Mac OS X firewall blocks Skype and online gamers

The list of problems with the firewall bundled with the Mac OS X Leopard operating system is growing. Not only is Leopard's firewall deactivated upon installation, it also trips up Skype and online gaming applications. Both German security news service Heise and security blogger Rich Mogull encountered the problem, the latest in a …

COMMENTS

This topic is closed for new posts.
  1. yeah, right.

    Leopard = Vista?

    I wonder what happened to Apple? Did they decide that since Microsoft got to call Vista "an outstanding success" that they too should leave their customers out standing in a field of bugs somewhere?

    Or have they gotten just big enough that they think they really don't need to give a shit about the customer anymore? Not that I think they ever did - they just care about design and doing things THEIR way. They've got great design skills though, so they've gotten away with it so far.

    Ah well, that's why I'll never be an early adopter. Let's see how long it takes for Apple to fix this latest pile of buggy cack. They'll have to be really slow to win the "how slowly can you fix your crap" contest with Microsoft...

  2. Scott
    Joke

    Why bother...

    turning on the firewall in the first place? OS X isn't riddled with security holes like Windows.

  3. Dan

    WoW

    World of Warcraft worked perfectly the first time I started it up in Leopard.

    However, this may be due to the fact I had the blue screen problem after install, and had to manually transfer all of my accounts, apps, preferences, and everything else the install should have done automatically.

    Enabling the firewall for WoW isn't hard anyway, so most people who actually use it should have no problem figuring out the problem from WoW error messages and simply turn on the right port. I believe which is stated in the original documentation.

  4. Anonymous Coward
    Jobs Halo

    To be fair...

    ...applications should really be creating/changing settings per-user in the user's home directory, not fiddling around with their app bundles.

    Apple's completely on the money with this one and that Skype needs to get into the mindset to build OSX apps properly.

  5. Anonymous Coward
    Joke

    Is this lame-duck . . .

    one of those 'secret features' Jobs didn't want to talk about when he previewed Leopard? If so, too late -- Microsoft already has this!!!!

    (Apple: Smarten up -- you should know better. Too much time with the iPod toys.)

  6. Ed

    Well, they were warned

    Apple have warned developers for over a year that they shouldn't modify their own app bundles while running for exactly this reason...

  7. James
    Dead Vulture

    online gamers use Mac?

    since when? who gives a crap about the OS X firewall?

  8. Anonymous Coward
    Anonymous Coward

    I think you'll find...

    Skype doesn't, I believe, modify itself (part of Skype's startup regime is to see whether it has been modified). Leopard slaps a "CodeResources" file inside the application directory as well as modifying (signing at a guess) the Skype binary when you tell the firewall to permit Skype.

    The irritating thing is that the code signing stuff is clearly running with a certain degree of privilege: I can't stop it modifying the files with a swift chmod 555.

    Anyhoo, Leopard is much less of a beta than Vista...

  9. Anonymous Coward
    Coat

    Make up your mind!

    Ok, so first of all, it's not strict enough, and "insecure". Now this, and it's TOO strict! Make up your mind, whiners!

  10. Webster Phreaky
    Jobs Horns

    I TOLD YOU SO!! Bwah ha ha ha ha ha ha ha ha ....

    OS X doesn't = Vista or Windows ....... it's TEN TIMES WORSE!!

    Apple = Bug-o-matic Coders

    I TOLD YOU SO!! Bwah ha ha ha ha ha ha ha ha ....

  11. Anonymous Coward
    Stop

    Well, to be fair, I think YOU'll find that...

    ... Skype does modify itself. How else does auto-update work except by replacing one executable with another?

    And it's not like you can fix a bug or security hole by changing a "per-user" configuration option.

  12. Andy Bright
    Happy

    Yes online gamers use macs

    I know several people that do, and have even replaced Ventrilo codecs to accommodate them.

    As for Leopard blocking WoW, not sure that's a big deal, several firewalls do that on my Windows box, and it's a fairly quick fix to sort it out. I would think the same is true of Skype.

    No one seems to have a problem with Vent, which is by far the best online communications package I know of, the quality is superb, so I don't see why this should be more than a minor "look it up on their respective websites for info" sort of thing.

    As for Vista, there are several easy solutions to making it trouble free for online gaming - none are particularly desirable, but they are simple. You can make folders writable under your regular login account, or you can run these games in admin mode when they need to install patches. I don't see that this makes you any less secure than say WinXP - but Linux and Mac users are probably cringing.

    Probably the best solution, albeit the most time consuming, is to wipe any Vista computer and re-install XP. At least the antivirus and antispyware apps will work again - instead of needing permission to prevent malware from being installed.

  13. Warren
    Jobs Halo

    Not a problem on either count

    I'm not sure where the data for these reports comes from?

    I can run Skype and WoW perfectly in Leopard, with the firewall enabled.

    The only need was to install both programs after the leopard install. (I did archive & install and both didn't work after)

    Anyone with a clean install method, or bought the machine pre-installed won't have this problem.

    Research, research, research!

  14. Tim Blair
    Jobs Horns

    Why bother...

    "turning on the firewall in the first place? OS X isn't riddled with security holes like Windows"

    good point, and drive a Wartberg, be a smackhead,

    no one will want to mug you either !

    No security holes ? it's just that no one can be arsed to dig through a nerds trash !

  15. swokm
    Go

    Well then...

    "Unfortunately, some applications, such as Skype, may change as they run."

    There's your problem! No binary should really be continually shifting; that is just perverse.

    Signing is a good tool. Skype need to use the OS X layout (that Apple's been promoting for... oh, around 7 years now?) if it wants to store data.

  16. E

    @To be fair...

    Got that right. OS 10 has a well defined mechanism to store per user settings (~/Library) and global settings (/Library). Windows has this in c:\<something mumble mumble> and UNIX has it as dot-files in ~ or /etc.

    Anyone who writes an app that alters its own app bundle or (God forbid) binaries is very uninformed, or very lazy.

  17. David Wilkinson
    Gates Horns

    No security holes.

    OSX has security holes, maybe not as many, but it's hard to tell because there are a lot less people looking.

    Speaking of security know about the Mac Admin Hack. Single User mode, delete one file, next boot OSX walks you through setting up an admin account.

    If you can't Command+S at boot, just reset the firmware by removing a memory module.

    Not saying you can't do the same on XP/Vista, but it takes 5 times longer and requires a linux boot CD. OSX already includes everything you need to hack your way in.

  18. Steven Hewittt
    Thumb Up

    ROLF

    I just love the way that if applications break under these super new features under OS X then it's the developer's fault. Same for the BSOD.

    Think you'll find ladies and gentlemen that this is the same reason as when you get UAC prompts in Vista. (Other than when you are accessing any system wide configurations). Many devs haven't bothered with MS's coding standards - even though they have been around for a good 7 years too. Thus many apps try to write to system wide areas rather than user only areas. Whilst Vista proactively redirects the vast bulk of these commands to virtualised folders, some do slip through creating UAC prompts. (Take Dreamweaver MX 2004 for example)

    Love the difference in comments compared to Vista and OS X. Although at least with Vista I don't need to drop to a terminal to tell the OS that the app is OK to be let through the firewall - which of course is on by default.

  19. Anonymous Coward
    Joke

    There are no issues

    I don't run windows and as such my choice of OSX was clearly the right choice and doesn't have any bugs coz that's what I run Hmmk.

    Also this feature you call an issue is what we users requested and is down to poor applications.

    We have no bugs in our code - move along now as we're better than you.

  20. Adam Harris
    Happy

    Block Skype?

    Wow, finally an inexpensive and effective way of blocking Skype.

    IT Admins around the country must be rejoicing!

  21. Anonymous Coward
    Jobs Halo

    Re: @To be fair...

    OS X == Unix! Says in their web site:

    "Leopard is an Open Brand UNIX 03 Registered Product, conforming to the SUSv3 and POSIX 1003.1 specifications for the C API, Shell Utilities, and Threads."

  22. Andy Worth

    We'll see...

    The day that hackers start looking at Mac systems (if they ever bother) in earnest, I'd be willing to bet that hundreds of security holes are found. Mac users like to think they are safe, even the adverts try and fool you so but what the adverts don't point out is that it is just because people don't try. The bug-riddled "Leopard" just goes to show that Apple are not immune from software "features" which would also suggest that they are not immune from malware and security flaws.

    "Maccers" should hope that macs remain the "small fry" in the computing world because the more attention they draw to themselves, the more people will start breaking the code.

  23. Nick Fisher

    Strange

    I've been playing WoW with the Leopard firewall enabled for the past week or so with absolutely no problems whatsoever.

    But why let the facts get in the way of a good story?

  24. Giles Jones Gold badge

    @Webster Phreaky

    If there's anything worse than a Mac fan boy it's a Windows fan boy.

    Your argument falls down seriously when you see that most electronic musicians use Apple on stage, this is proof of the reliability of their software.

  25. Cameron Colley

    Does OSX really need a firewall?

    After managing to run Windows 2000 and XP for a couple of years without a firewall installed, and with no problems, I'm not sure I understand why an Apple user would need a firewall?

    Surely most people are sitting behind a NAT anyhow, to prevent the port-probing, so where's the issue? Similarly for outbound traffic -- on Windows XP and earlier, with nasty things like ActiveX (or whatever it's called nowadays) and a system setup that means one stray click and you have a root-kit I can understand this, but on a system that's locked-down by default, is this really necessary?

    Also, surely the firewall blocking executables that have been modified without its knowledge is a good thing, on the whole? How would it detect hijacked programs if it didn't do this?

    Wow! I just said some positive things about Apple -- I feel dirty now, I need a shower.

  26. Justin
    Flame

    I'm not so sure...

    "They've got great design skills though, so they've gotten away with it so far."

    ...incorrect, the only thing they have gotten away with is a good PR engine and an extremely gullible customer base. Their design ‘skills’ aren’t worthy of such title. Example: Their design ‘skills’ conceive a phone with no buttons, no picture messaging, no video capture & out-dated, slow internet connectivity (no 3G) – but no fear, their PR guys will be able to spin this off as a mobile phone revolution and flog it for the same price as a half decent laptop. Similarly their design ‘skills’ neglected to include a screen in one of their MP3 players, but this was soon turned into a ‘cool’ feature by PR, and lapped up by non-thinking idiots who thought it would make them a bit more ‘spontaneous’ and ‘less boring’.

  27. Anonymous Coward
    Jobs Horns

    No different from Vista then....

    "...applications should really be creating/changing settings per-user in the user's home directory, not fiddling around with their app bundles.

    Apple's completely on the money with this one and that Skype needs to get into the mindset to build OSX apps properly."

    That is what MS has been saying for years with XP but now fully enforced in Vista (non-Admin apps should not and now cannot write to \Program Files etc) - yet all the Mac fans (and Apple via their ads) slated Microsoft for 'breaking all the apps', Vista incompatibility etc. If *developers* actually followed MS advice (see MS Patterns + Practices site) then the apps wouldn't have this problem.

    It really seems that Apple are getting hit with the same 'issues' MS had with Vista - it's just that the minority (but highly vocal) Mac users seem more forgiving of Jobs than of Gates.

  28. Anonymous Coward
    Unhappy

    I use my router's firewall

    I mean seriously who the hell uses software firewalls in this day and age?

    I mean what dsl router does not come with firewall software built in???

  29. Anonymous Coward
    Coat

    @No different from Vista then....

    Typical Mac user comment.. Not worth further comment as you obviously haven't a clue what you're talking about!

    (Sits back and waits for the rocks to start flying!)

    I'll get me coat.

  30. Shakje
    Stop

    Is this something like...

    developers complaining because Vista enforces the MS development guidelines?

    It seems obvious to me that if the executable is updated, there is going to be a short time between the update rolling out, and Apple updating its signing rules before you can run it through the firewall, so anyone trying those apps now probably won't have a problem. Of course if those apps update the executable then you'll have the same problem again. If I've got that wrong then please correct me, I don't mind.

    @Andy Bright

    I play plenty of online games, old and new and I've only had to do two things, one was installing a hotfix because Vista and DirectX10 try to move away from the memory caching idea, and second to run Vent as admin. Other than that I've had absolutely no problems (granted I haven't installed or played WoW for a long time, not since before I used Vista). As for UAC, simpler solution is to just turn it off. I'd think that UAC is more for people like me who use an AV to scan once every few days and may make a mistake occasionally (although I have yet to make a serious mistake virus-wise). If you have a good AV, and competent users, just turn it off.

  31. Ted Treen
    Jobs Halo

    @Phreakster

    Come on now, Webster old boy:- you won't get better if you don't take your medicine: AND your nurse will be very cross with you.

    Please get your jacket - the nice one whose sleeves tie at the back.........

    There's a good little chappie.

  32. Scott Mckenzie

    Router Firewall...

    [quote]

    I mean seriously who the hell uses software firewalls in this day and age?

    I mean what dsl router does not come with firewall software built in???

    [/quote]

    Where I come from, we call that a contradiction in terms.

  33. Pascal Monett Silver badge

    @Giles Jones

    Aww, ain't you being a nice one ! Phreaky didn't make an _argument_ at all.

    He just cackled madly.

  34. Anonymous Coward
    Paris Hilton

    All new Mac OS...

    The first incarnation has bugs....but wait for OSX.5.1. That will fix them.. and what's the problem with blocking bandwidth hogging gamers and Skype, if I had my way, they'd be banned for all time.

    Stops me downloading pics of Paris Hilton!!!

  35. Shell

    Are you kidding?

    Yeah sure you enable a firewall and it blocks stuff. So what!? That's what it's supposed to do. Same happens under Windows XP. By default, most games will NOT get out of the Windows firewall so you have to add the ports games use to the exceptions list... including WoW. I had to do this on my old PC (before I got a router with a firewall). Same thing for the Apple firewall. You really expect Apple to go around unblocking all the ports games could possibly use, just in case? Everyone would then accuse them of having a firewall full of holes!

  36. Francis Fish
    Stop

    Reinstall WoW?

    Are they nuts?

    My son plays it - 4 DVDs and then about half an hour to update itself.

    And the add on pack we got for his birthday was about the same.

    I don't think so.

  37. Stewart Atkins
    Stop

    wow on leopard

    if you aren't having problems with wow on the firewall, give it a week. it gets patched next Wednesday and that will probably cause a few problems

  38. Paul
    Jobs Horns

    Mac OSX is getting like Linux...

    Except for price. "if you just change the port settings etc" No I won't! XP has never needed me to do this. I could if I needed to, but I don't. When I'm at home, playing a game, I just want to put it in the drive, let it run and play the game. Not F about with ports etc. Face it Fanbois, Mac OSX has problems.

  39. Anonymous Coward
    Thumb Up

    @ Scott Mckenzie

    Dude, well played!

  40. Peter W

    do my eyes deceive me

    some people actually like the horrible, patronising OS that is Vista?

  41. Ross

    Not an Apple prob

    Ofc OS X has security holes. The fact they haven't been discovered or publicly released doesn't mean they don't exist. Take format string vulnerabilities for example - it turned out that Sendmail had been vulnerable to them for 10 years by the time they were actively published. It may have been exploited using them during that time, it may not, but it was vulnerable to them all the same.

    This particular issue seems to be a case of working as intended. If Apple leave the firewall as it is and force developers to patch their software it'll set a good precedent and in the future any developer that doesn't want problems will follow the specs.

    If they change how the firewall works to help non-conforming apps out then we'll end up with a massive mess of hacks and kludges with myriad unforeseen side effects etc and possible security holes.

    I don't have a Mac, don't want one either, but I'd side with Jobs and Co on this one.

  42. Paul
    Jobs Horns

    Mac OSX is getting like Linux...

    Except for price. "if you just change the port settings etc" No I won't! XP has never needed me to do this. I could if I needed to, but I don't. When I'm at home, playing a game, I just want to put it in the drive, let it run and play the game. Not F about with ports etc. Face it Fanbois, Mac OSX has problems.

  43. Jeff
    Thumb Down

    Making assumptions about application behaviour...

    ...is exactly what broke hundreds of apps under Vista. Personally I agree that a self-altering binary is a silly idea unless you want to very specifically distribute a single-file application. Of course OS makers can encourage better practices by creating incompatibilities with (in the majority of cases) silly ideas, but, for example, where's the scope for altering the contents of a self-extracting archive in Apple's idealism? The OSX could do is prompt a user that the file's contents have changed or pop up a warning icon somewhere.

  44. Shakje

    @Peter W

    Horrible why? Patronising? Maybe a little, I can just think of the times when UAC would be good, just because it's implemented a bit (read a lot) heavy-handedly doesn't mean it won't be useful. The best example I can think of is asking you if you want to run embedded content on websites or allow ActiveX holes to be exploited to run executables. Vista will stop me from having to make the mad dash to close my browser, then run a scan.

    If you don't use it regularly, and are quite happy to spend time picking small holes in the OS then fine, go ahead, but quite frankly I'm more than happy with it, and used to its little quirks.

  45. Jacob Reid
    Jobs Horns

    gamers use macs?

    I didn't think macs even had graphics cards, based on their lack of a decent OS to the point of having to run windows.

  46. Andy Bright
    Thumb Up

    @Shakje

    The problem with Vista and WoW (or indeed addon installers like wowace) is that it requires write permissions to the World of Warcraft directory whenever the launcher wants to install a patch. The common experience is to see the patch downloaded then fail to install, and wow prematurely ends.

    As for wowace and similar software they just fail every time they try to install an addon.

    So you have several choices for wow itself, run in admin mode to install a patch or set the permissions on your wow directory so your regular account can write to it. Running wowace in admin mode doesn't work - the download/install functions are separate tasks and therefore lose the admin privileges - so you're limited to choice no. 2 (or logging in as administrator just to install addons).

    I don't feel either represents too great a risk, however wow is one of the most attacked games in terms of account theft. This is usually done by cracking php guild websites and taking their users' passwords, unfortunately too many people use the same password or simple variations for everything. However if you fail to use the Blizzard launcher (which detects the most commonly used malware and key loggers), if you're running in admin mode you are opening yourself up a tad. Not too much, but just a bit.

    The reality is the worst I can see happening is you lose your program directory and need to reinstall the game. It's a pain because you'd have to download large numbers of patches, but nothing more problematic than a new user installing WoW for the first time.

    As for other online games, I don't know, I don't play them - but it's good to hear they don't cause these sorts of problems. :)

  47. James

    Good work on the endless platform trolling, everyone

    Because the only thing more retarded than a retard is a retard arguing with a retard.

  48. Ivan Headache

    @ Jacob Reid

    OK Jacob, Go lie down and sober up. Then post that again so that it makes some sense.

  49. Anonymous Coward
    Anonymous Coward

    I wasn't clear enough (I think you'll find)

    In normal use, Skype doesn't modify anything in its .app folder. The Skype binary in Skype.app/Contents/MacOS/Skype checks itself for consistency. The Leopard firewall alters that binary, thus tripping up Skype's internal consistency check.

    Skype is paranoid. Apple's assumed that developers aren't.

    Anyway, go verify for yourself:-

    Install a fresh copy of skype. Then:-

    cd /Applications

    find Skype.app -type f -exec sum {} \; > 1

    Run Skype. See, it works. Quit it. Run it again. Still works? Yup. Quit it.

    Grab another file of checksums now you've run it once or twice.

    find Skype.app -type f -exec sum {} \; > 2

    diff 1 2

    The diff should show no change in checksums.

    Now turn on the Leopard firewall (I'm using "set access for specific services and applications"), run Skype, and say "always allow" to the firewall prompt. Skype is still working at this point.

    Quit skype and try to relaunch - it's borked. Grab another set of checksums:-

    find Skype.app -type f -exec sum {} \; > 3

    diff 2 3

    See how the binary's changed, and there's a CodeResources file there now.

    system.log says:-

    Nov 7 20:30:44 lapdog com.skype.skype[22549]: Main starting

    Nov 7 20:30:44 lapdog com.skype.skype[22549]: Check 1 failed. Can't run Skype

    Further confirming that it's Skype refusing to run, not Leopard actively blocking it.

    A quick workaround is to run Skype from its dmg rather than from a conventional location: the dmg is mounted read only so Leopard can't fiddle with it. Of course, if Skype needed to modify itself to run, this would also fail. It doesn't. Or hasn't yet failed for me.

    Sorry to go on at length, but there's a lot of bollocks kicking around here. And no, I'm not a Skype apologist: it fecks me off as much as the next man that it's a bugger to spot on the network.

    Lastly: check out http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf for an old-ish but interesting insight into the paranoia of the Skype app.
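
The before/after checksum comparison walked through in the last comment, as an added example that is not part of the original post: it snapshots a bundle-like directory with `cksum` (in place of `sum`) and reports which files were added, changed or removed between two snapshots. The `Demo.app` tree, its file contents and the function names `snapshot`, `compare` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example: snapshot-and-compare integrity check for a directory tree.
# All files below are constructed demo data, not a real application bundle.

# snapshot DIR OUT
# Write one "crc size path" line per regular file under DIR, sorted by path.
# OUT should live outside DIR so the snapshot does not checksum itself.
snapshot() {
    ( cd "$1" && find . -type f -exec cksum {} \; | sort -k3 ) > "$2"
}

# compare OLD NEW
# Print ADDED / CHANGED / REMOVED lines for paths whose checksum or size
# differs between two snapshot files. Prints nothing when they match.
compare() {
    awk '
        {
            sig = $1 " " $2                 # crc and byte count
            path = $0
            sub(/^[0-9]+ [0-9]+ /, "", path) # keep paths containing spaces
        }
        FILENAME == ARGV[1] { old[path] = sig; next }
        !(path in old)      { print "ADDED " path; next }
        old[path] != sig    { print "CHANGED " path }
        { seen[path] = 1 }
        END {
            for (p in old) if (!(p in seen)) print "REMOVED " p
        }
    ' "$1" "$2" | sort
}

# demo
# Build a constructed bundle, snapshot it, then rewrite the main binary and
# drop in a CodeResources file (the two changes the comment reports seeing
# after answering the firewall prompt), and show what the comparison finds.
demo() {
    work=$(mktemp -d) || return 1
    app="$work/Demo.app"
    mkdir -p "$app/Contents/MacOS" "$app/Contents/Resources"
    printf 'original binary\n' > "$app/Contents/MacOS/Demo"
    printf 'icon data\n'       > "$app/Contents/Resources/Demo.icns"

    snapshot "$app" "$work/before"

    # Constructed stand-in for an external tool modifying the bundle.
    printf 'original binary + appended signature\n' > "$app/Contents/MacOS/Demo"
    printf 'resource hashes\n' > "$app/Contents/CodeResources"

    snapshot "$app" "$work/after"
    compare "$work/before" "$work/after"
    rm -rf "$work"
}

demo
```

Run against a real bundle, an untouched resource file such as the icon produces no line at all, so any output is worth a look before trusting the binary.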
