Vote 2020 graphic
Everything you need to know about and expect during
the most important election of our lifetimes

Surprise, Leopard's Got Security Flaws

Illustration for article titled Surprise, Leopards Got Security Flaws

We've already covered a couple of Leopard's uh-ohs and their fixes, but researchers have kicked up the dirt to reveal a few security-related flaws. First, according to Jürgen Schmidt, editor in chief at Heise Security, if you enable Leopard's firewall (it's disabled by default) and set it to "block all incoming connections," some internal system services are still allowed access from the internet, making it a mite porous. And according to Thomas Ptacek from Matasano Security, two of its security features—sandboxing and library randomization—are half-baked in execution.


The problem with its implementation of sandboxing—where an app is placed in a "sandbox" so it can't get rough with the rest of the OS if it's hacked—is that a lot of the most commonly hacked apps like the browser, mail client and IM app aren't run in a sandbox. To top it off, the sandbox walls aren't as thorough as they should be, mostly applying to network access. Library randomization has similar problems—it wasn't implemented everywhere it should have been, like the Dynamic Link Library, according to Ptacek.


Of course, someone has to actually exploit the flaws—incompletions more so than outright screw-ups—to cause damage, but Apple should probably patch them up with some haste, particularly the leaky firewall issue. [Cnet, Mac World]

Share This Story

Get our newsletter



All the apps in Leopard are cryptographically signed, and therefore have access through the firewall just as someone with 'root' access.

Okay, I admit, I am just a programmer .. So, help me out with this one:

If I find a hole in the Mac OS or in one of it's apps, and make the program do something it is not supposed to do — how is it that having the program I just took over be 'cryptographically signed' going to help the end user?

"Ha! I took over your computer and am having it spit out spam to millions of people!"

"Yeah, but it is cryptographically signed, man - so, that makes it cool OS X spam rather than that lame-o Windows spam."