In association with heise online

Risk

Whether the accessible services currently represent a security risk is hard to judge. It is nevertheless cause for concern that Apple ships versions of open source software in which bugs have already been found and documented by the upstream developers. Apple uses ntpd 4.2.2, whereas the current release at the time of writing is 4.2.4. It is not clear whether any of the intervening bug fixes are relevant in this scenario, nor whether Apple has back-ported fixes from the more recent versions. The same applies to the Samba package (3.0.25b-apple), whose successor releases 3.0.25c and 3.0.26a contained numerous bug fixes.

Both system services run as root and do not appear to be confined by Leopard's new sandbox facility. If a security problem that can be exploited remotely to inject and execute code is found in either of them, an attacker would gain complete control of the system, with all the consequences this entails, right up to mass distribution via a worm.

Workarounds

At present, in order to block access to these system services, users must either disconnect the network cable or fall back on the tried and tested BSD ipfw packet filter. It is still present in Leopard, but by default it is configured to pass everything: the only active rule is the built-in catch-all that allows all traffic:

$ sudo ipfw list
65535 allow ip from any to any

Users who have already put together a well-honed set of ipfw rules are well advised to continue to use it under Leopard. However, a tutorial on how to generate such a rule set lies outside the scope of this article.
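As an added example that is not part of the original article, the following shell script assembles such a rule set for Leopard's ipfw: incoming packets are denied by default, connections the Mac itself initiates are allowed statefully, and an optional LAN prefix can be excepted so that Bonjour and SMB remain reachable from the local network while ntpd and Samba are closed to the internet. It also contains a small check that recognises the permeable default shown above from `ipfw list` output. The rule numbers, the LAN prefix, the script name and the function names are assumptions of this example; the rule syntax is that of ipfw(8) as shipped with Mac OS X 10.5.

```shell
#!/bin/sh
# Added example, not from the article: a default-deny inbound ipfw rule set
# for Mac OS X 10.5 (Leopard) plus a check that tells a permeable `ipfw list`
# from a restrictive one. Rule numbers and the LAN prefix are assumptions.

# Print the rule set. Optional $1 is a LAN prefix (assumed, e.g. 192.168.1.0/24);
# when given, Bonjour (5353/udp) and SMB (137-139,445) are reachable from that
# network only. Without it, those services are closed to everyone.
leopard_ipfw_rules() {
    lan="${1:-}"
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 check-state
add 00400 allow tcp from me to any out keep-state
add 00500 allow udp from me to any out keep-state
add 00600 allow udp from any 67 to any 68 in
add 00700 allow icmp from any to any icmptypes 0,3,11
EOF
    if [ -n "$lan" ]; then
        printf 'add 01000 allow udp from %s to any 137,138,5353 in\n' "$lan"
        printf 'add 01100 allow tcp from %s to me 139,445 in\n' "$lan"
    fi
    # Everything not matched above, including ntpd (123/udp) and Samba reached
    # from the internet, is dropped and logged; built-in rule 65535 is never hit.
    echo 'add 65000 deny log ip from any to any in'
}

# Read `ipfw list` output (or the rule set above) on stdin and succeed when the
# firewall passes everything, i.e. no deny-type rule precedes the catch-all.
ipfw_is_permeable() {
    ! grep -Eq '^(add )?0*[0-9]+ +(deny|drop|reset|unreach) '
}

# Load the rule set (needs root). -f skips the confirmation prompt for flush.
# ipfw rules are not persistent; this has to run again at every boot.
apply_leopard_ipfw_rules() {
    sudo ipfw -f flush
    leopard_ipfw_rules "$@" | while read -r rule; do
        # Word splitting of $rule is intended: each line is one ipfw command.
        sudo ipfw -q $rule
    done
}

# Usage:  sh leopard-ipfw.sh                      # print the rule set
#         sudo sh leopard-ipfw.sh apply [lan]     # load it (lan is optional)
case "${1:-show}" in
    apply) shift; apply_leopard_ipfw_rules "$@" ;;
    show)  leopard_ipfw_rules ;;
esac
```

Two caveats worth keeping in mind: `keep-state` on the outbound rules is what lets replies to the Mac's own NTP, DNS and TCP connections back in, so the DHCP rule is the only stateless inbound exception, and the rule set is lost at reboot, so it needs to be reloaded from a startup job. Adding `8` to the icmptypes list makes the machine answer pings again; an `allow tcp from any to me 22 in` rule in front of 65000 reopens SSH.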

The verdict

The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto.

Apple is displaying a casual attitude to security questions here that strongly recalls Microsoft's four years ago. Back then Microsoft was shipping Windows XP with a firewall which was deactivated by default and was sometimes deactivated again when updates were installed. System services representing potential entry points for malware were likewise reachable on the internet-facing interface by default. Despite years of warnings from security experts, the prevailing attitude was that security must not get in the way of the great new networking features.

Then along came worms such as Lovsan/Blaster and Sasser, which rapidly infected millions of Windows computers via security vulnerabilities in system services and caused damage running into the millions. Even today, an unpatched Windows system without an active firewall is infected within a matter of minutes. Microsoft has since learnt its lesson: a serviceable firewall, activated by default, has been included since Service Pack 2, and in the standard configuration no services on a Windows system are reachable from the internet. (ju)

Update:
Apple has issued security patches to address the issues raised in this article. See: Apple patches holes in Leopard firewall

Permalink: http://h-online.com/-747217