Apple patches holes in Leopard firewall
Two and a half weeks after heise Security diagnosed the presence of holes in the Mac OS X Leopard firewall, Apple has released security updates intended to patch some of these holes. In addition, the upgrade to 10.5.1 should also mean an end to possible data loss when moving files between partitions in Finder.
The upgrade addresses three security problems, all affecting the new application firewall. Apple has changed the name of the function "Block all incoming connections" to "Allow only essential services." heise Security had criticised the fact that services were accessible from the outside world with this setting active. In addition, Apple has now severely restricted the number of "essential services". Where previously all services which were running with root privileges were in principle accessible from the outside world, under this setting this is now limited to network infrastructure services like DHCP (configd), Bonjour (mDNSResponder) and IPsec (racoon). heise Security had strongly criticised the fact that previously, despite using the most restrictive firewall settings, services such as the ntpd time server were accessible and therefore open to attack. With this update Apple has reduced the area of exposure considerably - as long as the user activates this option. As before, the firewall is still set to "Allow all incoming connections" by default.
Apple has also made improvements to the setting "Set access for specific services and applications" - also the subject of criticism from heise Security. In this case the firewall will in future ensure that services which run as 'root' are at least no longer accessible where the user explicitly blocks them using a blocking rule. Apple apparently decided not to take the more consistent step of making all applications which are not explicitly specified as exceptions inaccessible from the internet. Therefore, as previously, with this setting active the time server by default remains accessible from the outside world, despite not being included in the list. A simple demo server such as
nc -l 1414
is still accessible from the outside world on port 1414 with, for example, telnet, without the user having set up a rule for the server. Precisely because such services are not included in any list, it will not generally occur to the user to set up explicit blocking rules. Unsigned applications, by contrast, cause the user to be asked whether he wishes the service to be accessible. However, an application can get around this by using the universal network tool netcat, for example, to carry out its communications.
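Because the "Set access for specific services and applications" mode leaves unlisted root services reachable, the practical check is to look at what is actually bound to all interfaces rather than trusting the exception list. The following POSIX shell snippet is an added example, not code from heise or Apple: it parses netstat-style output (the sample below is constructed, not captured from a real Leopard system) and reports every wildcard-bound listener whose port is not in an administrator-maintained allowlist. The allowlist contents and the netstat column layout are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample in the style of `netstat -an -f inet` (not real captured output).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.1414                 *.*                    LISTEN
tcp4       0      0  192.0.2.10.51234       192.0.2.20.80          ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.123                  *.*
udp4       0      0  *.5353                 *.*'

# Ports the administrator has reviewed and accepts (assumed allowlist): ssh and Bonjour.
EXPECTED_PORTS="22 5353"

# Read netstat-style lines from stdin and print "<proto> <port>" for every socket that is
# bound to all interfaces (*.port), is listening (TCP) or unconnected (UDP), and whose port
# is not in the allowlist passed as $1.  Loopback-only binds are ignored.
unexpected_listeners() {
    allow="$1"
    while read -r proto _recvq _sendq laddr _faddr state; do
        case "$proto" in tcp*|udp*) ;; *) continue ;; esac      # skip header/other lines
        case "$laddr" in '*.'*) ;; *) continue ;; esac           # only wildcard binds
        if [ "${proto#tcp}" != "$proto" ] && [ "$state" != "LISTEN" ]; then
            continue                                             # TCP must be LISTEN
        fi
        port=${laddr##*.}
        found=0
        for p in $allow; do
            if [ "$p" = "$port" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s %s\n' "$proto" "$port"
        fi
    done
}

# Stand-alone run over the constructed sample: flags the nc demo on 1414 and ntpd on 123.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED_PORTS"
```

On a live system the sample would be replaced by the real `netstat -an` output piped into the function; anything it reports is a service that the firewall's exception list does not mention and that therefore deserves an explicit blocking rule or a decision to stop it.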
Apple's summary also notes that, for services started by launchd, new rules previously in some cases only took effect after the service was restarted. This should also be fixed by the update. Apple has also addressed the problem with applications such as Skype and World of Warcraft. It now appears to have given up ad-hoc signing of certain third party program files. A test installation of Skype was able to run without errors after setting up a firewall rule -- the program file remained unchanged.
[Update: Further research showed that Apple merely put Skype and a couple of Blizzard games on an exception list of files that must not be signed. That means that the firewall now asks every time you start Skype whether you want it to accept incoming connections.]
The update to 10.5.1 also brings further minor improvements, including in AirPort and Time Machine. Many points on the list are on the significance scale of "iCal alarms are now more reliably delivered via email." But notably, the problem of possible data loss when moving files between partitions has also been fixed.
The update to Mac OS X 10.5.1 is available via the operating system's automatic update function or as a download for manual installation for Mac OS X 10.5 client and server (both update packages are around 110 Mbytes). In view of the fixes and improvements included, users of Mac OS X 10.5 Leopard should install the update as soon as possible.
- About the security content of the Mac OS X 10.5.1 Update (client and server) from Apple
- Leopard with chinks in its armour from heise Security
- Mac OS X Leopard firewall breaks programs from heise Security
- Apple documents Leopard firewall functionality and holes from heise Security