Apple admits to 'misleading' Leopard firewall settings

Summary: Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard.

Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard.

The acknowledgment from Cupertino comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections.

In an advisory accompanying the Mac OS X v10.5.1 update, Apple admitted that the "Block all incoming connections" setting for the firewall is misleading.

"The 'Block all incoming connections' setting for the Application Firewall allows any process running as user 'root' (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services," Apple said.

With the fix, the option is more accurately described as "Allow only essential services", and the processes permitted to receive incoming connections under this setting are limited to a small fixed set of system services, Apple said.

Two other Application Firewall flaws are addressed:

CVE-2007-4703: The "Set access for specific services and applications" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as "Block incoming connections". This could result in the unexpected exposure of network services.

CVE-2007-4704: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access.
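As an added example (not code from the article or from Apple), the audit below parses `lsof -i -P -n` output and lists the listening sockets that Apple's description of the pre-10.5.1 "Block all incoming connections" setting says were still reachable: any root-owned listener plus mDNSResponder. It embeds a constructed sample of `lsof` output so it runs offline, and falls back to a live `lsof` run when the tool is present; the process names, PIDs and the `_mdnsresponder` account in the sample are assumptions.

```python
import subprocess

# Constructed sample of `lsof -i -P -n` output (not a real capture).
SAMPLE_LSOF = """\
COMMAND        PID           USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
launchd          1           root  12u  IPv4   0x01      0t0  TCP *:22 (LISTEN)
mDNSResponder   17 _mdnsresponder   7u  IPv4   0x02      0t0  UDP *:5353
httpd           88           root   4u  IPv6   0x03      0t0  TCP *:80 (LISTEN)
Safari         312          alice   9u  IPv4   0x04      0t0  TCP 10.0.0.5:52114->17.0.0.1:443 (ESTABLISHED)
python         420          alice   3u  IPv4   0x05      0t0  TCP *:8000 (LISTEN)
"""

def parse_lsof(text):
    """Yield (command, pid, user, proto, name) for each socket row."""
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 8)              # NAME may contain a space
        if len(parts) == 9:
            cmd, pid, user, _fd, _type, _dev, _size, proto, name = parts
            yield cmd, int(pid), user, proto, name

def is_listener(proto, name):
    """TCP socket in LISTEN, or UDP socket bound to the wildcard address."""
    if proto == "TCP":
        return name.endswith("(LISTEN)")
    if proto == "UDP":
        return name.startswith("*:") and "->" not in name
    return False

def exempt_listeners(text):
    """Listeners that the pre-10.5.1 'Block all incoming connections'
    setting still let through: any root-owned process, plus mDNSResponder."""
    return [
        (cmd, pid, user, f"{proto} {name}")
        for cmd, pid, user, proto, name in parse_lsof(text)
        if is_listener(proto, name) and (user == "root" or cmd == "mDNSResponder")
    ]

def live_lsof():
    """Run lsof on this host; None when lsof is missing or fails."""
    try:
        return subprocess.run(["lsof", "-i", "-P", "-n"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":
    for cmd, pid, user, sock in exempt_listeners(live_lsof() or SAMPLE_LSOF):
        print(f"{cmd}[{pid}] running as {user} listens on {sock}")
```

Because a running launchd-started process does not pick up a firewall change until it restarts (CVE-2007-4704), re-running this listing after changing the setting shows whether a listener actually went away rather than trusting the preference pane.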

The Leopard firewall patch comes less than 24 hours after Apple shipped a monster update to cover at least 41 Mac OS X and Safari for Windows (beta) vulnerabilities.

Talkback

  • Does not computer. AAAAAARRRRGHHHH!!!!!

    "Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard."

    But, but, but, I posted and I posted and I posted about how Leopard was perfect and secure and how the firewall was rock solid and how M$ sucked and now Apple is disputing me? AAAAAARRRRRGGGGGHHHHH! I've obviously displeased the emperor and must commit seppuku.

    snicker, smirk :)
    NonZealot
    • Warning: All your computer are belong to US!!!

      Firewall problems? Firewall schmireall. buwahahah.....
      D T Schmitz
      • Re: Apple admits to misleading Leopard firewall settings

        At least Apple admits when they are wrong; just get the patch and poof, the problem is fixed. Now how about Windows? They would spend a lot of time admitting the truth about Vista flaws. I will continue to use my Vista laptop for one purpose only: the media center that my satellite is connected to, great for recording programs and burning to disk. When I want to work on my computer I will stick to my Apple.
        Teacee
        • WHAT? A multimedia application a PC does better than a MAC!!!!

          Stop the presses! Front Page News!!!
          A Mac user admits to a multimedia application the Windows PC does better than the MAC.
          OMG, what next? The SKY IS FALLING????
          coachgeorge
          • OMG!!!

            It's the third sign of the apocalypse!

            Talking heads will be pulling their hair. Churches will be overflowing. People will begin hoarding toilet paper and Juicy Fruit.
            Dr. John
          • Is it possible for someone to design a virus ...

            ...capable of infecting an Apple computer?

            I don't think there is anyone smart enough to get by Apple's defences. The only positive outcome of breaking Leopard would be making these arrogant, delusional Apple fanatics eat some crow. I don't want it to happen; in fact I don't think it will happen.

            Please don't take this message as a challenge if you read it, after all you will simply be wasting your time since you are not capable of infiltrating the incredible Apple OS anyway.
            Information_z
          • lol

            I'm not a security expert, but pretty much all decent security experts can crack a Mac. In fact, you can go to the wrong website, and poof... your Mac is infiltrated. That's what happened in a competition... there was this hacking competition between Mac, Vista, and Linux. Guess which computer got hacked first? The first dude hacked the Mac so fast that Apple was informed. He directed Safari to a website with malicious code, and the Mac was hacked. The whole "Mac is inherently secure because of Unix" is a myth and it's even been debunked by MacWorld.
            zomgguy
          • No. We just get tired of pasting the code in posts...

            here on ZDNet to prove to zealots that they exist!

            I've had it with all that; just go on believing you're invulnerable, the crackers will love it, that is if anyone convinces them an Apple owner has anything worth stealing!
            JCitizen
          • "better" be default

            The PC is only "better" in this regard because many satellite TV interfaces ship with (crappy) Windows-only drivers and support applications.

            Of course you could fork out for the FireWire version for the Mac, but it's two or three times the price.
            grail@...
    • Promise?

      snicker smirk
      MarcB_z
    • If you must...

      Commit seppuku, then I think it'd be mildly amusing if you did it with a blunt plastic spoon and arranged for worldwide broadcast on CNN or BBC or whatever.
      ego.sum.stig
      • There really is no

        method to your mad and usually disjointed statements, is there? You are just a plain old fashioned nutjob. Are you zkiwi in disguise? You sport about the same level of wit.
        xuniL_z
        • I read your review first and then went on to his....

          I have to say it's like listening to TV critics who slam movies before you go to see them. They set your expectations sooooo low that you actually find yourself enjoying the film. Now I'm NOT saying in this case it is true, because frankly I found his post rather amusing and I don't think your review affected me much either way.

          Pagan jim
          Laff
          • sorry

            Jim Bob, but not everything is aimed at your pleasure, as disconcerting as that must seem to you.
            xuniL_z
        • There really is no?

          "You are just a plain old fashioned nutjob. Are you zkiwi in disguise? You sport about the same level of wit."

          Now Xu that was just plain mean!
          aussieblnd@...
          • Ozzy....

            you may not have noticed the posts s/he has made to me?
            xuniL_z