Cracks in the Mac OS X Leopard firewall
In the course of functional testing, heise Security has discovered a series of problems and peculiarities in the way the firewall in Apple's new operating system behaves. These may have an effect on system security. As with previous versions, by default the firewall in Mac OS X Leopard is deactivated. But even if the user activates it manually, the system is far from sealed off.
The major purpose of a firewall is to refuse access to uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the internet or wireless networks. However, the Leopard firewall fails miserably in this respect. In tests carried out by heise Security it was possible to communicate remotely with the time server even with the firewall set to "Block all incoming connections", and even when the Mac was directly connected to the internet via a DSL connection. The time server is started automatically by the system. In wired LANs, the NetBIOS name server from the Samba package is also active and, despite the firewall, accessible.
With the configuration set to the more flexible "Set access for specific services and applications", the firewall even allows access to arbitrary services started by the user -- regardless of whether or not they are in the list of shared services. Therefore a trojan horse could open a backdoor that is accessible over the internet despite the firewall being activated.
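The practical consequence of the behaviour described above is that the firewall setting alone says nothing about which services are actually reachable; the only reliable check is to enumerate the sockets that are bound to all interfaces on the host itself. The following script is an added example written for this article, not code from heise Security or Apple. It parses the output of `lsof -nP -i` (the format assumed here is the one lsof prints on Mac OS X, with the NAME column holding `<proto> <address>:<port>`) and reports every TCP listener and unconnected UDP socket bound to a wildcard address. The sample output embedded in the script is constructed to mirror the services the article names, ntpd on UDP 123 and the Samba NetBIOS name server nmbd on UDP 137, and was not captured from a real machine.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `lsof -nP -i` output on a Mac OS X host, modelled on
# the services named in the article (ntpd on UDP 123, nmbd on UDP 137).
# It is not captured from a real machine.
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
ntpd      45 root    4u  IPv4  0x0001      0t0  UDP *:123
ntpd      45 root    5u  IPv6  0x0002      0t0  UDP *:123
nmbd      88 root    6u  IPv4  0x0003      0t0  UDP *:137
cupsd     90 root    8u  IPv4  0x0004      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     90 root    9u  IPv6  0x0005      0t0  TCP [::1]:631 (LISTEN)
sshd      97 root    3u  IPv4  0x0006      0t0  TCP *:22 (LISTEN)
sshd      97 root    7u  IPv4  0x0007      0t0  TCP 192.0.2.10:22->192.0.2.20:51234 (ESTABLISHED)
"""

# NAME column: "<proto> <addr>:<port>", optionally followed by "->peer" for a
# connected socket and "(STATE)" for TCP. The address class excludes '>' so
# that the peer part is never swallowed into the local address.
_SOCKET_RE = re.compile(r"\b(TCP|UDP)\s+([^\s>]+):(\d+)(->\S+)?(?:\s+\((\w+)\))?\s*$")

# Addresses lsof prints for a socket bound to every interface.
WILDCARD_ADDRS = {"*", "0.0.0.0", "::", "[::]"}


def parse_listeners(lsof_text: str) -> List[Tuple[str, str, str, int]]:
    """Return (command, proto, bind_addr, port) for every socket that accepts
    unsolicited traffic: TCP sockets in LISTEN state and unconnected UDP sockets."""
    listeners = []
    for line in lsof_text.splitlines():
        m = _SOCKET_RE.search(line)
        if not m:
            continue  # header line or a non-socket entry
        proto, addr, port, peer, state = m.groups()
        if peer:
            continue  # connected socket, not a service waiting for input
        if proto == "TCP" and state != "LISTEN":
            continue
        command = line.split()[0]
        listeners.append((command, proto, addr, int(port)))
    return listeners


def exposed_services(lsof_text: str) -> List[Tuple[str, str, int]]:
    """Listeners bound to a wildcard address, i.e. reachable from any attached
    network unless the host firewall actually blocks them. Deduplicated across
    IPv4/IPv6 sockets and sorted for stable output."""
    found = {
        (cmd, proto, port)
        for cmd, proto, addr, port in parse_listeners(lsof_text)
        if addr in WILDCARD_ADDRS
    }
    return sorted(found)


def live_lsof_output() -> str:
    """Run lsof on the local machine (root is needed to see other users' sockets)."""
    return subprocess.run(
        ["lsof", "-nP", "-i"], capture_output=True, text=True, check=False
    ).stdout


if __name__ == "__main__":
    # Swap SAMPLE_LSOF for live_lsof_output() to audit the machine this runs on.
    for cmd, proto, port in exposed_services(SAMPLE_LSOF):
        print(f"{cmd:<12} {proto} {port}")
```

On the constructed sample the report lists nmbd, ntpd and sshd; cupsd is omitted because it is bound to loopback only. Anything that appears in this list on a host whose firewall is set to "Block all incoming connections" should then be confirmed from a second machine on the same network, since, as the tests above show, the listener being present is not by itself proof that the firewall is or is not filtering it.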
Whether or not the accessible services represent an acute security problem is hard to judge. The fact that Apple ships versions of open source software in which bugs have already been found and documented by the developers is cause for concern. Apple uses version 4.2.2 of ntpd, whereas the current version is 4.2.4. It is not clear whether Apple has fixed any relevant bugs in this version or back-ported fixes from more recent versions.
Prior to Service Pack 2, the Windows XP firewall was also deactivated by default and it was possible to access system services from the internet. Only after the emergence of worms such as Lovsan/Blaster and Sasser, which rapidly infected millions of Windows computers via security vulnerabilities in system services, did Microsoft change this.
- A second look at the Mac OS X Leopard firewall by heise Security