All these fixes bode well, showing Apple's quick response to issues raised by their users. I am still hopeful the application-based (socket) firewall will become a strong security asset to improve Mac OS X's reputation for security, although I believe the traditional ipfw will need to play a role as well.
I like the idea of a layered security approach where ipfw blocks things at a port and packet level, and Leopard's new socket firewall blocks things at an application level. (Of course a hardware firewall is still recommended for home network connections.) Combine this with a system that leaves unnecessary services off until needed and has few exploitable bugs, and you have a highly secure system with minimal inconvenience.
Fixed in 10.5.1
- The firewall setting no longer refers to "Block all incoming connections", but calls it more accurately "Allow only essential services". This should go a long way toward fixing the confusion caused by mislabeling this setting.
- When "Set access for specific services and applications" is selected in the application firewall, the setting now functions properly when setting "Block incoming connections" on root processes. Previously, root processes were always allowed.
- Processes launched by launchd previously were not affected by firewall settings changes until they were restarted. This caused applications to be unexpectedly exposed, and it was especially noticeable when changing settings and testing, as many security experts did.
Not Sure
- From Apple's 10.5.1 Release Notes:
"Addresses a code signing issue; third-party applications can now run when included in the Application Firewall or when whitelisted in Parental Controls."
This may refer to fixes for applications like Skype, World of Warcraft, and other apps that do their own integrity check. We'll see how things develop.
Open Issues Remaining in 10.5.1
- Processes running as root are still allowed to accept incoming connections unless specifically blocked. This will continue to be a sore spot, as it leaves open the possibility of an exploit or Trojan running as root going about its business unhindered. An important thing to consider: any process running as root could change any settings it wanted.
- ipfw is still not active, as it is running with only one rule (65535 allow ip from any to any).
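As an added example (not code from the original post or from Apple), a small POSIX shell script that audits the text of `sudo ipfw list` for the default-rule-only state described above, and prints the kind of minimal packet-level ruleset the layered approach in the introduction calls for. The rule numbers and the choice to allow only SSH in are assumptions; nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example, not part of the original post.
#  1. ipfw_is_default_only: given the output of `sudo ipfw list`, returns 0
#     when ipfw holds nothing but the catch-all rule 65535 (the "not active"
#     state of a stock 10.5.1 install), 1 otherwise.
#  2. count_deny_rules: prints how many deny rules the listing contains.
#  3. print_layered_rules: emits the ipfw commands for a minimal port/packet
#     layer under the application firewall (assumed rule numbers; only SSH
#     is let in). Review before piping to `sudo sh`.

ipfw_is_default_only() {
  # Any numbered rule other than 65535 means a real ruleset is loaded.
  printf '%s\n' "$1" | grep -E '^[0-9]+ ' | grep -qv '^0*65535 ' && return 1
  return 0
}

count_deny_rules() {
  printf '%s\n' "$1" | grep -Ec '^[0-9]+ deny ' || true
}

print_layered_rules() {
  cat <<'EOF'
ipfw add 00100 allow ip from any to any via lo0
ipfw add 00110 deny ip from any to 127.0.0.0/8
ipfw add 00200 allow tcp from any to any established
ipfw add 00300 allow tcp from any to any dst-port 22 in setup
ipfw add 00400 deny tcp from any to any in setup
ipfw add 00500 allow icmp from any to any
EOF
}

# Constructed samples of `ipfw list` output (not captured from a real host).
DEFAULT_ONLY='65535 allow ip from any to any'
LAYERED="$(print_layered_rules | sed 's/^ipfw add //')
65535 allow ip from any to any"

if ipfw_is_default_only "$DEFAULT_ONLY"; then
  echo "ipfw holds only rule 65535: packet filtering is effectively off"
fi
echo "layered sample has $(count_deny_rules "$LAYERED") deny rule(s)"
```

On a real system replace the constructed samples with `$(sudo ipfw list)`; the same checks apply unchanged.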
Background
Apple Release Notes for 10.5.1
Apple Security Update Notes
Here at Geek Precis - initial, testing and analysis, and this article
Heise Security - initial, testing, and application signing
Securosis - investigation and good news
TidBITS
LeoFUD - initial FUD and code signing
Apple - firewall support docs and code signing
Books