<<< Date Index >>>     <<< Thread Index >>>

Leopard's firewall damages Skype and WoW



Hi,

some further research on the firewall of Mac OS X Leopard proved, that the firewall is altering binaries on the disc -- in some cases they refuse to work after that.

In contrast to Tiger, the firewall in Leopard no longer operates at the packet level but rather it works with applications, to which it permits or denies specific network activities. In order to unambiguously identify applications, Apple uses code signatures. Certain applications signed by Apple are automatically permitted to communicate with the network past the firewall without showing that in the user interface -- even if the firewall is set to "Block all incoming connections". (see: http://www.heise-security.co.uk/articles/98120).

By contrast, if an application which does not have a valid signature opens a network port, the firewall swings into action. In restricted mode, simply trying to start a service brings up a window asking the user for permission. The system records this choice and enters it into the firewall's exceptions list. Hitherto Apple furnishes unsigned programs with a digital signature in the process.
If changes are made to the program subsequently, the permission is withdrawn.

Code signing becomes a problem when an application performs its own self-integrity check and determines that the file on the hard disk has been changed. The firewall's code signature changes the checksum of Skype's binary on the disc:

MD5 (Skype) = 9d7fa7f77b8dc2a3c2ae61737a373c11
MD5 (Skype-org) = 4245cb201a94c76ddcb54b1cc1e58cfa

after which, if the user attempts to start Skype from the command line it displays the following message:

Main starting
Check 1 failed. Can't run Skype

Similar behaviour has been observed by World of Warcraft users.

For more see:

http://www.heise-security.co.uk/news/98492

Code Signing is documented in:

http://developer.apple.com/releasenotes/Security/RN-CodeSigning/
http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html

bye, ju

--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970