Leopard's firewall damages Skype and WoW

Hi,

some further research on the firewall of Mac OS X Leopard proved, that the firewall is altering binaries on the disc -- in some cases they refuse to work after that.

In contrast to Tiger, the firewall in Leopard no longer operates at the packet level but rather it works with applications, to which it permits or denies specific network activities.
In order to unambiguously identify applications, Apple uses code signatures. Certain applications signed by Apple are automatically permitted to communicate with the network past the firewall without showing that in the user interface -- even if the firewall is set to "Block all incoming connections". (see: http://www.heise-security.co.uk/articles/98120).

By contrast, if an application which does not have a valid signature opens a network port, the firewall swings into action. In restricted mode, simply trying to start a service brings up a window asking the user for permission. The system records this choice and enters it into the firewall's exceptions list. Hitherto Apple furnishes unsigned programs with a digital signature in the process. If changes are made to the program subsequently, the permission is withdrawn.

Code signing becomes a problem when an application performs its own self-integrity check and determines that the file on the hard disk has been changed. The firewall's code signature changes the checksum of Skype's binary on the disc:

MD5 (Skype) = 9d7fa7f77b8dc2a3c2ae61737a373c11 MD5 (Skype-org) = 4245cb201a94c76ddcb54b1cc1e58cfa

after which, if the user attempts to start Skype from the command line it displays the following message:

Main starting
Check 1 failed. Can't run Skype

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Similar behaviour has been observed by World of Warcraft users.

For more see:

http://www.heise-security.co.uk/news/98492

Code Signing is documented in:

http://developer.apple.com/releasenotes/Security/RN-CodeSigning/ http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html

bye, ju

--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970,  5D7B 476D 84D5 94FF E7C5  67BE F895 0A18 38EA 4970