Summary: The application firewall, new in Leopard, allows most codesigned applications to automatically accept incoming connections (see rdar://problem/6014948 Code signing makes application firewall useless). Applications that are not codesigned, on the other hand, are supposed to require explicit authorization from the user to accept incoming connections. However, it turns out that it is simple for a rogue, non-codesigned application to bypass the firewall and accept incoming connections. The file "/Library/Preferences/com.apple.alf.plist" contains a list of executables, in the array "explicitauths", that are codesigned but must nonetheless obtain explicit authorization from the user to accept incoming connections. This list includes "/usr/bin/nc". The problem is that (1) the list identifies the executables by path and (2) executables retain their codesigning when copied to a different location on disk. A rogue application can simply copy "/usr/bin/nc" to a location of its choosing and then run the still codesigned nc executable to accept incoming connections on behalf of the rogue application. Steps to Reproduce: 1. Open System Preferences.app, Security Pane, Firewall tab. 2. Select "Set access for specific services and applications". 3. Open Terminal.app 4. cp /usr/bin/nc ~/Desktop/nc 5. codesign --verify --verbose ~/Desktop/nc 6. Verify that ~/Desktop/nc is "valid on disk". 7. ~/Desktop/nc -l 50000 Expected Results: You see a dialog asking, 'Do you want the application "nc" to accept incoming network connections?' Actual Results: No dialog is presented, and ~/Desktop/nc is allowed to accept incoming connections. Workaround: Setting your Firewall preferences to "Allow only essential services" should protect you from this vulnerability. Regression: No regression testing done. Notes: The solution to this problem would be to fix the above mentioned rdar://problem/6014948 Code signing makes application firewall useless. If codesigned applications are not given a free pass, then a rogue application could not use nc to bypass the firewall.