Apple Removes a Feature Allowing Apps to ByPass Firewall

The Apple ecosystem (macOS, iOS, WatchOS, and iPadOS) is known to be very robust and resistant to outside threats. However, recently Apple removed a feature from Big Sur (the latest version of macOS) that allowed apps to bypass the firewall.

What is the Problem?

The controversial feature allowed only Apple’s first-party apps to bypass content filters, VPNs, and third-party firewalls. The actual feature is called “ ContentFilterExclusionList,” and worked with 50 apps including Apple Maps, Music, HomeKit, FaceTime, iCloud, and the App Store. According to The Hacker News, its “software update service that was routed through Network Extension Framework, effectively circumventing firewall protections.”

As of macOS 11.2 beta 2, this feature has been removed from the Big Sur operating system. 

Discovery

The issue was discovered In November 2020 when a beta version of Big Sur was tested. Critics complained loudly about the problem, and concerns about exposing user data forced Apple to remove the feature in its latest update.

Threatpost explained how the feature worked. “Researchers found these apps were excluded from being controlled by Apple’s NEFilterDataProvider feature. NEFilterDataProvider is a simple network content filter, which is used by third-party application firewalls (such as host-based macOS application firewall Little Snitch) and VPNs to filter data traffic flow on an app-by-app basis.

Because these apps bypassed NEFilterDataProvider, the service could not monitor them to see how much data they were transferring or which IP addresses they were communicating with – and ultimately could not block them if something was amiss.”

Cybersecurity professionals explain that threat actors could bypass the firewall by generating network traffic abusing these “excused” items. The reparation of this vulnerability means that now even third-party firewalls can block all incoming traffic from unknown connections. Using a piggybacking methodology, hackers could easily exploit this feature if left in play.

Principal researcher with Jamf Patrick Wardle tweeted last week, “After lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed.”

The Hacker News shared that “Wardle demonstrated an instance of how malicious apps could exploit this firewall bypass to transmit data to an attacker-controlled server using a simple Python script that latched the traffic onto an Apple exempted app despite setting LuLu and Little Snitch to block all outgoing connections on a Mac running Big Sur.”

How Has Apple Responded?

Although Apple has declined to respond to either Threatpost or The Hacker News, nor have they made a public comment about the issue, they did remove the feature in the latest update to Big Sur version 11.2 beta 2.

Historically, Apple has always been a big proponent of privacy and security. With so many threat researchers ringing the warning bell over this one issue, it’s no wonder Apple took quick action to remove the contentious flaw. 

What Should Apple Users Do?

Update your Mac to the latest version of macOS as soon as possible. Although this issue has not yet been seen exploited in the wild, now that there is so much talk about it, anyone who is left un-updated could be at risk. Some other ways to stay safe are:

• Always keep all your Apple devices updated with the latest security patches and operating system updates. And, educate yourself about apple’s privacy and security.

• Keep your firewall turned on at all times.

• Install and run frequently good, strong antivirus software.

• Never download software from untrusted sources.

• Do not click links in email or download attachments, primary way how people fall for phishing scams

• Install network monitoring software to keep an eye on any intrusions and all network traffic in or out.