Security Quest #11: Leopard Firewall Updates

Apple recently released security updates for their OS products and among those were updates for Leopard all centered around the firewall. The three firewall updates were included in the OS X 10.5.1 update.

One of the fixes took a page from Microsoft by changing some words to help call the problem solved. This “re-wording” was for the problem described as:

The “Block all incoming connections” setting for the firewall is misleading.

Apple fixed this so the setting now reads “Allow only essential services”. According to the bulletin they have reduced the number of apps that allow connections through the firewall. It used to be any app running as root could get through the firewall. Now the list is limited to configd (for DHCP and network configuration), mDNSResponder for Bonjour, and racoon for IPSec.

Previously, any process running as root would be allowed through the firewall even if it was on the list to block. The OS X 10.5.1 update now blocks any process that’s in the list to be blocked, even if it runs as root.

And in the third firewall fix Apple changed it so that changes to the firewall take effect immediately. Previously some processes had to be restarted for the change to take effect.

So, Apple made some changes to the firewall so it makes a little more sense and the way it works is more clearly defined. I still prefer the OS X 10.4 method of opening ports by number.

News & Links

BlogSecurity.net: RR Securing WordPress Tips – Good tips for securing a WordPress website.

PaulStamatiou.com: Privacy Implications of RFID Tags – An interesting read on the topic.

Wired.com: Hushmail To Warn Users of Law Enforcement Backdoor – Hushmail, always thought to be secure, can read any email with a court order. Even those using their most secure product.

apple.com: Apple security updates (OSX 10.3 & 10.4 and Safari 3 Beta for Windows – Apple released OS X 10.4.11 for Tiger which includes security updates. Also Security Update 2007-008 for OS X 10.3.9. And finally, Safari 3.0.4 beta for Windows which includes security updates.

news.com: In ID theft, some victims see opportunity – Roundup of ways companies make money from ID theft. Needing to pay to protect our identity just seems wrong to me.