|Home » Industry Watch
Tiger Phone Home?
It's not just the sneaky tricks - as with Microsoft and Sony, it's the stupid way they're done.
That OS X 10.4 'Tiger' Server does a bit of 'phoning' has been known for some time, but the recent 10.4.7 upgrade pulls things down to a new nadir.
As noted at MacInTouch, OS X Server 10.4 probes LAN connections looking for duplicate serial numbers. But Jonathan Rentzsch discovered the hole goes deeper still.
OS X Server namely overrides explicit firewall settings to keep its copy protection scheme running.
UDP port 626 is listed as 'serial number support' [sic] under OS X server. The network administrator can of course close the port through firewall configuration. But the serialnumberd daemon, lurking there on your system, will notice the change and silently open the port again.
As noted by Rentzsch, this results not only in a security hole but in a user interface bug: the server administration interface will claim UDP 626 is closed but the 'active rules' pane will show it as open.
This means every OS X Server 10.4 deployment, regardless of its firewall setting, will accept and attempt to act on UDP packets sent to port 626. Given the fact serialnumberd runs as root and is known to not be free of bugs, I find this worrisome.
Rentzsch has a QuickTime 7.3 movie (3.4 MB) available which demonstrates this 'OS X Server Firewall Serial Hole'.
Yes It's Open!
Administrators are already up in arms. Says Peter T from Down Under:
As a system administrator it annoys me when someone tries to tell me what
ports I can and cannot block on my own network. And it annoys me even more
when I find out they are resetting these ports behind my back.
The OS X Server Firewall Serial Hole
The OS X Server Firewall Serial Hole Movie
Server 10.4.7: Phoning Home (30 July 2006)Server 10.4.7: Phoning Home (31 July 2006)Server 10.4.7: Phoning Home (1 August 2006)