back to article Security site knocks spots off Mac OS X Leopard firewall

It's been a rocky week for security-conscious Mac fans. A rare appearance of a Trojan targeting Mac fans made it out onto the net and the release of Apple's much vaunted Leopard operating system was marred by security concerns about its firewall. Reports of Leopard installs hanging at boot, behaviour compared by some to the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    must ...

    ... resist ... flamebait ...

  2. Hywel Thomas
    Jobs Horns

    Trojan:Nothing to see here. Firewall:Very disappointing

    Mac fan speaks:

    The trojan is well worth reporting, as it's so rare, but this is pretty much impossible to protect against. Same deal as on Windows. A stupid user is a stupid user. Trojans affecting Windows are the user's fault, not the Borg's.

    The firewall is another matter entirely. A bit of a disgrace. I don't think it'll cause any real problems for anyone, but that's not the point, and that's no defence. Disabled firewalls and misleading/shoddy configuration is down to Cupertino badness. Shame on Apple.

  3. Graham Dawson Silver badge
    Alert

    No matter what people say...

    This doesn't prove the "mac is secure because it's more obscure" line of argument taken by the microsoft fanbois. It's built on a very secure operating system, but Apple have made some of the same compromises that Microsoft made, and it's starting to bite them on the arse. I suspect that the security problems in OSX will never reach the nightmare levels they did in Windows simply because apple haven't made as *many* compromises... still, they've made noobish mistakes like putting listening services on open ports without any particular need for it, and running lots of services that just don't need to be run most of the time, so, really, who knows?

  4. Nick

    iPatch

    So, Mac Fanbois; looking forward to 'iPatch mimac' wednesdays?

    Looks like Apple's got to do the same growing up that MS have had to make. Lets just hope those who bought their pacamac's because they looked 'cool' are tech savvy enough to get into this patch and protect process that us Microshaft users are trained for. I do feel sorry for those using both Leopard AND Winblows on the same box, and just hope you're on a relatively unrestrictive data plans. Two sets of fixes is going to eat into anyones allowance.

  5. Nexox Enigma

    Limit of security.

    Security is only useful to the average user up to a point - after that it becomes inconvenient and irritating. Both Windows and OS X can only secure themselves to the point that the users don't get irritated. I suspect that the open ports are just to make the computer more useable with the firewall on.

    That said, I wouldn't really consider connecting a Windows or OS X box to the internet without a Linux firewall in between...

  6. Morely Dotes

    Come on, people! It's not a firewall!

    The software industry has perpetrated yet another falsehood, and tech reporters have (in their mad rush to get down the pub and guzzle a few pints before late-morning traffic makes it difficult to drive to the suburbs before lunch) simplt rearranged a few paragraphs and published the press releases as if they were news.

    A firewall is a device which sits *between* your valued systems and the threats. A piece of software which is running on the same hardware that holds your OS and treasured data is, at best, a burglar alarm; it can tell you if a break-in attempt is made, but it can't keep the burglars from "seeing" your computer(s) altogether.

    Windows, Mac, Linux, Amiga, Acorn, ZX-64... If you want a firewall (and you should, for much the same reason you want a mac and wellies in Winter), buy or build one. I've seen them sold for as little US$30 brand-new. But if what you bought runs o nthe same computer you're trying to protect, you didn't bu ya firewall, no matter what it says on the package.

  7. Anonymous Coward
    Anonymous Coward

    Not really the firewall...

    It's not really the firewall that may or may not be the issue here. It's more the security of the OS behind it.

    Here's hoping that some of these things are fixed in 10.5.1.

  8. Anonymous Coward
    Stop

    On comments about external firewall

    The comments about external firewall are completely misguided. With more and more people connecting to internet at random places, like Starbucks coffee shops or other WiFi hotspots, the old age idea of firewall as "a device which sits *between* your valued systems and the threats" is simply ridiculous.

    And Apple does deserve the ridicule for shipping such crap, and advertising it as security improvements.

  9. Abdul Omar
    Thumb Up

    On firewalls

    A firewall can only be relied on if there is a security infrastructure to support it.

    Until OS X has been relentlessly tested by a credible volume and variety of threats, it can't really be considered safe in any shape or form.

    Microsoft firewalls are inherently safer than Apple's simply because they are subject daily to a barrage of malicious digital intercontinental ballistic weapons, the vast majority of which bounce off an armour hide and fall spent onto the battlefield.

    The OSX firewall on the other hand, spends all its time sunning itself on a beach in its undies smugly thinking how secure it is and "ooooh aren't I shiny and clever" all the while sucking on gay little cocktails topped by a little paper umbrella covered in flowers.

