Review: Security in OS X Leopard Preview Build

March 25, 2007 on 7:04 pm | In Apple, Popular, Security

I’ve got a few friends who really develop Apple software for a living (whose names I’d rather not discuss here) and run Apple’s developer builds of Leopard for software testing purposes. Every once in a while, I come by and test some of my apps, and the last few weeks, whenever I had some time to spare, I’ve been around the network to check on the security of the latest build - Client and Server edition. Stability and release date aside, Leopard’s already a very special OS. Apple’s taken a bit of a fright from the last ‘MOAB’ (The Month of Apple Bugs, for the uninformed) and has locked down several portions of the OS. The highlight of my tour was when someone said:

“Hey, Sebastiaan, don’t you, you know… -like- this stuff?” *Points at monitor*
Me: *peeks over and faints*

Here’s what I saw:

Image removed to comply with DMCA notice.

This is the Server Admin management pane for Leopard (people have pointed out that this looks the same in Tiger; well, it now does what the GUI says it should do, touché). It sucks big-time that there is, once again, a built-in ‘don’t fuck up’ (some fields cannot be edited, including the ICMP rules), but look at that! It’s a veritable dashboard for network geeks! Add to that that a Leopard server could sit at home, between your modem and your AirPort (or an access point that isn’t Apple’s), serve anything (VPN, net-boot, files, calendar, weblogs, streaming, RADIUS to secure your wireless, printing, software update deployment and even more), and act as a NAT and firewall that is ultimately configurable. Gee, with all the news of late, I wonder more and more how possible it would be to run this on an Apple TV, or a Mac Mini. The latter must be possible, but the former would be fantastic. I have seen it running on a 0.7 GHz G4, and it was spanking fast.

Now, what runs on these Leopard machines, and is it secure?
Well, to be short: yes. Apple’s done a lot to make the Darwin 9 and up family spare network administrators some sleepless nights.

First of all, one of my points of critique in my last security articles was that the Firewall preferences were virtually hidden, and disabled by default. Now, following the ‘everything works out of the box - idiot proof - EXTREMELY friendly citizen in networks’ approach, the software firewall still defaults to ‘Allow all connections’, but has more fine-grained controls if the user desires, including a, well, lock-down (disallow all traffic). It’s also housed in the Security preference panel.

Now, since the firewall is hardly the biggest issue in securityland, let’s look at some of the services’ version numbers:

Versioning information removed to comply with DMCA notice.

This looks like a new lineup of software. Especially the FreeRADIUS bundling makes me happy, as it’s becoming an easier technology than ACLs on access points themselves, or even WPA2 / other ‘pass-phrase’ solutions. It’s fine-grained and gives the end-administrator more control over what is happening.

Other ‘little details’ involve the way the firewall handles things. Apple removed controls I discussed in the Advanced panel of the firewall of Tiger; “Stealth Mode” is gone, “UDP Filtering”, the rather generic button, is gone. You now have the ability to restrict services to the local network, or allow internet access. To my surprise, performing a port scan with nmap yielded all ports filtered but Bonjour. This means, as it stands now, out of the box, Leopard is actually OS-fingerprint proof.

It has been in the news lately that InputManagers no longer work in Leopard. If anyone was wondering whether the loss of InputManagers would really cost Apple’s OS X its bleeding edge in user customization and hacking, Apple has done some input hacking of their own: all Cocoa apps now enjoy inline grammar checking, which must be a service able to vacuum in the data you type. After seeing what service is responsible (this is a joke with Leopard’s new tools), it appears that simply hacking features into the Cocoa functionality will be a lot harder. Apple has hardcoded the spelling and grammar checker into the Cocoa framework itself, ensuring that removing InputManager support won’t break their own features. But is it really that impervious to adding a few hacks? We already know the current builds don’t allow Unsanity apps to do their work, and stuff like Mega-Zoom (a SIMBL plugin) doesn’t work anymore, so yes, it is. Is this really bad news? No. I consider it very good news that runtime code injection isn’t a possibility now. Of course, people will probably start an open, shared framework to put these kinds of services in (like skinning, and changing some of the application’s fundamental workings), but Apple’s own binaries… I think we’ll be seeing a fight with that. Apple has proven to be very unforgiving to people reverse-engineering app files that belong to the Dock or Finder. They discourage the OSX86 project, for understandable reasons. This could, quite certainly, hinder OSX86 hackers and break future exploits.

This already tells us one thing: Leopard will need less hardening out of the box. As I haven’t tested things like Bluetooth (not really available on the hardware I was assigned), I haven’t got a complete picture of Leopard’s security, but it does feature some incredibly strong design decisions to harden the OS in advance. Apple isn’t stupid; they know OS X is the base of their users’ experience, and a secure base will ensure Apple stays in line as one of the most secure operating systems running on computers today.

Comments

  1. That photo looks EXACTLY like the Tiger Server firewall at the moment.. Maybe you should have chosen a better pic? As you mentioned, the changes are in other tabs..

    Comment by Andrew Luecke — March 26, 2007 #

  2. hate to break your bubble, but check this out, from Tiger:

    http://i13.tinypic.com/46y3kw2.png

    Comment by ian — March 26, 2007 #

  3. With Bonjour exposed, that is going to create some sort of nmap fingerprint, no?

    Comment by sat — March 26, 2007 #

  4. Hey Andrew, Ian — It was, indeed, an unfortunate pick for a screenshot. Fortunately, the tabs provide with ‘accuracy’, as on digg, some questions were raised regarding the accuracy of the article.

    Comment by sebastiaan — March 26, 2007 #

  5. Sat; given Bonjour is a service you can disable at your own discretion, and it should work out of the box, I consider this an exemption.

    Comment by sebastiaan — March 26, 2007 #

  6. Input Managers are gone, but it just means that people will fall back to less obvious (and arguably more devious) means.

    See, specifically, the DYLD_INSERT_LIBRARIES environment variable. I’m assuming there’s nothing stopping anything from setting it in ~/Library/Preferences/environment.plist

    Comment by Mo — March 26, 2007 #
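
Added example, not part of the original post or its comments: a defensive audit for the two injection routes discussed on this page, InputManager bundles (the article) and `DYLD_*` variables in a per-user environment plist (comment 6). The plist locations are assumptions (the path the comment names, plus `~/.MacOSX/environment.plist`), and the sample plist with its library paths is constructed.

```python
import plistlib
from pathlib import Path

# Constructed sample: an environment.plist that would inject two libraries
# (placeholder paths) into every process started in the login session.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/example/Library/hook.dylib:/tmp/other.dylib</string>
  <key>PATH</key>
  <string>/usr/bin:/bin</string>
</dict>
</plist>
"""

# Assumed locations, relative to a home directory.
ENV_PLISTS = (
    "Library/Preferences/environment.plist",  # path named in the comment
    ".MacOSX/environment.plist",              # per-user session environment
)
INPUT_MANAGER_DIR = "Library/InputManagers"

def dyld_findings(plist_bytes):
    """Return [(variable, [paths])] for each DYLD_* key in a plist."""
    try:
        items = sorted(plistlib.loads(plist_bytes).items())
    except Exception:
        # Malformed or non-dictionary plist: flag it for manual review.
        return [("UNPARSEABLE", [])]
    return [(k, [p for p in str(v).split(":") if p])
            for k, v in items if k.startswith("DYLD_")]

def audit(home):
    """Collect DYLD_* settings and InputManager bundles under one home."""
    home = Path(home)
    report = {"dyld": [], "input_managers": []}
    for rel in ENV_PLISTS:
        if (home / rel).is_file():
            for var, paths in dyld_findings((home / rel).read_bytes()):
                report["dyld"].append((rel, var, paths))
    managers = home / INPUT_MANAGER_DIR
    if managers.is_dir():
        report["input_managers"] = sorted(
            p.name for p in managers.iterdir() if not p.name.startswith("."))
    return report

if __name__ == "__main__":
    print(audit(Path.home()))
```

Any entry under `dyld` or `input_managers` is code that gets loaded into other applications at launch, so each one should be traceable to software the user knowingly installed.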

  7. Maybe it’s not your forté, but does grammar checking work with all major languages?

    Comment by Paul D — March 26, 2007 #
