Blog

Quick Leopard Update

By Rich

We have some guests in town so it will be a couple more days until I’m back to the regular blogging schedule, but I did manage to install Leopard this weekend.

As an OS, so far it looks great. The upgrade went without a hitch and everything seems to be working well. I still need to dig into my Unix tools and the less-frequently used applications, but the day to day stuff is all working fine.

The security updates are a bit of a mixed bag. Tom at Matasano posted a really good technical summary of how Apple implemented some key new security features. I’ve also talked to a couple other researchers who have dug in.

The summary is that Apple is dipping their toes, but needs to fully implement the features if we’re to see the security benefits. Library Randomization seems to be only a partial implementation. Check out Tom’s details, but I validated this through another source and it’s unlikely this will offer the buffer overflow protection we’re looking for. As Tom describes, it’s more of a speed bump than a wall.

The firewall may be better, but we’ll never know. The user interface is so simple as to be nearly useless and despite the simplicity is more confusing. It’s all or nothing (block all incoming connections, or allow all incoming connections, or select applications to secure).

Later this week or next weekend I’ll have time to play with it more, but the firewall changes don’t look good and may place more people at risk.

There are a bunch of other implementation problems. I’d say, right now, my earlier statements that this is the most significant security improvement in the OS X line are premature. The components are there, but the execution is off. It’s nothing they can’t easily fix in some regular updates, and we (the customers) need to stay on Apple to finish the job.

No Related Posts
Comments

[...] Rich’s follow up article on Leopard Security [...]

By Network Security Podcast


Sorry, I just saw a throw-away comment somewhere about the change in FileVault (in regards to having to turn off FileVault in 10.4, then turn it back on in 10.5 for the new features).  Have not seen anything else—am also curious to know more!

By BKWatch


@windexh8er-

I’‘m a little confused by your comment/criticism on my mention of ipfw? The Leopard firewall no longer uses ipfw, but ipfw is included. Ipfw is a good resource to have included and I’‘m not critical of it at all. Tiger relied on it, but Leopard uses its own firewall, which is behaving oddly. If I’‘m missing something, please let me know which comment is off kilter and I’‘ll respond or correct any mistake I made.

In Tiger when you enabled a service it appeared with a checkbox in the firewall settings pane, and you could still manually enable or disable it there without changing anything in the Sharing pane. In Leopard, this is no longer true- the service is listed, but you can’‘t make changes there.

I’‘m spending most of today testing various configurations of the firewall, but so far it’s very odd, and doesn’‘t act like I normally expect a firewall to behave. One thing on my (brand new) system is that even if you enable a service like file sharing in the Sharing preferences, if deny all is selected you can’‘t connect. Tiger used to warn me when I had conflicting settings like this.

My testing so far shows the firewall not blocking ports properly, and it isn’‘t a GUI issue. mDNS for example seems to be always enabled, and it’s known to be a service with vulnerabilities in the past. If the firewall says deny all, with the stealth option selected, nothing should show as open. That’s not what I’‘m seeing right now, but I’‘ll test more and post results later.

By rmogull


@bkwatch-

Because I totally missed that! I’‘ll start digging in more, but it wasn’‘t discussed in the pre-release documentation. If you have a link to save me a little research time, send it on over…

By rmogull


And this is direct verbage from Apple on how the firewall worked in Tiger:

"When you select a service in the Services pane of Sharing preferences, it is automatically selected in the Firewall pane, and the port is opened."

So… Yes, if you open Sharing and you’‘re at the airport everyone would have access to your share.  Duh.  That would be exactly how Windows would work as well if you opened it up.  I love how the media twists some of this around.  If the firewall is truly broke and it passes traffic it shouldn’‘t then that’s probably a GUI control issue because ipfw works *exactly* how it should on my Leopard box.  I may reload the rules from scratch just to analyze what’s really broken here…

By windexh8er


It’s good to see that you (Rich) are getting more visible press…  Just a comment on the eWeek article that references you a lot (http://www.eweek.com/article2/0,1895,2209676,00.asp).  One is—I find it slightly annoying of the comments about ipfw when, seemingly, you really didn’‘t do any research yourself.  I’‘m not saying you shouldn’‘t take the press when it comes to you, but…  Just seems a little off kilter—especially when you stated in past comments that you were too lazy to use IPFW from CLI and always resorted to WaterRoof in Tiger.

One last thing…  In the eWeek article it states "Mogull enabled file sharing but had "deny all" selected".  When you enable the service, even if you have "block all" selected you should still be able to connect.  That’s how it worked in Tiger, that’s how it works in Leopard.  If the common user had to add a firewall rule for sharing after they enabled it they would be confused.  I’‘m not certain why you couldn’‘t completely connect but I think the information given was false the way you stated it.

Anyway…

By windexh8er


I’‘m surprised, with your problems with FileVault, that you didn’‘t talk more about the improvements there.  To wit, the move from sparseimages to sparsepackages.  Although I don’‘t quite understand either, it seems as if the new sparsepackages are more immune to corruption.

I mean, the biggest nightmare I have with Macs is that any Mac—and any notebook—can be turned into a firewire drive in about 30 seconds and your entire drive can be read.  I realize that is not "security" with a capital S, and that possession is 9/10 of the law, but moving more people towards FileVault would seem to improve life.  And yes, I know you can do that with a PC as well—but I’‘d need to either get a specialized CD and/or open the laptop to do the same move.

Of course, after I demonstrated that on my girlfriend’s Mac my own filevault image became corrupted and I had to do a restore.  Pain.

By BKWatch


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.