TidBITS Talk
Leopard's firewall is broken
Lewis Butler (apparently) - Nov 2, 2007 5:25 am (#1 of 3)
Re: Leopard's firewall is broken
On 1-Nov-2007, at 07:50, Sander Tekelenburg wrote:
> This article < http://www.heise-security.co.uk/articles/98120>
Is a flaming pile of garbage.
There are some usability issues with the firewall. Having NTP and
NETBIOS ports open are not among those issues.

Nigel Stanger (apparently) - Nov 2, 2007 5:30 am (#2 of 3)
Re: Leopard's firewall is broken
On 02/11/2007 2:50 AM, "Sander Tekelenburg" <tekelenb  euronet.nl> spake
thus:
> This article < http://www.heise-security.co.uk/articles/98120> reports that
> Leopard's firewall appears to be very broken.
Our head of technical support here just installed Leopard, turned on the
firewall, switched on "stealth mode" in the advanced settings, then invited
me to port scan him. The results came out something like this:
> All 1705 scanned ports on xx.yy.zz.ww (nn.nn.nn.nn) are filtered
which is what you'd expect for stealthed ports. I also tried replicating the
UDP scan from the article:
> All 1488 scanned ports on xx.yy.zz.ww (nn.nn.nn.nn) are open|filtered
So it looks like you can lock things up better than what the article said,
but it's extremely poor that this is hidden in the "advanced" settings where
no-one will find it (and presumably off by default).
--
Nigel Stanger, Dunedin, NEW ZEALAND.
http://xri.net/=nigel.stanger
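The two summaries Nigel quotes ("filtered" for the TCP scan, "open|filtered" for the UDP scan) say different things: nmap only reports open, closed or unfiltered when the target actually answered a probe, while filtered and open|filtered both mean silence, and for UDP nmap cannot tell a stealthed port from an open service that ignores an empty datagram. The following is an added example (Python, not code from the thread or from nmap) that parses nmap's normal-output summary lines and reports whether the host gave itself away. The scan outputs, the host name host.example and the address 192.0.2.10 are constructed for the example, modelled on the lines quoted above; they are not real scans.

```python
"""Classify what an nmap scan summary says about a host's firewall posture.

Added example (not from the original thread). It parses the two summary
forms nmap prints ("All N scanned ports ... are STATE", and
"Not shown: N STATE ports" followed by a PORT/STATE table) and reports
whether the target answered any probe at all, which is what "stealth mode"
is meant to prevent.  The outputs below are constructed, not real scans.
"""
import re

ALL_RE = re.compile(r"^All (\d+) scanned ports on .+ are (\S+)$", re.M)
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports?$", re.M)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

# States nmap only assigns when the target (or something in front of it)
# sent a packet back.  "filtered" and "open|filtered" both mean silence:
# for UDP, nmap cannot distinguish a stealthed port from an open service
# that simply did not reply to an empty datagram, hence the "|".
ANSWERED_STATES = {"open", "closed", "unfiltered"}

# Constructed samples (hypothetical host, not a real scan).
STEALTHED_TCP = """\
Interesting ports on host.example (192.0.2.10):
All 1705 scanned ports on host.example (192.0.2.10) are filtered
"""

STEALTHED_UDP = """\
Interesting ports on host.example (192.0.2.10):
All 1488 scanned ports on host.example (192.0.2.10) are open|filtered
"""

# What a UDP scan looks like when NTP and NetBIOS name service do answer.
LEAKY_UDP = """\
Interesting ports on host.example (192.0.2.10):
Not shown: 1486 open|filtered ports
PORT    STATE SERVICE
123/udp open  ntp
137/udp open  netbios-ns
"""

# Firewall on but stealth mode off: closed ports answer with RST.
NOT_STEALTHED_TCP = """\
Interesting ports on host.example (192.0.2.10):
Not shown: 1703 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
5900/tcp filtered vnc
"""


def summarize(output):
    """Return (counts_by_state, ports_by_state) for one host's nmap output."""
    counts, ports = {}, {}
    m = ALL_RE.search(output)
    if m:
        counts[m.group(2)] = int(m.group(1))
    m = NOT_SHOWN_RE.search(output)
    if m:
        counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    for port, proto, state, _service in PORT_RE.findall(output):
        counts[state] = counts.get(state, 0) + 1
        ports.setdefault(state, []).append(f"{port}/{proto}")
    return counts, ports


def posture(output):
    """Say whether the host answered anything, and list what responded."""
    counts, ports = summarize(output)
    answered = {s: n for s, n in counts.items() if s in ANSWERED_STATES}
    return {
        "scanned": sum(counts.values()),
        "answered": bool(answered),
        "open": list(ports.get("open", [])),
        "closed": counts.get("closed", 0),
        "silent": sum(n for s, n in counts.items() if s not in ANSWERED_STATES),
    }


if __name__ == "__main__":
    for name, text in [("stealthed tcp", STEALTHED_TCP), ("stealthed udp", STEALTHED_UDP),
                       ("leaky udp", LEAKY_UDP), ("not stealthed tcp", NOT_STEALTHED_TCP)]:
        print(name, posture(text))
```

The point for reading a report like Nigel's: a UDP result of open|filtered across the board is consistent with stealth mode working, but it is not proof of it, because nmap would print the same thing for an open service that never replies. Only a response (a payload reply giving "open", or an ICMP port-unreachable giving "closed") settles the question, which is why the heise result for NTP and NetBIOS is the interesting one.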

johnbaxterlists (apparently) - Nov 6, 2007 7:10 am (#3 of 3)
Re: Leopard's firewall is broken
> Having a firewall arbitrarily break approved applications is also
> unacceptable.
It's not arbitrary. If you approve Skype, and malware replaces Skype,
then you've unknowingly approved the thing the malware put in Skype's
place. That is one of the points of signed applications.
But having an application change itself is also unacceptable. And on
the Mac has been unacceptable since the dawn of time (or, more
accurately, when Apple first arranged for applications to be loaded
from a server, which was sometime before System 7, but well after
January 1984).
There's no obvious reason, in the prominent case of Skype, why Skype
has to modify itself. My guess was that it is recording its random
choice of port, but I was wrong.
I just ran Skype twice in a row from its .dmg file (which works around
the signing by always loading an unsigned Skype). The first time it
picked port 3919. The second time it also used port 3919. On another
Mac, it picked 54054. Back to the first Mac, for another user it
picked 31134. Therefore it keeps the port number on a per-user basis,
but outside the app. (Note: to repeat that test, do not open the
Advanced preferences in Skype until after you've given Skype the Skype
name and password for the user that hasn't run Skype before. If
you do, the preference pane presents a port of 0, and you can't get
out of the pane without picking a port, which breaks the experiment.
GRRR. Bad Skype. Fortunately, I didn't quite run out of users.)
One mitigation for all this for the home user (NOT for the corporate
IT folks), is that most home users these days are behind NAT. So
ports are likely not accessible from the world even if they are
accessible on the LAN. Especially for the few home users who believe
Steve Gibson and shut off the evil and dangerous UPnP in their router.
All the above notwithstanding, nice article, Rich. I'll travel off to
the referenced blog after dinner (priorities, after all).
--John
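John's point is that a firewall rule bound to an application's signature can only stay valid if the application does not rewrite its own bundle, and that per-user state like a chosen listen port belongs outside the app. The following is an added example (Python, not code from the thread, from Skype, or from Apple's application firewall) that makes this concrete. It uses an HMAC over the bundle's files under a constructed key in place of a real public-key code signature (an assumption for the demo), builds a throwaway bundle named DemoSkype.app in a temporary directory, and shows that writing the port to a preferences file outside the bundle leaves the approval intact, while writing the same setting into the bundle breaks it.

```python
"""Why a self-modifying application breaks a signature-bound firewall rule.

Added example, not code from the thread or from Apple's firewall.  The
"signature" here is an HMAC over the bundle's files under a key that stands
in for the signer's private key (an assumption for the demo; real code
signing uses public-key signatures).  It shows that per-user state written
outside the bundle leaves the signature intact, while the same setting
written into the bundle does not.
"""
import hashlib
import hmac
import os
import tempfile

SIGNING_KEY = b"demo-signing-key"  # stands in for the developer's key (constructed)


def bundle_digest(bundle_dir):
    """SHA-256 over every file in the bundle, in a fixed, unambiguous encoding."""
    h = hashlib.sha256()
    for root, dirs, files in os.walk(bundle_dir):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir).encode()
            with open(path, "rb") as f:
                data = f.read()
            # length-prefix both fields so "a"+"bc" and "ab"+"c" cannot collide
            h.update(len(rel).to_bytes(4, "big") + rel)
            h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def sign_bundle(bundle_dir):
    return hmac.new(SIGNING_KEY, bundle_digest(bundle_dir), hashlib.sha256).digest()


def verify_bundle(bundle_dir, signature):
    return hmac.compare_digest(sign_bundle(bundle_dir), signature)


class AppFirewall:
    """Toy allow-list: an 'allow' decision is bound to the app's signature."""

    def __init__(self):
        self.allowed = {}  # app name -> signature recorded at approval time

    def approve(self, name, bundle_dir):
        self.allowed[name] = sign_bundle(bundle_dir)

    def permits(self, name, bundle_dir):
        sig = self.allowed.get(name)
        return sig is not None and verify_bundle(bundle_dir, sig)


def make_bundle(root, name):
    """Create a minimal fake .app bundle (constructed placeholder contents)."""
    contents = os.path.join(root, name + ".app", "Contents")
    os.makedirs(os.path.join(contents, "MacOS"))
    with open(os.path.join(contents, "MacOS", name), "wb") as f:
        f.write(b"\xca\xfe\xba\xbe demo binary")  # not a real executable
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        f.write(b"<plist/>")
    return os.path.dirname(contents)


def demo():
    """Return (permitted when state is kept outside, permitted after self-modification)."""
    with tempfile.TemporaryDirectory() as root:
        app = make_bundle(root, "DemoSkype")
        fw = AppFirewall()
        fw.approve("DemoSkype", app)

        # Well-behaved: remember the chosen listen port per user, outside the bundle.
        prefs = os.path.join(root, "Library", "Preferences")
        os.makedirs(prefs)
        with open(os.path.join(prefs, "demo.plist"), "w") as f:
            f.write("ListenPort=3919\n")
        outside_ok = fw.permits("DemoSkype", app)

        # Misbehaved: write the same setting into the bundle itself.
        with open(os.path.join(app, "Contents", "port.cfg"), "w") as f:
            f.write("ListenPort=3919\n")
        inside_ok = fw.permits("DemoSkype", app)
    return outside_ok, inside_ok


if __name__ == "__main__":
    print(demo())
```

The same check is what protects against the replacement scenario in the post: a bundle swapped out by malware has a different digest, so an approval recorded against the original no longer matches, and the user is asked again rather than silently inheriting the old "allow".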