    Wakey wakey! The tide seems to be going out unusually far today.

    And rapidly growing on the horizon is a tsunami of epic proportions, a rolling, sweeping, thundering, killing wave of giant explosive worms, viruses, spyware, malware, adware, google, Trojan horses, rootkits, backdoors, botnets, loggers, dialers and more.

    Mac users be warned.

    Expect no salvation at the latte salon.

  10. Ruben Mannstaedt

    uhm... no

    Actually, software firewalls can stop the burglars from "seeing" your computer altogether, and they have (depending on the firewall) the added benefit of allowing you to specify exactly what communication is ok to go out your computer depending on what program it originates from. A hardware firewall is a good thing to have, sure, but it cannot parse/block communication based on the originating program.

  11. Charlie Clark Silver badge
    Jobs Horns

    Only a week after release

    Why the fuck should we cut Apple some slack over this? Leopard was held back for six months so Apple could release the even less secure Jesus Phone - "hack me, I'm yours" but that is no excuse for this kind of sloppines. Of course, only numpties will have already upgraded without waiting for the security evaluations from respected publications like Heise.

  12. Anonymous Coward
    Anonymous Coward

    WTF is a "hardware firewall"?

    They don't exist and people referring to "hardware firewalls" are fucking idiots. A firewall is SOFTWARE! Where and on what you run that software is a design choice.

    The nearest you'll get to a "hardware firewall" is a brick in your fireplace/chimney.

  13. Ring peanut gallery

    Apple is distracted by two things

    A much more profitable ipod business and the fact that they are trying harder to protect the OS from the consumer than external security issues.

    Apple will fix the "installable on a standard PC" bug first!

  14. Antoinette Lacroix
    Coat

    Who cares ?

    < leans back - pats her BSD boxes - grins.

  15. Graham Dawson Silver badge
    Coat

    @Antoinette Lacroix

    A woman!

    And she's using BSD!

    I don't know whether to propose or run away screaming... wait, already married.

    Taxii!

  16. Anonymous Coward
    Coat

    Windows firewall more secure?

    ...

    <Astonished>

    Abdul..

    .. What did you smoke before sitting at the computer?

    </Astonished>

    On what proven or factual arguments are you basing your assertion?

    If I understand your reasoning an OS gets thougher because it's continuously exploited and not because is well engineered and inherently safer by design?

    Allow me to dissent: I stay with my ***X..

    The fact is:

    a): 90% of Userland won't accept the fact that all they got is a bad piece of engineering and is coming from Redmond.

    b): Adding insult to the injury those poor souls are forced to feed a whole industry of AV leeches and somebody told them is right to do so.

    Would you drive a 30.000 quids car with faulty brakes? And would you buy a 5000 quids "rope-and-anchor-set" in case your right pedal is not responding? For the joy perhaps...Well, Be my guest.

    Mabuse68

  17. Rob Beard
    Jobs Horns

    A woman using BSD

    Correct me if I'm wrong, isn't Darwin based on BSD?

    I bet there are a fair few Mac owners out there who will be upgrading to Jaguar because Steve came to them in a dream and told them they needed to.

    Rob

  18. Igor Mozolevsky

    RE: A woman using BSD

    > Correct me if I'm wrong, isn't Darwin based on BSD?

    The kernel is mach-based, the user-land is BSD based...

  19. David Wilkinson
    Flame

    I hate mac users who

    I like Macs, I think the world would be a better place if the Mac and Linux took market share from MS to the point where A) Microsoft had to work harder to stay competive and B) Software is forced to become more standards oriented to improve cross platform compatibility.

    But I wish the Mac morons who think that the reason that ignorance and/or stupidity must be behind Microsoft's market share should just shut up.

    Ever think that someone who buys a different computer than yours might do so because their wants and needs are different from yours?

    I

  20. Player_16

    @Rob Beard

    Yes Rob you are right. You will win that bet 'on there being a fair few Mac owners upgrading to Jaguar' because that is OS 10.2.

  21. Anonymous Coward
    Flame

    @I hate mac users who

    I appreciate your sentiment, and agree. There seems to be great sport in each baiting the other. But, fun aside, i do take issue with your last statement.

    I have to state that the main reason that someone needs a Windows box is that every else has one and they have one in work, their son/daughter general use it and kknow how to help them with it etc.....

    In most cases of personal use THAT is the reason they need a Windows box. I use XP, Vista and a Mac. it's a seven year old cube running Tiger. It's my personal machine because when I get home, I don't want to faff around with a computers, I do that all day and get paid for it and quite frankly a Windows box requires more fiddling around and looking after than a Mac. Im not a fanboy. I dont like Apple as a company and I certainly don't like their attitude to customers who feel they get short shrift when faults happen. I hate the silence, forum postings deletions etc and personally think Steve Jobs has several physcological issues.

