Apple Kills MacOS Feature Allowing Apps to Bypass Firewalls

[MrGuvernment]

Apple Kills MacOS Feature Allowing Apps to Bypass Firewalls
https://threatpost.com/apple-kills-macos-feature-allowing-apps-to-bypass-firewalls/163099/

Security researchers lambasted the controversial macOS Big Sur feature for exposing users’ sensitive data.
Apple has removed a contentious macOS feature that allowed some Apple apps to bypass content filters, VPNs and third-party firewalls.
The feature, first uncovered in November in a beta release of the macOS Big Sur feature, was called “ContentFilterExclusionList” and included a list of at least 50 Apple apps – including Maps, Music, FaceTime, the App Store and its software update service. It has been recently removed in macOS Big Sur versions 11.2, Apple experts pointed out this week.
“After lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed,” said Patrick Wardle, principal security researcher with Jamf, this week. “The ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2).”

Researchers found these apps were excluded from being controlled by Apple’s NEFilterDataProvider feature. NEFilterDataProvider is a simple network content filter, which is used by third-party application firewalls (such as host-based macOS application firewall Little Snitch) and VPNs to filter data traffic flow on an app-by-app basis.
Because these apps bypassed NEFilterDataProvider, the service could not monitor them to see how much data they were transferring or which IP addresses they were communicating with – and ultimately could not block them if something was amiss.
After discovering the undocumented exclusion list back in November, security researchers criticized Apple, saying it was a liability that can be exploited by threat actors to bypass firewalls, give them access to people’s systems and expose their sensitive data.
“Many (rightfully) asked, ‘What good is a firewall if it can’t block all traffic?’ I of course also wondered if malware could abuse these ‘excluded’ items to generate network traffic that could surreptitiously bypass any socket filter firewall,” said Wardle. “Unfortunately the answer was yes.”
The new change means that firewalls such as LuLu – an open-source firewall that blocks outgoing unknown connections on Macs – can now comprehensively filter and block network traffic for all Apple apps, Wardle said.

 

[Lakados]

About time.

 

[clockdogg]

Wonder if MS has the courage to copy this new 'feature'

 

[Red Falcon]

Let's hope that this actually sticks.

 

[Aurelius]

The original exclusion was foolish on Apple's part, but as Hanlon's razor goes: never attribute to malice what can be explained by stupidity. Apple is addressing this; I don't think it was as much about creating a double standard as it was the company failing to consider the ways attackers could abuse exceptions for first-party apps.

 

[sfsuphysics]

so what would be the use (other than malicious intent) for allowing a program to bypass a firewall? as opposed to giving it firewall permission?

 

[MrGuvernment]

The original exclusion was foolish on Apple's part, but as Hanlon's razor goes: never attribute to malice what can be explained by stupidity. Apple is addressing this; I don't think it was as much about creating a double standard as it was the company failing to consider the ways attackers could abuse exceptions for first-party apps.

Apple is smart, they knew exactly what they were doing, this wasnt some side though of "lets just bypass the firewall, nothing bad could happen", I beleive it was more of a "lets bypass the firewall because we want to assure our devices can be accessible and our apps will always function to call home "insert need of app here" with out worry of us losing that users data we can track and use as we like"

Apple is as bad as any other company when it comes to data, they want your data, but do not want anyone else to have it.

 

[paradoxical]

Apple is as bad as any other company when it comes to data, they want your data, but do not want anyone else to have it.

Lol, that is exactly why Apple is different than other companies like Microsoft and Google. Apple wants your data, and doesn't want anyone else to have it. MSFT and Google want your data, and want to monetize it by selling it to the whole world.

 

[Red Falcon]

Lol, that is exactly why Apple is different than other companies like Microsoft and Google. Apple wants your data, and doesn't want anyone else to have it. MSFT and Google want your data, and want to monetize it by selling it to the whole world.

At the end of the day, all of these megacorps are the same, and you are their product.

 

[Lakados]

Lol, that is exactly why Apple is different than other companies like Microsoft and Google. Apple wants your data, and doesn't want anyone else to have it. MSFT and Google want your data, and want to monetize it by selling it to the whole world.

well based on the FW logs I keep Apple is by far the smallest amount of outgoing data for the organization, Google and Facebook are by long and far fighting for the top spot, Microsoft and Apple are so far back in the pack that they aren't even worth mentioning. I am currently working with Palo Alto to add the functions to PanOS to better identify and tag their traffic so 1 we can more accurately track it, and 2 allow us to better filter it out of our reports because there is so much of it generated and blocked that it masks any bad activity that may be present on the network.