Apple has removed a controversial feature from its macOS operating system that allowed the company’s own first-party apps to bypass content filters, VPNs, and third-party firewalls.
Called “ContentFilterExclusionList,” it included a list of as many as 50 Apple apps like iCloud, Maps, Music, FaceTime, HomeKit, the App Store, and its software update service that were routed through the Network Extension Framework, effectively circumventing firewall protections.
This exclusion list has now been scrubbed from macOS 11.2 beta 2.
The issue first came to light last October following the release of macOS Big Sur, prompting concerns from security researchers who said the feature was ripe for abuse, adding that an attacker could leverage it to exfiltrate sensitive data by piggybacking it onto legitimate Apple apps included on the list and thereby bypass firewalls and security software.
“After lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed,” said Patrick Wardle, a principal security researcher with Jamf, last week.
Researchers, including Wardle, found last year that Apple’s apps were being excluded from NEFilterDataProvider, a network content filter that makes it possible for firewall and VPN apps such as LuLu and Little Snitch to monitor and control data traffic from installed apps on the system.
Wardle demonstrated how malicious apps could exploit this firewall bypass to transmit data to an attacker-controlled server, using a simple Python script that latched the traffic onto an Apple-exempted app despite LuLu and Little Snitch being set to block all outgoing connections on a Mac running Big Sur.
With this new change, socket filter firewalls such as LuLu can now comprehensively filter/block all network traffic, including traffic from Apple apps.
The updates come as Apple deprecated support for Network Kernel Extensions in 2019 in favor of the Network Extension Framework.
We have reached out to Apple, and we will update the story if we hear back.