
Apple drops controversial firewall-bypass feature on macOS

Researchers claim the ContentFilterExclusionList posed a huge cyber security risk

Apple has removed a controversial feature in its macOS operating system that allowed more than 50 of its own apps to completely bypass third-party security tools like firewalls and virtual private networks (VPNs).

The ContentFilterExclusionList, introduced in macOS 11 Big Sur, was flagged by the security community and developers late last year as being a potential security risk. This list’s existence in macOS meant traffic generated from Apple software such as Maps and iCloud couldn’t be blocked by a socket filter firewall.

The developer of the Little Snitch firewall tool, Norbert Heger, described this behaviour as “a hole in the wall”.

Patrick Wardle, a security researcher with software firm Jamf, even demonstrated how it may be possible for malware to abuse “excluded” apps to generate web traffic to bypass firewalls. 

Those who initially sounded the alarm, including Heger, Wardle and others, have now welcomed Apple’s decision to remove the ContentFilterExclusionList with the release of macOS 11.2 beta 2.

The exclusion list first emerged as part of Apple’s shift away from third-party kernel extensions, including network kernel extensions (NKEs), which allowed developers to load code directly into the macOS operating system. These NKEs, however, were used by a number of third-party security platforms, including firewalls such as LuLu and Little Snitch.

To continue to support such products on modern iterations of macOS, Apple introduced the user-mode Network Extension Framework (NEF), which developers could use instead to retain macOS compatibility for their firewalls and VPNs.

Apple then exempted more than 50 of its own applications and daemons from being routed through the NEF by introducing the ContentFilterExclusionList. This meant third-party firewalls that used this new framework weren’t able to block traffic from them.

“Many (rightfully) asked, ‘What good is a firewall if it can't block all traffic?’” Wardle said in a blog post. “Well, after lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed.”

“The ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2). Which means, (socket filter) firewalls such as LuLu can now comprehensively filter/block all network traffic.”

Researchers have speculated that Apple excluded its own apps from the oversight of third-party firewalls in the name of overall security. For example, if excluded, these services may continue to receive updates when all web traffic is blocked.
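A defender-side check for the behaviour described above, added here as an example that is not from the article or from any of the researchers it quotes: it reads the ContentFilterExclusionList key from the NetworkExtension framework's Info.plist and reports whether a socket-filter firewall built on the Network Extension Framework can see all traffic. The plist path and the assumption that the key holds an array of strings are not stated in the article; the two sample plists are constructed so the script runs on any OS.

```python
"""Report whether the NetworkExtension framework still carries a
ContentFilterExclusionList, the key that let Apple's own apps and daemons
skip NEF socket-filter firewalls before macOS 11.2 beta 2."""
from __future__ import annotations

import plistlib
from pathlib import Path

# Assumed location of the key on macOS 11.0/11.1 (not given in the article).
NE_INFO_PLIST = Path(
    "/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist"
)
EXCLUSION_KEY = "ContentFilterExclusionList"


def exclusion_list(plist_bytes: bytes) -> list[str]:
    """Return the entries under ContentFilterExclusionList, or [] if the key is absent.
    The value is assumed to be an array of strings (bundle ids or process paths)."""
    data = plistlib.loads(plist_bytes)
    value = data.get(EXCLUSION_KEY, [])
    if not isinstance(value, list):
        raise ValueError(f"{EXCLUSION_KEY} is not an array: {type(value).__name__}")
    return [str(item) for item in value]


def firewall_can_filter_everything(plist_bytes: bytes) -> bool:
    """True when no exclusion list exists, i.e. a NEF socket filter sees every flow."""
    return exclusion_list(plist_bytes) == []


def check_live_system(path: Path = NE_INFO_PLIST) -> list[str] | None:
    """Read the real framework plist on macOS; return None where it does not exist."""
    if not path.exists():
        return None
    return exclusion_list(path.read_bytes())


# Constructed sample plists (not Apple's real files): one shaped like the
# pre-11.2 framework with an exclusion list, one shaped like 11.2 beta 2 without it.
SAMPLE_WITH_LIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.NetworkExtension",
    EXCLUSION_KEY: ["com.example.maps", "com.example.icloud-sync", "/usr/libexec/example-daemon"],
})
SAMPLE_WITHOUT_LIST = plistlib.dumps({"CFBundleIdentifier": "com.example.NetworkExtension"})

if __name__ == "__main__":
    for label, blob in (("sample with list", SAMPLE_WITH_LIST), ("sample without list", SAMPLE_WITHOUT_LIST)):
        print(f"{label}: excluded={exclusion_list(blob)} full_filtering={firewall_can_filter_everything(blob)}")
    live = check_live_system()
    print("live system:", "plist absent (not macOS?)" if live is None else f"excluded={live}")
```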
