20 gig ATA drive, DVD burner, DVD player, 17" LCD and a custom case with UV lights inside and LEDs outside. What would that cost you in Mac dollars? 1300, 1400, 1500? (This is my second dual core PC, not my best) :P :P :P :P :P :P :P :P :P

Too bad you (usually) don't know how to build your own computers. Keep justifying that "premium" you all pay.

There is this little thing called "taste" that Mac users tend to have...

You certainly seem to be missing the point of it.

Is "taste" slang for "Steve Jobs salary"?

The most expensive part of any Apple product is the apple logo which does nothing but make certain people feel better about how they spent their money.

intosh said,
There is this little thing called "taste" that Mac users tend to have...

You certainly seem to be missing the point of it.

So you mean when someone brings out a PC that looks pretty you will buy one??

From my experience, Mac users like Macs because they are pretty and they look nice on their desks. You proved the point with your taste comment; Mac users don't really care about anything besides the fact it looks pretty.

whocares78 said,

So you mean when someone brings out a PC that looks pretty you will buy one??

From my experience, Mac users like Macs because they are pretty and they look nice on their desks. You proved the point with your taste comment; Mac users don't really care about anything besides the fact it looks pretty.

No. But the guy above basically said his computer was better because it had 'neons'. You interpreted that to mean 'pretty'. I said Mac users have 'taste' which is a different thing altogether.

Actually, you are wrong, Mac users tend to like computers that get the job done, not blind you with blue LEDs and Neons, and case windows, and, oh wait, I forgot what I was doing.

C_Guy said,
Is "taste" slang for "Steve Jobs salary"?

The most expensive part of any Apple product is the apple logo which does nothing but make certain people feel better about how they spent their money.

Steve Jobs Salary? He takes $1 a year thanks.

How much does Bill Gates get paid?

Yep, don't forget we have to protect ourselves against that dangerous Trojan that is got by visiting a porn site, which then asks us to download a file, asks us to mount a file, and then not only needs us to install it but also ASKS US TO GIVE IT ADMIN RIGHTS (PS Windows fans, very few proper apps ask for this in OS X; only certain Apple, Adobe or system alt apps do).

All in all, this reminds me of a red dwarf episode

LISTER: I dunno though. This wooden horse of Troy malarkey, I'm not buyin' that.
RIMMER: It's one of the most famous military maneuvers in history!
LISTER: I mean, the Greeks have been camped outside Troy, kerpowing, zapping, and kersplatting the Trojans for the best part of a decade, yeah?
RIMMER: So?
LISTER: So all of a sudden they wake up one mornin' and the Greeks have gone. And there outside the city walls they've left this gift; this tribute to their valiant foes: a huge wooden horse, just large enough to happily contain 500 Greeks in full battle dress and still leave adequate room for toilet facilities? Are you telling me not one Trojan goes, "Hang on a minute, that's a bit of a funny prezzy. What's wrong with a couple hundred pairs of socks and some aftershave?" No, they don't -- they just wheel it in and all decide to go for an early night! People that stupid deserve to be kerpowed, zapped and kersplatted in their beds! You know what the big joke is? From this particular phase in history we derive the phrase, "Beware of Greeks bearing gifts," when it would be much more logical to derive the phrase, "Beware of Trojans, they're complete smegheads!"
RIMMER: Well, thank you, A.J.P. Taylor.

SirEvan said,
The Apple fanboys (trolls) have been rather silent lately with all this Apple news... maybe they're hibernating.

That's because we've been too busy enjoying the most advanced and awesome OS, Mac OS X Leopard. So I guess it's really you that's trolling, but feel free to continue trying to convince everyone that wildly popular Vista (sarcasm) is worth the upgrade and a smashing success. LOL

internetworld7 said,

That's because we've been too busy enjoying the most advanced and awesome OS, Mac OS X Leopard. So I guess it's really you that's trolling, but feel free to continue trying to convince everyone that wildly popular Vista (sarcasm) is worth the upgrade and a smashing success. LOL :laugh:

Well, if you call the fact you now get bluescreens and your firewall is worse awesome, then you must really love Vista, because that has lots of problems.

AT LEAST WINDOWS USERS CAN ADMIT VISTA IS S^&T. I'd like to see an Apple fanboy admit anything bad about Apple.

All I kept hearing was "Mac OS X is invincible, I don't need antivirus/firewall/anti-spyware like Windows does."

You're mistaken, that's Linux.

I didn't even know Mac OS X had a firewall :P

All I kept hearing was "Mac OS X is invincible, I don't need antivirus/firewall/anti-spyware like Windows does."

Berserk87 said,
I didn't even know Mac OS X had a firewall :P

All I kept hearing was "Mac OS X is invincible, I don't need antivirus/firewall/anti-spyware like Windows does."

Not to worry, you heard right.

(internetworld7 said @ #10.1)
Not to worry, you heard right.

Yeah, the fact proof-of-concept viruses have existed does not indicate an OS was ever vulnerable; in fact it's invincible.

Nothing is invincible.

Vista's firewall is a mess too. The new console is OK, but the new outbound protection is useless (it's disabled by default), because they don't prompt you when a useful program wants to go out; you have to manually add every exe to the rules, making it annoying. The default outbound protection is to block all outbound connections... it's not flexible like the inbound protection.

Anyway, it's better to have something than nothing, and it's still a big improvement over the SP2 Windows firewall. Let's hope that Microsoft adds those improvements and features into SP3.

BTW, something that I really like about a Mac is the network profiler: you can save each profile of TCP/IP settings, let's say one for university, one for work, one for home. Anyway, it's very good. In Vista and XP they only have an alternate profile, making it very limited; you need a 3rd party app to make that work, like NetSetMan or ThinkVantage Access Connections...

While I do agree that it would be great if outbound protection in Vista was more interactive, you can't deny that it's very configurable.

I'm curious to know what services and ports are open on a factory install of Leopard that require a firewall so badly. What services are exploitable?

That's why I use my router's firewall :). All this kind of news came out when Vista was out; it's just the way new OSes are. Wait a few months or so for some update packs, then go out and buy it.

Most consumer firewalls can't do application level control as the XP/Vista and OSX ones can. They usually only do port level filtering.

bucko said,
That's why I use my router's firewall :). All this kind of news came out when Vista was out; it's just the way new OSes are. Wait a few months or so for some update packs, then go out and buy it.

You must not have a laptop.

WTF has this got to do with VISTA? What's wrong with Vista's firewall? I haven't heard of any issues??

"Most consumer firewalls can't do application level control" lies, all lies. Most hardware firewalls, maybe.

"You must not have a laptop." HUH, what is the difference between laptop and desktop when it comes to firewalls?

Don't drag Microsoft into this ****. Windows has had a perfectly fine little firewall ever since XP SP2.

Don't feed the trolls.

When faced with information that differs from their own personal agenda, trolls typically attempt to drive the discussion off topic.

raskren said,
Don't feed the trolls.

When faced with information that differs from their own personal agenda, trolls typically attempt to drive the discussion off topic.


Grr I am a troll...
GGRRRRR

Maybe because there is only so much one can add to an OS that we have reached the point where the newer updates are just rushed out to increase sales, without much thought and testing done on them...

thollian said,
Maybe because there is only so much one can add to an OS that we have reached the point where the newer updates are just rushed out to increase sales, without much thought and testing done on them...

I agree. I say don't fix what's not broken.