US-CERT alert - MAC OSX Leopard

"US-CERT is aware of reports of possible flaws in the Application-Based Firewall in Mac OS X Leopard. According to these reports, users may be misinformed of the status of their firewall rule set, thus placing users with listening network services at an increased risk."

What *were* Apple thinking?  "Block all incoming connections" should do exactly that.

Heise Security have a detailed analysis of the Leopard firewall's protections, or more precisely lack thereof, and their verdict is:

"The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto."

Ok, so the Leopard firewall is off by default, even if you had your firewall turned on before upgrading to Leopard; it doesn't distinguish between network types (unlike Vista, which lets you set different security levels for different networks); it is application based (identifying programs via code signatures) rather than port based; and there are reports of applications being unable to access the internet (Skype and World of Warcraft being two that come to mind).