Apple has removed a contentious macOS feature that allowed some Apple apps to bypass content filters, VPNs and third-party firewalls.
The feature, first uncovered in November in a beta release of the macOS Big Sur feature, was called “ContentFilterExclusionList” and included a list of at least 50 Apple apps – including Maps, Music, FaceTime, the App Store and its software update service. It has been recently removed in macOS Big Sur versions 11.2, Apple experts pointed out this week.
“After lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed,” said Patrick Wardle, principal security researcher with Jamf, this week. “The ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2).”
Researchers found these apps were excluded from being controlled by Apple’s NEFilterDataProvider feature. NEFilterDataProvider is a simple network content filter, which is used by third-party application firewalls (such as host-based macOS application firewall Little Snitch) and VPNs to filter data traffic flow on an app-by-app basis.
Because these apps bypassed NEFilterDataProvider, the service could not monitor them to see how much data they were transferring or which IP addresses they were communicating with – and ultimately could not block them if something was amiss.
After discovering the undocumented exclusion list back in November, security researchers criticized Apple, saying it was a liability that can be exploited by threat actors to bypass firewalls, give them access to people’s systems and expose their sensitive data.
“Many (rightfully) asked, ‘What good is a firewall if it can’t block all traffic?’ I of course also wondered if malware could abuse these ‘excluded’ items to generate network traffic that could surreptitiously bypass any socket filter firewall,” said Wardle. “Unfortunately the answer was yes.”
The new change means that firewalls such as LuLu – an open-source firewall that blocks outgoing unknown connections on Macs – can now comprehensively filter and block network traffic for all Apple apps, Wardle said.
Omg we did it! 🤩
Thanks to the community feedback (and ya, bad press) Apple decided to remove the ContentFilterExclusionList (in 11.2 beta 2)
Means socket filter firewalls (e.g. LuLu) can now comprehensively monitor/block all OS traffic!!
Read more: https://t.co/GJXkRA31e7 https://t.co/BCPqdCjkV0
— Patrick Wardle (@patrickwardle) January 13, 2021
Threatpost has reached out to Apple for further information about ContentFilterExclusionList and its removal.
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m.