
Bloke says Leopard's firewall is pants

Oh, is it really?
Wed Oct 31 2007, 07:32

A REVIEW of the Mac OS/X 10.5 Leopard firewall found it deficient in every area tested.

This is surprising, because the Cupertino fruit company touted its improved security as an important feature to sell Leopard to all those Mac fans who have been besieging Torrent sites and drooling over their first-day FedEx packages.

The review lays it on the line right from the start, beginning: "The most important task for any firewall is to keep out uninvited guests. In particular, this means sealing off local services to prevent access from potentially hostile networks, such as the internet or wireless networks. But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this."

Well, yes and no. A careful reading of the review yields a mixed assessment of its validity. Some criticisms seem valid, but others appear to stem from misapprehensions. We'll walk through it and identify which concerns appear correct and where the review went astray.

The first concern, and perhaps the most troubling, is that "...the Leopard firewall settings fail to distinguish between trusted networks, such as a protected company network, and potentially dangerous wireless networks in airports or even direct internet connections. Leopard initially takes the magnanimous position of trusting all networks equally." If true, this is a troubling sign of an overly simplistic approach to firewalling any current system.

But, given other problems found in this review, it's possible that the reviewer either didn't search properly for or somehow overlooked firewall capabilities that are actually present.

It proceeds to detail every fault it found through functional testing. The next issue is that Leopard's firewall is disabled by default, that is, it will "Allow all incoming connections."

It goes on, "Worse still, a user who, for security purposes, has previously activated the firewall on his or her Mac will find that, after upgrading to Leopard, the system restarts with the firewall deactivated." This is a usability versus security issue about default trust.

Presumably if a user sets up services such as Secure Shell or Samba file sharing, they will know enough to configure the firewall before connecting it to the Internet. Conversely, an ordinary user who doesn't set up shared resources should be able to trust that the services exposed to the network by default are trusted or incapable of malicious manipulation.

So the first thing the user must do is (re)activate the firewall. To do this, under the menu "System preferences / Security", Mac OS/X shows the user the list of shared resources that they set up while installing or upgrading to Leopard. The user can either allow or disallow external access to server resources like, for example, Secure Shell "Remote login" (SSH).

One would think the firewall would honour the user's selections as to what services should be visible to external visitors. But no, as the reviewer writes: "...initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence but clearly sees no reason to prevent it."

Apple clearly assumes that, if the user starts a service, they mean to make it available to the world, overriding firewall settings. As the reviewer notes, "This would, however, also apply to a trojan, covertly setting up a backdoor on the system." This is a serious flaw.

The reviewer alleges that Leopard makes some services available that aren't listed in its firewall settings or shown by its graphical front-end under "System preferences / Sharing". On the reviewer's system, these services included the Zeroconf service "mDNSresponder" and the time service "ntp", plus the two NetBIOS services "netbios-ns" and "netbios-dgm".

The reviewer claims that Zeroconf broadcasts what services are available. What Zeroconf mostly does is provide local DNS and DHCP services and access to shared printers over a LAN. Yes, it can also advertise things like VoIP gateways and chat servers, and so on, but if a user is setting up services like those, presumably they will know what they are doing. Zeroconf isn't a security concern. It doesn't offer useful default external Internet services.

He also claims that the firewall quietly permitted access to all of the services listed. Yikes!

But not really. The ntp service keeps time and it's mostly an outbound query function, but if asked it will return the system time, that's all. Sure, there are ways to mis-configure it such that other systems can mess with its time-keeping integrity, but we'll give Apple the benefit of believing it configures ntp properly by default, so it can be viewed as trusted.

As to the NetBIOS services, the reviewer queried them from within the test machine itself, so those queries never passed through the firewall at all. His conclusion that the NetBIOS services are exposed externally is therefore unwarranted. The verdict here is that this is unproven.

But there's more. One might reasonably expect that the option to "Block all incoming connections" would provide security. Indeed, the review found that it blocked SSH "Remote login" requests, and some other ports. But the reviewer then claims that a port scan using nmap found that other ports were still open, specifically ports 123 "ntp", 137 "netbios-ns", 138 "netbios-dgm", 631 "ipp", and 5353 "zeroconf". The reviewer therefore concludes that, "Specifically these results mean that users can't rely on the firewall."

However, the reviewer goes badly astray here. The state results that he received from the nmap port scan were all "open|filtered", which is merely nmap's way of saying that it got no response to its probes, positive or negative. In firewall terms, those requests were dropped rather than rejected: the packets were silently discarded by the system, and nothing came back to tell nmap whether a service was listening. Therefore the reviewer's conclusion that users can't rely on the firewall is wrong.
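To make the two interpretation points above concrete (that "open|filtered" is a non-answer rather than proof of exposure, and that a scan run on the target itself never crosses the firewall), here is an added example, not code from the article or from either review, that parses constructed nmap grepable output and applies those rules. The host addresses and scan lines are made up; the port list mirrors the one the review cites.

```python
"""Interpret nmap port states as the article argues: only a plain "open"
proves a service is reachable through the firewall; "open|filtered" means
nmap got no reply at all."""
import re

# Constructed sample in nmap's grepable (-oG) format; NOT results from the
# reviewed machine. Host A mirrors the ports the review lists with the
# firewall set to block everything; host B has SSH genuinely reachable.
SAMPLE_GNMAP = """\
Host: 192.0.2.10 ()\tPorts: 22/filtered/tcp//ssh///, 123/open|filtered/udp//ntp///, 137/open|filtered/udp//netbios-ns///, 138/open|filtered/udp//netbios-dgm///, 631/open|filtered/udp//ipp///, 5353/open|filtered/udp//zeroconf///
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 123/open|filtered/udp//ntp///
"""

# What each nmap state actually tells a defender about exposure.
VERDICT = {
    "open":          "reachable: the service answered, so it is exposed",
    "closed":        "host reachable, nothing listening: RST or ICMP port-unreachable came back",
    "filtered":      "blocked: no reply, or an ICMP admin-prohibited message",
    "open|filtered": "no reply at all: nmap cannot tell a dropped probe from a silent "
                     "UDP listener, so this is not evidence of exposure",
}

def parse_gnmap(text):
    """Return one dict per port from grepable output (port/state/proto/owner/service/...)."""
    ports = []
    for line in text.splitlines():
        host = re.match(r"Host: (\S+)", line)
        plist = re.search(r"Ports: (.*)$", line)
        if not host or not plist:
            continue
        for entry in plist.group(1).split(","):
            f = entry.strip().split("/")
            if len(f) < 5:
                continue
            ports.append({"host": host.group(1), "port": int(f[0]),
                          "state": f[1], "proto": f[2], "service": f[4]})
    return ports

def assess(ports, scanned_from_target=False):
    """Map each (host, port, proto) to a verdict. A scan run on the target itself
    never crossed the firewall (the article's NetBIOS point), so it proves nothing."""
    if scanned_from_target:
        return {(p["host"], p["port"], p["proto"]):
                "untested: probes did not traverse the firewall" for p in ports}
    return {(p["host"], p["port"], p["proto"]):
            VERDICT.get(p["state"], "unknown state") for p in ports}

def confirmed_exposed(ports):
    """Only ports nmap reports as plain "open" are proven reachable from outside."""
    return [(p["host"], p["port"], p["proto"], p["service"])
            for p in ports if p["state"] == "open"]

if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for key, verdict in assess(scan).items():
        print(key, "->", verdict)
    print("proven exposed:", confirmed_exposed(scan))
```

Run against a real scan, the same logic would flag only host B's SSH port as exposed and leave every "open|filtered" UDP port as unresolved rather than counting it against the firewall.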

Again the reviewer makes much of the result that ntp returned a time/date string when queried. However, as stated above, we don't regard the ntp service as a security threat.

As to what level of risk Leopard's firewall might present, the reviewer is unsure, saying "Whether the accessible services currently represent a security risk is hard to judge. The fact that Apple uses versions of open source software in which bugs have already been found and documented by the developers is cause for concern."

In particular he mentions that Apple's versions of ntp and Samba are not the most current, but writes "It is not clear whether any of the bug fixes are relevant in this scenario and if Apple back-ported fixes from more recent versions." But he claims it's cause for concern: "Both system services run as root and do not appear to be supported by Leopard's new sandbox functions. If, therefore, a security problem which can be exploited remotely to inject and execute code is detected, an attacker could gain complete control over the system - with all the consequences this entails, right up to mass distribution via a worm."

These concerns might bear a little investigation, at least for Apple's shipped version of ntp, since that's the only service that he showed was accessible externally. But it's really quite a stretch to claim that ntp -- one of the oldest and simplest of all network services -- might present a serious security vulnerability. He didn't show that Samba is exposed externally.

The review recommends that Mac users of OS/X 10.5 Leopard either unplug their Internet connections or use a BSD ipfw packet filtering firewall. However, due to the errors in the review's method and interpretation of test results, we cannot concur with its conclusions.

In our view the review winds up looking like a hatchet job that Leopard's firewall doesn't fully deserve, even though it does appear as though Apple's Mac OS/X 10.5 Leopard firewall might benefit from some rethought, further development and refinement.

If Apple would like to send this hack one of its hell-fast laptops loaded with Leopard OS/X 10.5, maybe we can work something out for a real second opinion on Leopard's firewall. µ

Heise


Comments
ntp as a threat vector

You don't regard the NTP service running as root to be a threat? It's been the target of plenty of successful remote overflow exploits that can lead to the execution of arbitrary code. Running it as root is ridiculous...

Google ntp+exploit and you'll find plenty out there that might suggest you'd want this process running as something less dangerous.

Posted by: amb, 01 November 2007
My test results are much more positive...

I get the impression that the guy who wrote the original firewall review article was intentionally looking for a way to make the firewall look bad. I'm pretty OS agnostic, and am convinced that you can have a decent on-host firewall for any OS, and that you can also misconfigure it to offer little protection. Following are my test results, performed using nmap on the same LAN as a Macbook running OS X 10.5. The Macbook had no sharing of any kind enabled, but was using many SMB shares and other network applications.

http://padilla.net/osx-10.5_firewall_test

Posted by: Len, 31 October 2007
Anti-Mac FUD?

Curious how the report gets reported on by Yahoo News via eWeek:

http://news.yahoo.com/s/zd/20071030/tc_zd/218378;_ylt=AmPNn9HdEdO83HSRvf8fkbFX.3QA

Posted by: Chris, 31 October 2007
The Beeb says

I quote "Upgrading to the latest version of Apple's operating system, might make a Mac less secure, say experts."

They say experts but only quote one source.

Posted by: Andrew, 31 October 2007