    Now - (BTW - is it just me or isn't it about time we asked Antoinette if she also has the red outfit that surely made its way geek wallpaper success?) - I also like *nix. I set it up and it sits there and works. May not be as easy to install certain items as a windows box but i don't have to worry about it.

    And why do I have a Windows machine? Well my work one has Vista 64 (mistake) running on a dual Turion 64 laptop. It annoys the hell out of me. It's slower than XP. In fact, Vista made me realise just how far XP has come and I even missed it! So my home laptop is a Windows XP box. And you know what? I use it for games. That's right. And it's pretty good. Even if my gaming skills are not. But in everyday use? I can't do it. When you use XP you can feel the OS was amended to help combat the ignorance of the majority of users who don't know when to/not to install a program, click on a link in an email, update vital updates etc. I don't use ignorance as a slur here - the use of computer should not be the domain of those 'in the know' so fine. But, and the stats here I feel would suuport this, those who are 'in the know' for the most part will use a *nix (macs included, why do you think the majority of El Reg staff use Macs? They sure as hell do not get a discount...) based machine. Why? Not just because they dissecting packets for the hell of it, but because they have been burned by Windows in the past. They have seen the results of an insecure (even supposedly secure) Windows machine. They have relatives who phone them up regularly with yet another issue.

    I convinced my parents to get a Mac, not because im all for the Jobs cause and hate Gates, but because I was forever acting as tech support over the phone, and as much as I love my dad, that will try anyones patience. Since he has the Mac the volume of calls has reduced to maybe one every 6 months. His Windows laptop goes mainly unused. Though to be fair it is a Sony......

    So, finally, my point is this....what most people want from a machine is a stable, secure and fast machine. They want it to work. They dont want it to break down, be infected with trojans, have to worry about Virii, have to have a MSCE, or a RHCE to install items and do routine maintenance.

    And like it or not, the Mac fits that profile better than any other commercial and free offering. I don't like it. I hate monopolies. When my cube finally dies i'll get another second hand older mac to run my day to day stuff. My laptop, when I have exhausted BF1942/been banned from every server, will have either gentoo, ot fedora or Ubuntu. Hell maybe even BSD...be a great* way to start chatting up Antoinette! "Wanna see my Kernel?"

    Disagree with me? Look out for Benny the destroyer and just shoot me. Why not, everyone else does..

    *for a given value of great.

  22. Antoinette Lacroix
    Happy

    @ Ben

    I can see your point, but:.

    There are the ones that use Windows, and never have a problem, because they use it as the vendor has set it up, and don't fiddle with it. If one is "in the know" it doesn't matter what OS one uses. It only gets critical if $USER "thinks" he knows everything just because he knows how to use applications. I don't think the majority of *nix users are more tech savvy than the average Windows user. Lots of Linux users use the OS just because it isn't Windows, and don't have the foggiest how it works. How else would you explain all the bashing between Linux fanboys ? If they had a clue, they'd know that their (vanilla) Kernels and Userlands are almost identical. Browse a random Linux forum and you'll see that most of them want "Howtos". 1% does the work and the rest happily copy/pastes away, without knowing what they're actually doing.

    Btw,

    I show you my Kernel anytime, you might even have a peek at my *.conf files. And no, I'm not in the possession of the "red outfit", but I occasionally wear those illuminated plastic horns.

  23. Anonymous Coward
    Coat

    @Antoinette

    mmmm

    I have yet to find an XP, yet alone vista, install that works well striaght from the vendor, especially with all the 'Valueware' they also seem to install.

    I can agree with you about the linux users though.

    You can nmap me anytime!

    *goes for a lie down*

  24. Joe

    I'm confused

    How does this affect my ZX81?

  25. Lance McGrath
    Thumb Down

    Poor reporting

    It's rather sad how many times this article has been referenced in the media. I've really lost a lot of respect for the guys at Heise after this show.

    Two major factors stand out: first, these guys apparently don't know how to read nmap output. Go look at the manual and you'll find out that open|filtered is NOT cause for concern, and does not mean the machine is allowing you access to that port. You could argue that it's not the best design decision on Fyodor's side, but that output does not indicate a flaw in the OS X firewall.

    Secondly, it appears that they ran some of their tests from the local machine itself! Looking at my own MacBook's routing table, I see:

    192.168.10.185 127.0.0.1 UHS 0 214 lo0

    The IP of my wireless interface is routed out the loopback interface. Loopback interfaces, which are virtual, typically are not firewalled, *as they can only be accessed from within the machine itself*. So, flawed testing. Of course things appear open when you test on an unfirewalled interface.

