Apple just released an update to Leopard, version 10.5.1.
The support document says the following:
Addresses a code signing issue; third-party applications can now run when included in the Application Firewall or when whitelisted in Parental Controls. In Security preferences’ Firewall tab, the “Block All” option is now called “Allow Only essential services”
Well, I suppose that’s some kind of progress. At least it’s labelled accurately. I’ve been really slammed this week, but Chris and I should have the instructions for using WaterRoof in combination with our template ipfw rule set and the Application Firewall soon (hopefully today).
I’ve tested the update and the application firewall still signs applications, but instead of just failing to launch modified applications, we’re now prompted to allow access manually again if they change. Code signing can be rough because of issues like this, and I think the prompt is a reasonable solution. However, I would prefer it to say, “This application has been modified since its last use; please click to allow network access” so we know that it’s a real change to the application and not just a random prompt to approve again.
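The difference between refusing a modified application and re-prompting for it, together with the more specific prompt wording suggested above, as a simplified model added here (not Apple's implementation and not code from the original post). It assumes a SHA-256 file hash as a stand-in for the recorded signature; `ApprovalStore`, `Decision` and `ExampleApp` are hypothetical names.

```python
import hashlib, os, tempfile
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    PROMPT_NEW = "prompt: first network access"
    PROMPT_MODIFIED = "prompt: modified since last approval"
    REFUSE_MODIFIED = "refuse: modified since approval"

def digest(path):
    """SHA-256 of the file; stands in for the recorded signature."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

class ApprovalStore:
    """Hypothetical model, not Apple's implementation."""
    def __init__(self, reprompt_on_change=True):
        self.reprompt_on_change = reprompt_on_change  # False: 10.5.0 behaviour
        self.approved = {}  # real path -> digest recorded at approval

    def approve(self, path):
        key = os.path.realpath(path)
        self.approved[key] = digest(key)  # overwrites any older digest

    def check(self, path):
        key = os.path.realpath(path)
        if key not in self.approved:
            return Decision.PROMPT_NEW
        if self.approved[key] == digest(key):
            return Decision.ALLOW
        if self.reprompt_on_change:
            return Decision.PROMPT_MODIFIED
        return Decision.REFUSE_MODIFIED

def demo():  # approve a constructed sample file, modify it, re-check
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "ExampleApp")  # constructed sample, not a real app
        with open(app, "wb") as f:
            f.write(b"original code")
        old, new = ApprovalStore(False), ApprovalStore(True)
        seen = [new.check(app)]
        old.approve(app)
        new.approve(app)
        seen.append(new.check(app))
        with open(app, "ab") as f:  # binary changes after approval
            f.write(b" patched")
        seen += [old.check(app), new.check(app)]
        new.approve(app)  # user clicks allow again
        seen.append(new.check(app))
        return seen
```

Keeping `PROMPT_NEW` and `PROMPT_MODIFIED` as separate outcomes is what lets the prompt tell the user that the application really changed.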
In a separate document, Apple details some additional security updates to the application firewall. Most notably, the firewall will now block processes running as root if you specify them in the application firewall.
Based on these updates I’m now running the application firewall with ipfw, and will try and get those instructions posted soon.
Not that any of this matters much since there are no network attacks on Macs in the wild right now, but we all know that can’t last…
2 Replies to “First Leopard Update Is Out- Some Of Firewall Fixed; Skype Works”
The application firewall in Leopard is deeply integrated with code signing. When you approve an application to connect to the network, it’s signed. Skype changes its binary code at run time, and thus won’t match the binary hash the operating system has on record. That’s why in 10.5.0 it won’t launch again.
In 10.5.1 you’re just prompted to re-allow it when it launches, creating a new signature that overwrites the old one. Every time you launch Skype you have to approve it, but that’s a lot better than having to reinstall. I partially blame Skype for this one, since there are plenty of ways to avoid mucking with your internal binary code at runtime.
I thought issues such as those that appeared with Skype were caused by the applications checking their binaries at launch, not by the firewall ungracefully shutting them down…
If Skype has not been updated (I do not believe it has yet) and if the firewall still signs applications, how did Apple prevent these Skype-like issues from occurring? Did they change something in the signing process?