“The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, “Block all incoming connections,” it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto,” Jürgen Schmidt reports for Heise Security
“Apple is showing here a casual attitude with regard to security questions which strongly recalls that of Microsoft four years ago. Back then Microsoft was supplying Windows XP with a firewall, which was, however, deactivated by default and was sometimes again deactivated when updates were installed. It was also the case that system services representing potential access points for malware were accessible via the internet interface by default. Despite years of warnings from security experts, the predominant attitude was that security must not get in the way of the great new networking functions,” Schmidt reports.
“Then along came worms such as Lovsan/Blaster and Sasser, which rapidly infected millions of Windows computers via security vulnerabilities in system services, causing millions worth of damage. Even today, an unpatched Windows system with no active firewall will be infected within a matter of minutes. However, Microsoft has since learnt its lesson — a serviceable firewall, activated by default, has been included since Service Pack 2. With the standard configuration, no services are accessible from the internet on a Windows system,” Schmidt reports.
Full article here.
Lisa Vaas reports for eWeek, “Instead of addressing perceived flaws in the firewall, an Apple spokesman told eWEEK only that the company ‘takes security very seriously,’ that it has ‘a great track record of addressing potential vulnerabilities before they can affect users,’ and that it always welcomes feedback on how it can make security better on the Mac.”
Full article here.