    Finally, I don't recall ever seeing anything where the OS X firewall is supposed to block outbound connections. Maybe it's a good idea, maybe it's not, but it's "failure" to do so hardly seems like a major concern to me.

    I'll stick with my mac, and get my security news from somebody who knows what he or she is talking about, thanks.;-)

  26. Anonymous Coward
    Alert

    Oh c'mon Apple . . .

    Firewall not on by default??! Holes??! Oh wait -- you we able to slick up the Dock though. OK. I feel better (*shaking head in disgust*)

    Asses.

  27. Hamish Blair
    Jobs Halo

    Respect, man!

    I agree:

    Ever think that someone who buys a different computer than yours might do so because their wants and needs are different from yours?

    That's why I use a Mac, not a PC!

  28. Pascal Monett Silver badge

    @John Naismith

    Since no one has picked that up, and you seem to not know, I have to point out that a "hardware" firewall is typically a router with firewall code packed into one of the chips - in the hardware, so to speak.

    The main advantage of that is that there is simply no way for a hacker to "overwrite" the code. If there is no flaw in the code (and firewalls have had much experience by now - any flaw is quickly found), then there is simply no way to subvert it.

    What is commonly named a "software" firewall is the app you have sitting in your Taskbar. It can be more or less well written, it can function better or not, but one thing is sure : it IS open to getting hacked from other components of the PC it's running on (especially if the user is of the run-any-attachment-I-get kind).

    I have a hardware firewall and my PC has anti-spyware and anti-virus monitors. I have yet to be infected by anything (but I think before I open an attachment), and my PC is not part of a botnet either. I think that is a pretty good reason to keep one.

  29. Anonymous Coward
    Joke

    aaaaaaaaaah ja!

    All I know is, I left my mac 10.4.x without a firewall in the DMZ for 4 months, non-stop .... I use it as an nfs file server (local net only) and web server in home network ... although I got quite a few idiots attempting to log on via ssh, nobody ever got in, as far as I can tell ... Ok, I change my password at least once a month with [a-z]+[A-z]+[1-9]+ in it, and not replacing i's with 1's etc but, i doubt a windows box could survive that! Firewall, never used it on my mac ... what for? And, if you want to try and hack me, my IP is 127.58.165.28

  30. Anonymous Coward
    Thumb Down

    @Mabuse68

    You're feeding the troll, mind yourself!

    @Pascal - you know when you update the firmware on your firewall? That's how you overwrite the code...

    I'm not sure why a perimeter firewall would be any more secure than just a NAT'ing ADSL router that doesn't map inbound connections, for round the house use.

    @127.58.165.28 - hacked you easily. Just check, I set your system up just how I like it... ;-)

  31. Simon Powell

    Let's be honest

    Hand on heart, hwo many Leopard machines nowadays are not going to be behind either a corporate firewall or at worst a home user one? I think people are just looking at a way to get at Apple in the same way we so salaciously do with Microshaft. This isn't quite the apocalyptic bug that folks are trying to make it out to be. Also you can bet your bottom dollar that this will be addressed a lot quicker than if Redmond's supremely talented chimps were 'fixing' it.

  32. Rich Turner

    How many Leopards are not going to be behind a firewall?

    Simon - when did you last visit a Starbucks and see all the Steve diciples pretending to study whilst posing with their iMac, iPod, iPhone and iLatte?

    Morely: Almost all firewall devices are simply cut-down machines with a CPU, some RAM, a network card and some form of NV storage upon which the OS & software is stored. ALL of them are driven by software that defines their function as firewalls. All of them are updateable otherwise you'd need to throw the tin away once every couple of months as the manufacturer released improvements and enhancements. Running well engineered firewall software on your machine is (for most people) as good as running a separate physical firewall device since that software should put a hard boundary between the outside world's network and the user's environment.

    I think that what the researchers were pointing out is a valid weakness in Apple's current firewall in that it can't easily arbitrate traffic based on whether the network the user is connected to is a trusted network (e.g. home or work) or an untrusted network (e.g. Starbucks, hotel, airport, etc). I'm sure they'll get around to fixing this, but I agree that it's something of a glaring omission which could well result in an increasing number of diciples getting smacked by a hacker.

    As MacOS increases in popularity, Apple is going to have to start taking security seriously as serious hackers don't tend to attack a weakness because of religious or idealogical positions - they tend to do it for noteriety and/or "to prove it can be done", and/or for personal gain.

    Only time will tell if Apple have the maturity and ethics that result in them doing the right thing.

This topic is closed for new posts.