Researcher: Leopard's Firewall is a Mess

The launch of Apple's newest OS, Leopard, has been, to say the least, tinged with negative press, what with reports of bluescreens due to third-party applications and Java incompatibilities. On Friday, Rich Mogull, a security consultant and former Gartner analyst, added more fuel to the fire when he said "[Leopard's] firewall is a mess" after spending two days digging into the new firewall's capabilities. "It's a step back from Tiger's firewall. I was originally pretty bullish on Leopard's security, and I still am on the concepts, but the implementation makes most of its advances ineffective or unusable."

The firewall in Mac OS X 10.5 Leopard uses a bare-bones interface -- earlier this week, Mogull called it "so simple as to be nearly useless" -- that offers users three options: allow all incoming connections, block all incoming connections, and set access for specific services and applications. Unfortunately, the implementation seems fraught with problems. "'Block all' does seem to block actual connections," said Mogull, "but any shared ports are detected as 'open/filtered' on a port scan." And unless users turn on stealth, some services -- Bonjour, Apple's network-device-locating technology, is one -- are seen as open by scans, no matter what firewall setting is selected. Only by using "Block all" with stealth enabled are shared services actually invisible.

Those inconsistencies pale against the firewall's ability to break some applications without warning. When the "Set access" mode is turned on, the firewall digitally signs applications that the user allows to receive incoming communication. Although most firewalls will block a program from running if they detect a change, such as an upgrade to a new version, Mogull discovered that Leopard takes it one step further, blocking applications that change at runtime. Skype, the popular VoIP software and instant messenger, is one such program. If the user has set the firewall to "Set access" and runs Skype, the icon will bounce a time or two on the dock, but Skype will not load. Nor does Leopard tell the user that Skype has failed or why it won't launch. Only the Mac OS X Console gives a clue, with a message such as: 11/2/07 9:47:51 AM [0x0-0x35035].com.skype.skype[399] Check 1 failed. Can't run Skype.

However, Mogull's news isn't all bad. "Fortunately, all of this is fixable," he said. "Apple clearly was a little rushed, but they're moving in the right direction. It's our responsibility to keep on Apple to make sure they convert these concepts into actual implementations."

View: Full Story on InfoWorld
