Focus on Apple
Apple releases Mac OS X v10.5.1 with Application Firewall security updates Nov 15 2007 07:11PM
Todd Woodward (todd_woodward symantec com) (1 replies)
Application Firewall security updates Nov 15 2007 08:08PM
Radoslav Dejanović (radoslav dejanovic opsus hr) (4 replies)
Re: Application Firewall security updates Nov 21 2007 03:00PM
Dave Piscitello (dave corecom com) (2 replies)
Re: Application Firewall security updates Nov 21 2007 09:27PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (3 replies)
Re: Application Firewall security updates Nov 22 2007 06:35PM
Derek Chesterfield (dez mac com)
Re: Application Firewall security updates Nov 22 2007 04:28PM
Bruce Carter (bcarter nd edu)
RE: Application Firewall security updates Nov 21 2007 10:43PM
Todd Woodward (todd_woodward symantec com)
Re: Application Firewall security updates Nov 21 2007 09:02PM
Chris Adams (chris improbable org)
Re: Application Firewall security updates Nov 16 2007 03:58AM
Mike Savory (mike_lists nzbox com)
RE: Application Firewall security updates Nov 15 2007 09:55PM
Todd Woodward (todd_woodward symantec com)
Re: Application Firewall security updates Nov 15 2007 09:51PM
Dave Schroeder (das doit wisc edu) (3 replies)

On Nov 15, 2007, at 2:08 PM, Radoslav Dejanović wrote:

> Todd Woodward wrote:
>> Apple today released Mac OS X v10.5.1 with Application Firewall
>> updates which cover the following issues:
>>
>>
>> * "Block all incoming connections" setting renamed to "Allow only
>> essential services" to more "accurately [describe] the option"
>>
> What a nice WTF. This is a good example of what IMHO is Apple's
> wrong tactics. There's *huge* difference between "block all incoming
> connections" and "allow only essential services". Those are two
> completely different things. :-)

I was waiting for someone to comment on this...

Apple's "everything just works" niceties *depend* on things like
Bonjour in particular being able to be accessed, and most users would
end up selecting "Block all incoming connections" when making a
firewall choice, because they won't really understand anything
else...and "more" is "better", right? So blocking all must mean I'm
*super* secure.

...Except that now when I get my AppleTV and buy my son or daughter a
Mac and expect to be able to do all the cool stuff that doesn't
require any configuration, nothing works. Why doesn't it work? They
won't be able to answer that any more than they know what to pick on
the Firewall preferences screen.

So what Apple does is a little bit of deciding for the user what makes
sense. The first step was going to an intelligent application level
firewall. The next was making some policies that allow services Apple
considers "essential" to the whole Mac OS X user experience. And like
it or not, Bonjour is part of that.

> And then, for the average user, the statement "allow only essential
> services" is quite confusing. What are essential services? What if
> user has no need for some of them, yet can't easily turn them off
> because they're in the "essential" pack? What if someone really
> wants to disable all incoming connections (say, lots of people that
> use just a DSL connection, a Mac and a USB printer)? If the setting
> has been *renamed*, does that mean that there's actually no way to
> fully disable incoming connections? Or is it still there somewhere?

Yes. Well, "still" there would be inaccurate. It was never there on
Leopard. "Block all incoming connections" didn't actually block all
incoming connections.

> Granted, you can still use ipfw to set up fine-grained firewall
> policies, so you're not really stuck with Application Layer
> Firewall. But, how many users know how to handle ipfw?

Anyone who knows enough to know, for certain, that they don't want,
e.g., Bonjour open also knows how to use any of a number of free or
commercial commandline or graphical options to set up ipfw any way
they wish.

That's the bottom line: anyone who knows enough to "know" they
"really" want to disable all incoming connections can easily do so.
Your example of "lots of people that use just a DSL connection, a Mac
and a USB printer" aren't necessarily people for whom it would be
appropriate to make that judgment.

> That's weird - while it is true that many users would like to have a
> firewall that's easy to set up, denying them ability to completely
> lock their computers is not something I would call good security
> practice. Mixing descriptions, and having deceptive descriptions
> that don't reflect the true status of the firewall - I can't see the
> point here. Is this, like, being user-friendly?

Yes, it is. That's the point. And if anything, the description was
deceptive in 10.5.0. It no longer is.

This is about making security *easy* for typical users, while still
keeping things that make the Mac experience "just work".

Now, I *do* wish that Apple had one more option: Block *everything*,
but explain, hey, this is going to break some things like Bonjour,
etc., so be SURE that you want to do this, and don't complain if all
of a sudden your AppleTV syncing and iTunes sharing and automatic
local machine discovery no longer work.

> P.S. Application Layer Firewall, AFAIK, doesn't filter out programs
> running with superuser privileges. That calls for trouble.

Apple describes all of this very explicitly here:

http://docs.info.apple.com/article.html?artnum=306938

The 10.5.0 Application Firewall blocked all but:

• Processes that are running as UID 0
• mDNSResponder

The 10.5.1 Application Firewall blocks all but:

• configd, which implements DHCP and other network configuration
services
• mDNSResponder, which implements Bonjour
• racoon, which implements IPSec

So, while I haven't tested yet, it does NOT appear to allow all UID 0
processes, but rather only the above processes. If this is accurate,
that concern is now moot.

- Dave

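The post above notes that anyone who really wants to block all incoming connections on Leopard can do it with ipfw rather than the Application Firewall. The following is an added example, not code from the thread or from Apple: a "block everything inbound" ipfw ruleset of the kind the post wishes Apple offered as an option. It assumes the ipfw2 syntax that Mac OS X 10.5 ships, that the rule numbers are arbitrary choices, and that the script is run as root only when it is invoked with `--apply`; without that flag it only prints the rules, so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original thread or from Apple): an ipfw policy
# that blocks every inbound connection on a Leopard Mac while still letting
# the machine's own outbound traffic, DHCP and a few ICMP replies through.
# Assumptions: ipfw2 syntax as shipped in Mac OS X 10.5; rule numbers are
# arbitrary; ipfw is only touched when the script is run with --apply.

# Print the ruleset, one ipfw command per line (without the "ipfw" prefix).
# Rules are evaluated in number order; the first match wins.
ipfw_rules() {
    cat <<'EOF'
add 100 check-state
add 200 allow ip from any to any via lo0
add 300 allow ip from any to any out keep-state
add 400 allow udp from any 67 to any 68 in
add 500 allow icmp from any to any in icmptypes 0,3,11
add 600 deny log udp from any to 224.0.0.251 5353 in
add 65000 deny log ip from any to any in
EOF
}
# 100: let replies to our own outbound traffic (tracked by rule 300) back in.
# 200: loopback is always allowed; local IPC over 127.0.0.1 must keep working.
# 300: anything we initiate is allowed, and a dynamic rule is kept for replies.
# 400: DHCP offers/acks arrive as broadcast from port 67, so they never match
#      a dynamic rule; this is the ipfw equivalent of the ALF letting configd in.
# 500: echo reply, destination unreachable and time exceeded, so ping and
#      traceroute from this host still work.
# 600: inbound mDNS (Bonjour) multicast, logged separately so that when
#      iTunes sharing or AppleTV discovery stops working the reason is visible
#      in the log instead of being buried in the catch-all below.
# 65000: everything else inbound is dropped and logged.

# Number of rules in the policy; handy for checking "ipfw list" after applying.
rule_count() {
    ipfw_rules | wc -l | tr -d ' '
}

# Flush the existing ruleset and load the policy. Logging only produces output
# when net.inet.ip.fw.verbose is enabled; entries go to /var/log/ipfw.log.
apply_rules() {
    sysctl -w net.inet.ip.fw.verbose=1 >/dev/null
    ipfw -q -f flush
    ipfw_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086 -- splitting the rule into words is intended
        ipfw -q $rule
    done
    ipfw list
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) ipfw_rules ;;
esac
```

Run it without arguments to review the policy, then `sudo ./blockall.sh --apply` to load it. A quick way to check what the policy is now hiding is to compare `netstat -an | grep LISTEN` (TCP listeners) and `netstat -an -p udp` (UDP sockets, including mDNSResponder on 5353) before and after: the sockets are still open, but nothing from the network can reach them. Note that ipfw rules do not survive a reboot on their own; a launchd job or startup item is needed to reapply them.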
Re: Application Firewall security updates Nov 15 2007 11:36PM
Mark Senior (senatorfrog gmail com) (3 replies)
Re: Application Firewall security updates Nov 17 2007 02:54PM
Chris Pepper (pepper reppep com) (1 replies)
Re: Application Firewall security updates Nov 19 2007 12:59PM
Sandor Szücs (sszuecs zedat fu-berlin de)
Re: Application Firewall security updates Nov 16 2007 11:03AM
Radoslav Dejanović (radoslav dejanovic opsus hr) (2 replies)
Re: Application Firewall security updates Nov 16 2007 05:30PM
Mark Senior (senatorfrog gmail com)
Re: Application Firewall security updates Nov 16 2007 04:34PM
Derek Chesterfield (dez mac com) (1 replies)
Re: Application Firewall security updates Nov 17 2007 12:30AM
Mark Senior (senatorfrog gmail com)
Re: Application Firewall security updates Nov 16 2007 04:47AM
Derek Chesterfield (dez mac com) (2 replies)
Re: Application Firewall security updates Nov 16 2007 04:08PM
Scott Russell (ScottRussell nd edu)
Fwd: Application Firewall security updates Nov 16 2007 04:55AM
Derek Chesterfield (dez mac com)
Re: Application Firewall security updates Nov 15 2007 10:08PM
Radoslav Dejanović (radoslav dejanovic opsus hr)
Re: Application Firewall security updates Nov 15 2007 10:05PM
Dave Schroeder (das doit wisc edu)


 

Copyright 2010, SecurityFocus