Old Oct 29, 2007, 10:12 PM   #1
rpp3po
Serious flaws discovered in Leopard's firewall

You wouldn't even believe Microsoft to be so stupid as to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw that even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):

Quote:
The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto.
Old Oct 29, 2007, 10:19 PM   #2
Warbrain
Quote:
Originally Posted by rpp3po View Post
You wouldn't even believe Microsoft to be so stupid as to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw that even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):
It's no surprise. I loved the old firewall, this firewall is awful. It doesn't work right. Little Snitch is better than it.
Old Oct 29, 2007, 10:21 PM   #3
vansouza
The sky is falling...

Quote:
Originally Posted by rpp3po View Post
You wouldn't even believe Microsoft to be so stupid as to expose open services (and even NetBIOS!!) to the internet when the firewall is set up to block ALL traffic. No kidding, Leopard does. Though there is no proof-of-concept exploit yet, that's a totally unnecessary design flaw that even a freshman CS student wouldn't be allowed to turn in.

From the article (German heise magazine):
Thank God for hardware firewalls.
Old Oct 29, 2007, 10:41 PM   #4
flyinmac
Quote:
Originally Posted by vansouza View Post
Thank God for hardware firewalls.
I wonder what degree of hardware firewall you would need to compensate.

Would a standard router with NAT work?

Or, would you actually need a router with a specific firewall to compensate?
Old Oct 29, 2007, 10:45 PM   #5
flopticalcube
Quote:
Originally Posted by flyinmac View Post
I wonder what degree of hardware firewall you would need to compensate.

Would a standard router with NAT work?

Or, would you actually need a router with a specific firewall to compensate?
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right.
Old Oct 29, 2007, 10:53 PM   #6
flyinmac
Quote:
Originally Posted by flopticalcube View Post
I have an AEBS. It has a hardware firewall and it sucks. Apple can't even do hardware firewalls right.
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
Old Oct 29, 2007, 10:55 PM   #7
flopticalcube
Quote:
Originally Posted by flyinmac View Post
I have a Linksys Router with a Hardware Firewall in it. I wonder if that is adequate, or if the Leopard issue would create an open door.

It's a BEFSX41 Labeled as a Broadband Firewall Router.

I've previously configured it, and it seems to have passed the online scanners. So, hopefully it will close the door that Apple is opening.
That should be more than adequate.
Old Oct 29, 2007, 10:58 PM   #8
flyinmac
Quote:
Originally Posted by flopticalcube View Post
That should be more than adequate.
I sure hope so
Old Oct 29, 2007, 11:03 PM   #9
Sun Baked
Anybody turn on the advanced settings, use stealth, then look at the logs a while later.

Edit: I miss the dead SPI enabled router.
Old Oct 29, 2007, 11:09 PM   #10
flyinmac
Quote:
Originally Posted by Sun Baked View Post
Anybody turn on the advanced settings, use stealth, then look at the logs a while later.

Edit: I miss the dead SPI enabled router.
From reading the article, I couldn't tell.

SPI, I seem to recall something about that when I was researching my router / firewall purchase. Seems it was a feature of the Linksys Router if I remember correctly. But, then I could just be mixing things up at the moment.
Old Oct 29, 2007, 11:15 PM   #11
iJawn108
Quote:
Originally Posted by flyinmac View Post
I sure hope so
turn off Universal Plug n' play
Old Oct 29, 2007, 11:18 PM   #12
flyinmac
Quote:
Originally Posted by iJawn108 View Post
turn off Universal Plug n' play
I believe I did do that. I spent hours comparing the settings with descriptions of what they did on the Internet. Hopefully I got everything.
Old Oct 29, 2007, 11:24 PM   #13
motulist
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?
Old Oct 29, 2007, 11:28 PM   #14
flyinmac
Quote:
Originally Posted by motulist View Post
Are they saying the OS X firewall has always been terrible, or that 10.5 is a brand new firewall under the hood and it replaces a very good firewall that was in 10.4?
It sounds to me like they are saying that 10.5 is worse. But, I could be wrong.
Old Oct 29, 2007, 11:37 PM   #15
Daiden
Well this is somewhat disappointing.
Old Oct 30, 2007, 12:01 AM   #16
weaverra
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???

Last edited by weaverra; Oct 30, 2007 at 12:17 AM.
Old Oct 30, 2007, 12:19 AM   #17
flyinmac
Quote:
Originally Posted by iJawn108 View Post
turn off Universal Plug n' play
Just double-checked, and I did have that disabled already. So, hopefully I'm protected.

I just updated my firmware to the latest revision (on the router / firewall). I was one revision behind there.

And, I just went back through my settings, and all looks good there.

So, hopefully Leopard won't open the door on me.

Quote:
Originally Posted by Daiden View Post
Well this is somewhat disappointing.
Yes. If this is true, then Leopard will definitely be a let-down there.

Quote:
Originally Posted by weaverra View Post
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?

Edited: I did a port scan on my local network with the firewall on block all and stealth and it would not pick up anything until the very second I allowed all incoming connections. Am I missing something here???

Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
Last edited by devilot; Oct 30, 2007 at 12:39 AM. Reason: Merged THREE posts; PLEASE use "Edit" and/or "Multi-Quote"
Old Oct 30, 2007, 12:21 AM   #18
Sun Baked
Quote:
Originally Posted by weaverra View Post
Has anyone else tested this? I'm not so quick to jump on this one yet. Why has it taken this long to figure this out?
He harped on netbios, then said that came from the Samba package.

I looked and have Bonjour and the time server open.
Old Oct 30, 2007, 12:25 AM   #19
flyinmac
Quote:
Originally Posted by Sun Baked View Post
He harped on netbios, then said that came from the Samba package.

I looked and have Bonjour and the time server open.

Hesitant to read between the lines... What is your belief based on your observations?
Old Oct 30, 2007, 12:28 AM   #20
weaverra
Quote:
Originally Posted by flyinmac View Post
Did you do this in the new Leopard (10.5)? Or, were you in Tiger (10.4.x)?
Leopard (10.5) I'm no security expert but from what I gathered something should have showed up according to their claim.

00:19 is when I allowed all incoming connections


Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:56 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:57 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:58 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:16:59 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:00 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:01 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:03 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49202 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49204 uid = 0 proto=6
Oct 30 00:17:07 bobby-weavers-macbook-pro-15 Firewall[40]: Deny smbd connecting from 192.168.x.xxx:49203 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 bobby-weavers-macbook-pro-15 Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 bobby-weavers-macbook-pro-15 Firewall[40]: Stealth Mode connection attempt to UDP 192.168.x.xxx:49429 from 66.82.x.x:xx
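Added example (not part of weaverra's post or of the thread): a small Python parser for the `Firewall[...]` log format shown in post #20. It separates per-application Allow/Deny lines from Stealth Mode lines and counts distinct denied source endpoints, so repeated lines for the same source port are not read as separate connections. The sample lines are constructed in the same format with documentation-range addresses, and the year given to the timestamp parser is an assumption because the log lines carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format of the post; addresses are documentation ranges.
SAMPLE = """\
Oct 30 00:16:56 host Firewall[40]: Deny smbd connecting from 192.0.2.10:49202 uid = 0 proto=6
Oct 30 00:16:56 host Firewall[40]: Deny smbd connecting from 192.0.2.10:49203 uid = 0 proto=6
Oct 30 00:16:57 host Firewall[40]: Deny smbd connecting from 192.0.2.10:49202 uid = 0 proto=6
Oct 30 00:19:06 host Firewall[40]: Allow cupsd listening from :::631 uid = 0 proto=6
Oct 30 00:19:06 host Firewall[40]: Allow cupsd listening from 0.0.0.0:631 uid = 0 proto=6
Oct 30 00:21:18 host Firewall[40]: Stealth Mode connection attempt to UDP 192.0.2.20:49429 from 198.51.100.7:53
"""

# Patterns derived only from the three line shapes visible in the post.
PREFIX = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ Firewall\[\d+\]: (.*)$")
APP = re.compile(r"^(Allow|Deny) (\S+) (connecting|listening) from (\S+):(\d+) "
                 r"uid = (\d+) proto=(\d+)$")
STEALTH = re.compile(r"^Stealth Mode connection attempt to (\w+) (\S+):(\d+) from (\S+):(\d+)$")

def parse(text, year=2007):
    """Turn Firewall log lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        app, stealth = APP.match(m.group(2)), STEALTH.match(m.group(2))
        if app:
            action, proc, verb, addr, port, uid, proto = app.groups()
            events.append({"when": when, "kind": action.lower(), "proc": proc, "verb": verb,
                           "addr": addr, "port": int(port), "uid": int(uid), "proto": int(proto)})
        elif stealth:
            l4, dst, dport, src, sport = stealth.groups()
            events.append({"when": when, "kind": "stealth", "l4": l4,
                           "dst": (dst, int(dport)), "src": (src, int(sport))})
    return events

def summarize(events):
    """Line counts per (kind, process), distinct denied endpoints, allowed listeners."""
    lines = Counter((e["kind"], e.get("proc", "-")) for e in events)
    denied = defaultdict(set)
    for e in events:
        if e["kind"] == "deny":
            denied[e["proc"]].add((e["addr"], e["port"]))
    listeners = {(e["proc"], e["addr"], e["port"]) for e in events
                 if e["kind"] == "allow" and e["verb"] == "listening"}
    allows = [e["when"] for e in events if e["kind"] == "allow"]
    first_allow = min(allows) if allows else None
    late_denies = sum(1 for e in events
                      if e["kind"] == "deny" and first_allow and e["when"] > first_allow)
    return {"lines": lines, "denied_endpoints": {p: len(s) for p, s in denied.items()},
            "listeners": listeners, "first_allow": first_allow, "late_denies": late_denies}

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(key, value)
```
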
Old Oct 30, 2007, 12:36 AM   #21
Peace
This guy/site doesn't understand the Leopard firewall..
Old Oct 30, 2007, 12:42 AM   #22
Sun Baked
Quote:
Originally Posted by flyinmac View Post
Hesitant to read between the lines... What is your belief based on your observations?
They said Apple allows every process started by the user into the exceptions list ... even if you run a trojan.

Almost sounded like they stayed there til you restarted.

Which is basically how all Apple firewalls are typically punched in the contests, getting at them through stuff the user runs.
Old Oct 30, 2007, 03:41 AM   #23
Detektiv-Pinky
Quote:
Originally Posted by Peace View Post
This guy/site doesn't understand the Leopard firewall..
This is entirely possible. However, I honestly think that the apple firewall is not an easily usable and confidence inspiring product. And it is turned 'OFF' by default!

I do not know the English version of the UI, but in the German version Apple tells you that 'normally the OS is choosing for which programs it allows incoming connection', that is not something I want my firewall to do.

So if you have in-depth knowledge of the workings of the Mac OS X firewall, maybe you like to share it with us.
Old Oct 30, 2007, 05:15 AM   #24
boz0
Quote:
Originally Posted by flyinmac View Post
I have a Linksys Router with a Hardware Firewall in it.
This is nonsense.

To begin with, there's no such thing as a "hardware firewall". A better (and commonly used) designation is "appliance". A firewall appliance is a dedicated box, running an OS (in many cases a tweaked Linux or *BSD, though there are of course many other possibilities, like IOS on Cisco firewalls), on top of which the actual firewall software sits.

Now, assuming you call a "hardware firewall" any kind of dedicated firewall appliance, well, obviously, since your wireless router does wireless routing, it's not a dedicated firewall, is it?

That said, whether you have a dedicated firewall box or not, it's the quality of the firewall software that has to be taken into account. It's always a very bad idea to make a product insecure by default. Microsoft has been bashed repeatedly for that, and so should Apple!

However, I'm not yet ready to believe that their firewall is as flawed as the article says. I'll have a look in a couple days!
Old Oct 30, 2007, 05:19 AM   #25
joelovesapple
Thanks for the info. I'll be keeping my eye out for a software update to combat this problem.