Mac Research
News

Mac feature that could bypass Firewalls removed

Mac feature that could bypass Firewalls removed

A controversial macOS feature that allowed 50 Apple apps to bypass web traffic filters such as third-party Firewalls and VPNs was removed with the latest beta version of the macOS Big Sur update after the severe backlash Apple received after first introducing this feature with the macOS Big Sur operating system back in November last year.

Called “ContentFilterExclusionList,” it included a list of as many as 50 Apple apps like iCloud, Maps, Music, FaceTime, HomeKit, the App Store, and its software update service that were routed through Network Extension Framework, effectively circumventing firewall protections.

The name of the feature that allowed Apple apps to bypass third-party content/traffic filters is ContentFilterExclusionsList and many of the apps included in that list are popular and commonly used ones such as FaceTime, Music, Maps, App Store, and iCloud. The ContentFilterExclusionsList reroutes the traffic from those apps through the Network Extension Framework which allows the listed apps to fully circumvent any form of traffic filtering imposed by Firewalls, VPNs, etc.

This feature and the problems it could potentially cause were first noticed once the beta version of Big Sur was released back in October 2020. Twitter user Maxwell tweeted that some native Apple apps are able to bypass VPNs and network extensions. Since then, other researchers have also expressed their concerns regarding the questionable feature, suggesting that malicious software could exploit it to bypass the system’s defenses against online attacks and enter the computer unnoticed.

Last week, Patrick Wardle, a security researcher at Jamf (an IT company that works with Apple on configuring macOS and iOS), stated that the backlash Apple received from researchers and the press as well as the security concerns raised by the ContentFIlterExclusionsList feature has lead to the decision to remove the latter from macOS with the introduction of its latest update – macOS Big Sur 11.2.

The reason third-party Firewall apps and VPNs are unable to control and monitor the traffic of those 50 Apple apps is that the controversial feature excludes the apps from the NEFilterDataProvider and NEAppProxyProviders network content filters thus allowing the applications to bypass and evade control and monitoring from any filtering apps.

Wardle gave an example of how the exclusions list feature could be exploited by malicious software and used to circumvent the user’s firewall. He stated that a Python script could be used to latch onto one of the apps from the exclusions list and thus bypass any the Firewall protection on machines with the macOS Big Sur system.

With this new change, socket filter firewalls such as LuLu can now comprehensively filter/block all network traffic, including those from Apple apps.

After users update the operating systems of their Macs to Big Sur 11.2, the exclusions list would no longer be present in the system and traffic filtering apps like LuLu and Little Snitch would be able to effectively monitor and block unsafe traffic to and from all apps on the computer, including the ones that used to be included in the exclusions list.

If you are interested in learning more about what changes macOS Big Sur 11.2 will bring or how you could try out its Beta version right now, click on the respective links where you will find more information on those topics.

Exit mobile version