YOUR IT - Technology for you


Leopard security questioned


While most Mac users feel confident about the security of their computers (notwithstanding the latest Mac Trojan), experts have raised several issues relating to Mac OS X 10.5 Leopard.
Perhaps the most surprising is that Leopard's firewall is disabled by default. heise Security notes that even if the standard firewall is active in an older installation of Mac OS X, an upgrade to 10.5 will disable it.

Even if "Set access for specific services and applications" is selected, the firewall automatically adds every process started by the user to the list of exceptions, heise found. Very convenient for the user, but not very secure as it could easily be exploited by malware.

Furthermore, "Block all incoming connections" allowed some traffic to pass.

"[T]hese results mean that users can't rely on the firewall," heise's Jürgen Schmidt said. "Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto." However, any flaws uncovered in system services exposed by the firewall could be remotely exploited.

He also notes that "the tried and tested BSD ipfw packet filter" is still present in Mac OS X 10.5 and could be used with an appropriate set of rules to provide better protection. (The default rule allows all traffic.)
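As an added illustration (not from heise or the original article), the script below prints a minimal default-deny ipfw ruleset of the kind that remark points to, so the final rule reached is a deny rather than the default allow. The `build_rules` helper, the rule numbers and the choice of port 22 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: print a default-deny ipfw ruleset. Dry run only; nothing is
# loaded into the kernel. Helper name and rule numbers are illustrative.

# build_rules [tcp_port ...]
# Prints one rule per line in rules-file format (no leading "ipfw").
# Each argument is an inbound TCP port to permit.
build_rules() {
    for port in "$@"; do
        # Accept only plain decimal ports 1-65535: no empty values, no
        # non-digits, no leading zero, no more than five digits.
        case "$port" in
            ''|*[!0-9]*|0*|??????*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -gt 65535 ]; then
            echo "invalid port: $port" >&2; return 1
        fi
    done

    # Loopback traffic is always allowed.
    echo "add 100 allow ip from any to any via lo0"
    # Replies to connections we opened match the dynamic state table.
    echo "add 200 check-state"
    # Outbound TCP and UDP from this host create state entries.
    echo "add 300 allow tcp from me to any setup keep-state"
    echo "add 310 allow udp from me to any keep-state"
    # Explicitly permitted inbound services, one rule per port.
    n=400
    for port in "$@"; do
        echo "add $n allow tcp from any to me $port setup keep-state"
        n=$((n + 10))
    done
    # Everything else is dropped and logged before the built-in
    # allow-all default rule can be reached.
    echo "add 65000 deny log ip from any to any"
}

# Dry run: ruleset permitting inbound SSH only (port 22 is a constructed choice).
build_rules 22
# To load: save the output to a file and pass its absolute path to ipfw as root.
```

This minimal set is a starting point; services such as DHCP or Bonjour may need additional rules before it is usable on a given network.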

Some of Leopard's new security-related features have also come in for criticism. According to Matasano Security's Thomas Ptacek, sandboxing and address space layout randomisation (ASLR) have significant shortcomings.

Sandboxing restricts the system functions available to an application. Ptacek gives the example that the Mail application should not be able to add accounts to the system. But "Almost nothing you care about is sandboxed. For instance: Mail, Safari, and iChat," he says. And the rules applying to the few items that are, such as Quick Look, are insufficiently restrictive.

ASLR varies the locations where system functions are loaded, making it harder for malware to exploit various types of memory corruption issues. Yet the dynamic linker library - which provides many functions useful to the malware writer - is not randomised, according to Ptacek.

"[I]f I can run code on your box for any reason, I can probably walk past ASLR features in any of your programs," he says. "Cocoa programs running in Darwin are less secure than Win32 programs running under NTOSKRNL, and aren’t even in the same ballpark as Managed C++ or C# programs."

According to Mac security vendor Open Door, the Back to My Mac feature in Leopard (a remote control system that requires a .Mac account) can be used in certain circumstances without requiring a username and password for the target system.

Finally, some commentators have pointed to Apple's track record of being slow to incorporate the latest versions of open source projects used by Mac OS X, and suggest that hasn't changed with Leopard.

The reason this is a problem is that any security patches for those components can be used as templates for exploits of older versions.

Apple was invited to comment but no response had been received at the time of publication.
