Leopard 'Firewall' Breaks Skype, Warcraft

Say goodbye to packet level filtering.

Get It Try It

Jürgen Schmidt of Heise Security has taken a third look at the Leopard firewall. He's not overjoyed.

'Maybe it wasn't such a bad idea Apple decided the firewall in Mac OS X Leopard should be deactivated by default', he writes sarcastically.

Based as it is not on packets but on applications it can 'sign' applications at runtime - thereby breaking consistency checks these applications perform on themselves.

This can happen if the firewall it put into 'set access for specific services and applications' mode and 'allow all' is not used.

But considering 'allow all' leaves the user with no protection it's not a choice option.

Code Signatures

Starting with Leopard Apple are featuring 'code signatures'. 'Signed' applications are thereby able to bypass the firewall without being detected - even with the 'firewall' set to 'block all incoming connections'.

If connections are blocked and a new application launches the Leopard firewall will on approval 'sign' the application. Should the application be tampered with the firewall will again deny access.

The punch line is it's not a secret that a lot of software - for several reasons - performs consistency checks on startup and once they've been 'signed' by the Leopard firewall they'll fail that check.

Applications found to break in this fashion include Skype and World of Warcraft.

See Also
Heise: Mac OS X Leopard firewall breaks programs
WoW Forums: Unable to Validate Game Version after Leopard