IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

Mac OS X scares security spods (and WCC FTW)

Trick or IT Blogwatch? In which we worry about the security of Leopard's new, errr, security features. Not to mention Weebl's weighted companion cube...

Robert McMillan reports:

The security features introduced in Apple’s Leopard operating system update need work. That’s according to security experts who have been putting the new version of Mac OS X through its paces, since the upgrade was introduced last Friday. Leopard introduces a number of important security features to the Mac, but they are often implemented incompletely, leaving users vulnerable to attack ... two of Apple’s key security enhancements—Sandboxing and Library Randomization—are great ideas that are imperfectly applied within Leopard. [more]

Jürgen Schmidt is one of those "experts":

Initial functional testing has already uncovered cause for concern ... The most important task for any firewall is to keep out uninvited guests ... But a quick look at the firewall configuration in the Mac OS X Leopard shows that it is unable to do this ... The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected ... Apple is showing here a casual attitude with regard to security questions which strongly recalls that of Microsoft four years ago. [more]

And Thomas Ptacek is another:

Good little fanboy that I am, I had Leopard installed this weekend ... all Quick Look sandboxing does is restrict network access. Who cares? A Quick Look exploit is just going to install a trojan somewhere else ... Almost nothing you care about is sandboxed. For instance: Mail, Safari, and iChat ... The dynamic linker library (dyld) is not randomized ... [so] Cocoa programs running in Darwin are less secure than Win32 programs running under NTOSKRNL, and aren’t even in the same ballpark as Managed C++ or C# programs. [more]

Ryan Naraine snarks:

The first independent reviews of the security enhancements in Mac OS X Leopard are ... not entirely pleasant for the folks in Cupertino. [more]

Matt Buchanan looks on the bright side:

Of course, someone has to actually exploit the flaws—incompletions more so than outright screw-ups—to cause damage, but Apple should probably patch them up with some haste, particularly the leaky firewall issue. [more]

Todd Fraser recaps security 101:

Never trust software firewalls. Software firewalls should only be used for protection against "internet static" attacks, where just random worms and viruses are trying to get in. Software firewalls are normally bad against direct attacks from real hackers. [more]

But Simon the space cowboy did RTFM:

if Leopard trusts the service (it's a root process, or it's signed with an acceptable crypto signature), it will have access through the firewall. Since Leopard ships with cryptographically-signed binaries/packages, I guess I'm not seeing the problem - if Jo(e)-evil-cracker already has 'root' on the system, the firewall isn't going to help save the system, after all ... You could argue that the 'Block all incoming connections' is badly worded, but you could [also] argue that reading the documentation for a new firewall would be a useful thing to do. [more]

kebes responds:

If the situation is indeed as you describe ... then you're right: this isn't a security vulnerability, but rather a case of poor UI design. The UI is saying "I'm blocking all connections" even though it isn't. You're also right that in principle the user should educate themselves about their software. However the software should, as much as possible, not misrepresent what's going on. Saying "blocking all connections" and then allowing something to connect is a recipe for security mistakes. [more]

Todd Knarr:

I notice in [Jürgen Schmidt's] report that [he] complains about services Nmap lists as "open/filtered". Nmap reports that result when it encounters a port that elicits no reply whatsoever to a probe. This happens only when a firewall is dropping all traffic to a port and not generating any ICMP error packet for the attempt ... If this is any indication of the quality of this "analysis", we can discount the article. [more]
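The port-state rules Knarr is relying on are worth seeing in code. The following is an added example, not code from the Nmap project or from any of the bloggers quoted here: a small Python model of the states Nmap documents for TCP SYN and UDP probes, run against a constructed host sitting behind a packet filter in either "drop" (silent discard) or "reject" (RST / ICMP port-unreachable) mode. It goes one step beyond the quote: silence to a TCP SYN is reported as "filtered", while silence to a UDP probe is "open|filtered", because a UDP service that ignores an empty datagram looks exactly like a silent drop. The host, its listeners and the filter rules are all constructed for the example.

```python
"""Model of Nmap's documented port-state rules, applied to a constructed host.

Added example; not Nmap code. Responses are built in-process, nothing is sent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ICMP type 3 (destination unreachable) codes that Nmap reports as "filtered":
# net (1), host (2), net/host admin prohibited (9, 10), comm. admin prohibited (13).
# Code 3 (port unreachable) is "filtered" for TCP SYN but "closed" for UDP.
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    kind: str                       # "none" | "tcp" | "udp" | "icmp"
    tcp_flags: str = ""             # "SA" = SYN/ACK, "RA" = RST/ACK
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


NO_REPLY = Response("none")


def classify_tcp_syn(resp: Response) -> str:
    """Port state for a TCP SYN probe (nmap -sS)."""
    if resp.kind == "tcp" and "R" in resp.tcp_flags:
        return "closed"             # RST: host reachable, nothing listening
    if resp.kind == "tcp" and {"S", "A"} <= set(resp.tcp_flags):
        return "open"               # SYN/ACK: a listener completed step 2
    # ICMP unreachable of any filtering code, or no reply at all (silent drop)
    return "filtered"


def classify_udp(resp: Response) -> str:
    """Port state for an empty UDP probe (nmap -sU)."""
    if resp.kind == "udp":
        return "open"               # the service answered the empty datagram
    if resp.kind == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code == 3:
            return "closed"         # port unreachable: reachable, nothing bound
        if resp.icmp_code in ICMP_FILTERED_CODES:
            return "filtered"       # a filter rejected the probe and said so
    return "open|filtered"          # silence: silent drop OR a quiet UDP service


def closed_reply(proto: str) -> Response:
    """What an unfiltered, unbound port answers: RST for TCP, ICMP 3/3 for UDP."""
    if proto == "tcp":
        return Response("tcp", "RA")
    return Response("icmp", icmp_type=3, icmp_code=3)


def host_response(proto: str, port: int, listeners: Dict[int, bool],
                  filter_mode: str, allowed: Set[int]) -> Response:
    """Constructed host: `listeners` maps port -> whether the service answers
    an empty probe (TCP always does; some UDP daemons stay silent)."""
    if port in allowed:
        if port in listeners:
            if not listeners[port]:
                return NO_REPLY     # quiet UDP service: indistinguishable from a drop
            return Response("tcp", "SA") if proto == "tcp" else Response("udp")
        return closed_reply(proto)
    if filter_mode == "drop":
        return NO_REPLY             # packet filter discards silently
    if filter_mode == "reject":
        return closed_reply(proto)  # packet filter answers like a closed port
    raise ValueError(f"unknown filter mode: {filter_mode}")


def audit(filter_mode: str) -> Dict[Tuple[str, int], str]:
    """Probe the constructed host and return {(proto, port): nmap_state}."""
    tcp_listeners = {22: True, 80: True}
    udp_listeners = {53: True, 123: False}     # constructed: ntpd ignores empty probes
    allowed = {22, 53, 80, 123}                # constructed filter rules
    results: Dict[Tuple[str, int], str] = {}
    for proto, listeners in (("tcp", tcp_listeners), ("udp", udp_listeners)):
        for port in (22, 53, 80, 123, 8080):
            resp = host_response(proto, port, listeners, filter_mode, allowed)
            state = classify_tcp_syn(resp) if proto == "tcp" else classify_udp(resp)
            results[(proto, port)] = state
    return results


def ambiguous_ports(results: Dict[Tuple[str, int], str]) -> List[Tuple[str, int]]:
    """Ports whose state cannot be settled without a protocol-specific payload."""
    return [key for key, state in results.items() if state == "open|filtered"]


if __name__ == "__main__":
    for mode in ("drop", "reject"):
        res = audit(mode)
        print(f"filter mode: {mode}")
        for (proto, port), state in res.items():
            print(f"  {proto}/{port:<5} {state}")
        print(f"  needs follow-up: {ambiguous_ports(res)}")
```

Reading the output: with the filter in "drop" mode the blocked TCP port shows "filtered" and the blocked UDP port "open|filtered", which is the pattern an auditor should expect from a working packet filter; in "reject" mode both collapse to "closed" and become indistinguishable from an unfiltered host. The quiet UDP service stays "open|filtered" in both modes, so that state on its own proves nothing about the firewall either way.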


Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You too can pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk. FTW!
