Mac OS X Leopard firewall breaks programs
Maybe it wasn't such a bad idea that Apple decided the firewall in Mac OS X Leopard should be deactivated by default. It turns out that the firewall retroactively signs programs added under the "Set access for specific services and programs" setting, and can break program integrity as a result. Complaints have been coming in from users that the VoIP application Skype and the online role-playing game World of Warcraft no longer work after they have been activated in the firewall.
The background to all this is that, in contrast to Tiger, the firewall in Leopard no longer operates at the packet level but rather works with applications, to which it permits or denies specific network activities. In order to unambiguously identify applications, Apple uses code signatures, a mechanism that is itself new in Leopard. Certain applications signed by Apple are automatically permitted to communicate with the network past the firewall without this being shown in the user interface -- even if the firewall is set to "Block all incoming connections".
By contrast, if an application which does not have a valid signature opens a network port, the firewall swings into action. In the "Block all incoming connections" state, it blocks incoming connections to unsigned services and records this with entries such as:
Deny evilserver connecting from 10.10.22.75:60957 uid = 0 proto=6
In the restricted mode ("Set access for specific services and programs"), simply trying to start a service brings up a window asking the user for permission. The user can then allow or forbid this. The system records the choice and enters it into the firewall's exceptions list. To make this possible, the system furnishes unsigned programs with a digital signature in the process. If the program is changed afterwards, the permission is withdrawn.
Code signing becomes a problem when an application performs its own self-integrity check and determines that the file on the hard disk has been changed. The firewall's code signature changes the checksum of Skype's binary on disk:
MD5 (Skype) = 9d7fa7f77b8dc2a3c2ae61737a373c11
MD5 (Skype-org) = 4245cb201a94c76ddcb54b1cc1e58cfa
after which, if the user attempts to start Skype from the command line it displays the following message:
Check 1 failed. Can't run Skype
Users who start Skype from the GUI merely see a dancing symbol which then disappears without further comment. Reinstallation is required to restore the application to normal function.
World of Warcraft players are reporting similar problems. Some are seeing the message, "Unable to validate game version. This may be caused by file corruption or the interference of another program." The game's maker, Blizzard, is clearly aware of the problem, but so far the only available workaround is to reinstall WoW completely.
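The self-integrity check that trips Skype up is, at its core, a comparison of the binary's current hash with a stored baseline. As an added illustration (not part of this article or of Skype's code), the following script records MD5 baselines of application binaries before they are approved in the firewall dialog and reports which ones have changed afterwards; the "Skype" and "Safari" files and the appended signature blob are constructed stand-ins, not real Mach-O binaries or a real signature.

```python
import hashlib
import json
import os
import tempfile

def file_md5(path):
    """MD5 of a file, read in chunks so a large application binary does not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_baseline(paths, baseline_file):
    """Store path -> MD5 for each binary BEFORE it is approved in the firewall dialog."""
    baseline = {p: file_md5(p) for p in paths}
    with open(baseline_file, "w") as f:
        json.dump(baseline, f)
    return baseline

def verify_baseline(baseline_file):
    """Compare each recorded binary with its baseline: 'ok', 'changed' or 'missing'."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    status = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            status[path] = "missing"
        else:
            status[path] = "ok" if file_md5(path) == old else "changed"
    return status

def demo():
    """Constructed scenario (not real binaries): 'Skype' is re-signed after the
    baseline, simulated by appending a signature blob; 'Safari' is left untouched."""
    with tempfile.TemporaryDirectory() as d:
        skype, safari = os.path.join(d, "Skype"), os.path.join(d, "Safari")
        for path, body in ((skype, b"fake Skype body"), (safari, b"fake Safari body")):
            with open(path, "wb") as f:
                f.write(body)
        baseline_file = os.path.join(d, "baseline.json")
        record_baseline([skype, safari], baseline_file)
        with open(skype, "ab") as f:           # the firewall's in-place signing
            f.write(b"<simulated code signature blob>")
        return {os.path.basename(p): s for p, s in verify_baseline(baseline_file).items()}

if __name__ == "__main__":
    print(demo())  # {'Skype': 'changed', 'Safari': 'ok'}
```

A run of `verify_baseline` directly after approving an application in the firewall shows whether its on-disk binary was rewritten, which is exactly the condition under which an application's own integrity check will refuse to start.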
- A second look at the Mac OS X Leopard firewall on heise Security
- Leopard Firewall + Code Signing Breaks Skype (And Other Applications) by Rich Mogull
- New: Apple documents Leopard firewall functionality and holes