A somewhat cartoonish diagram illustrates issues with a firewall.

Patrick Wardle

Firewalls aren’t only for company networks. Giant numbers of security- or privacy-conscious individuals additionally use them to filter or redirect visitors flowing out and in of their computer systems. Apple not too long ago made a significant change to macOS that frustrates these efforts.

Starting with Massive Sur launched final week, some 50 Apple-specific apps and processes are now not routed by way of firewalls like Little Snitch and Lulu. The undocumented exemption got here to gentle solely after Patrick Wardle, a safety researcher at a Mac and iOS enterprise developer Jamf, disclosed the change over the weekend.

“100% blind”

To exhibit the dangers that include this transfer, Wardle—a former hacker for the NSA—demonstrated how malware builders may exploit the change to make an end-run round a tried-and-true safety measure. He set Lulu to dam all outgoing visitors on a Mac working Massive Sur after which ran a small programming script that interacted with one of many apps that Apple exempted. The python script had no hassle reaching a command and management server he set as much as simulate one generally utilized by malware to obtain instructions and exfiltrate delicate information.

“It kindly requested (coerced?) one of many trusted Apple gadgets to generate community visitors to an attacker-controlled server and will (ab)use this to exfiltrate recordsdata,” Wardle, referring to the script, advised me. “Principally, ‘Hey, Mr. Apple Merchandise, are you able to please ship this file to Patrick’s distant server?’ And it will kindly agree. And because the visitors was coming from the trusted merchandise, it will by no means be routed by way of the firewall… that means the firewall is 100% blind.”

Wardle tweeted a portion of a bug report he submitted to Apple throughout the Massive Sur beta part. It particularly warns that “important safety instruments comparable to firewalls are ineffective” beneath the change.

Apple has but to elucidate the explanation behind the change. Firewall misconfigurations are sometimes the supply of software program not working correctly. One chance is that Apple carried out the transfer to scale back the variety of assist requests it receives and make the Mac expertise higher for individuals not schooled in establishing efficient firewall guidelines. It’s common for firewalls to exempt their very own visitors. Apple could also be making use of the identical rationale.

However the incapability to override the settings violates a core tenet that folks ought to have the ability to selectively limit visitors flowing from their very own computer systems. Within the occasion {that a} Mac does turn into contaminated, the change additionally provides hackers a option to bypass what for a lot of is an efficient mitigation towards such assaults.

“The difficulty I see is that it opens the door for doing precisely what Patrick demoed… malware authors can use this to sneak information round a firewall,” Thomas Reed, director of Mac and cellular choices at safety agency Malwarebytes, stated. “Plus, there’s at all times the potential that somebody could have a reputable want to dam some Apple visitors for some motive, however this takes away that potential with out utilizing some sort of {hardware} community filter outdoors the Mac.”

Individuals who wish to know what apps and processes are exempt can open the macOS terminal and enter sudo defaults learn /System/Library/Frameworks/NetworkExtension.framework/Sources/Information.plist ContentFilterExclusionList.


The change got here as Apple deprecated macOS kernel extensions, which software program builders used to make apps work together immediately with the OS. The deprecation included NKEs—brief for community kernel extensions—that third-party firewall merchandise used to observe incoming and outgoing visitors.

Rather than NKEs, Apple launched a brand new user-mode framework known as the Community Extension Framework. To run on Massive Sur, all third-party firewalls that used NKEs needed to be rewritten to make use of the brand new framework.

Apple representatives didn’t reply to emailed questions on this modification. This publish will likely be up to date in the event that they reply later. Within the meantime, individuals who wish to override this new exemption will, as Reed famous above, must depend on a community filter that runs from outdoors their Mac.


Please enter your comment!
Please enter your name here