Holes in Leopard's firewall

Researchers find that setting the Apple firewall to block all incoming Internet traffic doesn't work.

Although Apple is selling its new Mac OS X Leopard operating system on its improved security, researchers at Heise Security have already found fault with its firewall. Unlike with Windows Vista, the Apple firewall is not enabled by default and must be enabled by the end user. Even if you had the firewall enabled in a previous version of the Mac OS X, after an upgrade to Leopard the firewall will again be set to "Allow all incoming connections." It will be disabled.

According to Jürgen Schmidt, editor in chief at Heise Security, if you enable the Apple firewall and set it to "Block all incoming connections," access from the Internet to certain internal system services will still be allowed. As an example, he said that his team was able to query the NetBIOS Naming Service over a Lan network even with full blocking enabled. The team was also unable to specifically enable UDP filtering within Leopard, which should block access to NetBIOS.

Schmidt also faulted Apple for not including the latest versions of open-source applications within Leopard. In August, Charles Miller of Independent Security Evaluators noted the same at the annual Black Hat conference in Las Vegas. The expectation over the summer had been that Leopard would include the most recent version of several open-source applications and protocols.

Within Leopard, Schmidt noted that Apple ships ntpd 4.2.2, while the latest version is 4.2.4, although he admits that it is unclear whether there are any exploitable vulnerabilities here.

That's not the case with Samba, a primary networking protocol. Over the summer Apple did update its Samba package, but not to the most recent version. Leopard ships with version 3.0.025b (same as Tiger). The more recent releases of Samaba, 3.0.25c and 3.0.26a, do include several known bug fixes so it is unclear why Apple did not update Samba within Leopard.

Apple has a longstanding policy about not commenting in public on issues regarding the security of its products.

Featured Video

Behmor's app controlled coffee maker links to the Web for better brewing

The $329 Behmor Connected Coffee Brewer boasts the guts of an SCAA-approved drip coffee maker melded with a Wi-Fi radio, plus Internet links and mobile app control all in the interest of creating better pots of java.

by Brian Bennett