Apple Lets Some Network Traffic Bypass Firewalls on MacOS Big Sur (arstechnica.com)
"Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs..." reports Threatpost. "While users assumed Apple would fix the flaw before the OS emerged from beta into full release, this doesn't appear to have happened."
"Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu," explains Ars Technica: The undocumented exemption, which didn't take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend. To demonstrate the risks that come with this move, Wardle — a former hacker for the NSA — demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure...
Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that "essential security tools such as firewalls are ineffective" under the change.
Apple has yet to explain the reason behind the change.
"Feature" (Score:5, Funny)
"Feature"
Re: (Score:3)
Apple looks out for its users' privacy the way a big brother would.
Re: (Score:2)
Monopoly abuse. (Score:2)
Monopoly abuse.
To be expected... (Score:2)
For example, their firewall allows one to automatically allow connectivity for s
Better get a hardware firewall (Score:2)
Between offloading firewall CPU consumption to defend against external penetration attempts, to having the ability to prevent apps from phoning home, wouldn't it make sense to just get a hardware firewall? Maybe there's a market for one that acts as a Wi-Fi firewall/relay, and you could build it into one of those lithium-ion battery packs.
Re: (Score:2)
Re:Better get a hardware firewall (Score:5, Informative)
If you know you're using a vpn, then the firewall doesn't need to allow anything other than access to the vpn endpoints.
Re: Better get a hardware firewall (Score:3)
Re: Better get a hardware firewall (Score:2)
Going to this much effort to not let Apple do this to you after you willingly bought their device is like knowingly marrying a lying, cheating, manipulative gold digger and then trying to figure out how to make her behave.
Re: (Score:2)
The macOS is Linux...
Who wants to tell them?
Re: (Score:2, Informative)
Re: (Score:1)
The macOS is a Mach microkernel pretending to be BSD.
Re: (Score:1)
The macOS has an ill-maintained POSIX user land that was ported over from FreeBSD quite awhile back.
I think you mean UNIX (Score:3)
Mac is UNIX. As in certified, official UNIX. It's very much not Linux.
Re: (Score:1)
Yeah, they should call it minlx
Re: (Score:2)
Most VPNs are split. Traffic to the remote internal network goes to the VPN; traffic to YouTube, Slashdot, Gmail, and other "public" Internet sites goes directly through your local cable modem to those sites without the VPN involved. _Very_ few VPNs route all traffic through the VPN, for performance reasons.
Re: (Score:2)
Re: (Score:2)
The "get around geo-IP" and "hide your traffic" VPNs are not rare, but I don't think they're the most common. They also expose your traffic to the intermediate VPN, which is its own security issue. We could discuss the prevalence of security agency stolen SSL certificates, for example: I find it very difficult indeed to believe that major CDN and cloud providers, such as Google Cloud and Amazon Web Services, do not hand over customers' private SSL keys on demand of law enforcement, or even provide man-in-th
Re: (Score:1)
Re: (Score:2)
Patriot Act warrants are scary partly because they exist despite the US's generally good reputation as a nation of law and of legal transparency. If you're overseas, the vulnerabilities enforced by US federal policy affect your hardware and leave it vulnerable to both your government and the US government. If you think backdoors are not federal policy, do look up the various Cisco backdoors published over the last decade.
https://www.tomshardware.com/n... [tomshardware.com]
And in either the US or other nations, the intelligenc
Re: Better get a hardware firewall (Score:2)
I've proposed a few times here a hardware firewall which acts similar to an anti-virus program, only to stop forced update and telemetry traffic.
It's a fairly obvious idea, and somebody *has* to be working on something like this.
Wow, it wasn't that long ago when we only had to worry about basement hackers and hostile nations putting malware on our computers. :(
Re: (Score:1)
Re: Better get a hardware firewall (Score:2)
Like an anti-virus program, it would have a list of known offenders that the user can download updated versions of. Heuristics, another common anti-virus tool, can be applied here too.
Having something like this on the market which is well advertised will have the side benefit of helping to crush the whole "Trusted [those with the gold] Computing" nonsense, and inform the public that because somebody has a title, or a badge, does not automatically make that person "Trustworthy".
Yes, in light of events of 202
Re: (Score:1)
Hardware firewall integrated in NIC package? (Score:3)
Why didn't this ever become a thing? It seems like it makes sense, an actual firewall independent of the system's OS.
I seem to remember ages ago a hardware firewall as an add-in card, sort of the way the old Voodoo video cards worked, where you looped your NIC through it with a short cable. The card's hardware interface was mostly for power from the slot.
I'm kind of surprised this didn't become a thing, especially with multi-port network cards where the NIC ports could be assigned specific security zones
Re: (Score:2)
You can have it with a "VPN router" and it doesn't have to be installed inside your PC, which was never a good idea from a maintenance standpoint anyway.
Software firewalls (Score:5, Insightful)
Software firewalls are a fucking joke anyway. The whole idea of a firewall running on the machine that may get compromised was the butt of many jokes in security circles for good reason. I don't even turn the damn things on and only trust firewalls running somewhere else. I carry a pocket firewall with me when I travel.
Re: (Score:3)
Software firewalls are a fucking joke anyway. The whole idea of a firewall running on the machine that may get compromised was the butt of many jokes in security circles for good reason. I don't even turn the damn things on and only trust firewalls running somewhere else. I carry a pocket firewall with me when I travel.
You would be a fool to turn off the stateful firewall on a machine just because it's behind another firewall. I hope that pocket firewall of yours isn't just running static settings.
Re: (Score:3)
In many cases a firewall is pointless security theatre anyway..
To stop inbound connections?
Your client machine only usually makes outbound connections, it shouldn't have any listening services by default so there is nothing to connect to.
On those instances where you do want inbound connections, you have extra hassle to enable firewall rules in addition to explicitly turning on the program that listens for inbound connections. This can inconvenience games, voip, etc, and encourages the use of third party ser
Re: (Score:2)
You obviously didn't read why Apple users are using Little Snitch in the first place.
Re: (Score:2)
Very rarely are firewalls used to block outbound except in corporate environments... In most end user scenarios, everything is allowed out.
Then it is not a firewall, at least not in the sense what that word is supposed to mean in internet jargon.
Re: (Score:2)
Most machines have listening services on by default because users expect to e.g. be able to share files easily. They expect their iPhone to be able to talk to their iTunes seamlessly. Their TV box to be able to stream files from their Plex server. Admins like the convenience of RDP, rather than having to walk down to the server and plug in a keyboard, mouse and monitor.
Aside from anything else a basic firewall that limits inbound connections to ones coming from your LAN subnet save a lot of computing resour
Re: (Score:2)
None of these services are, or need to be enabled by default.
If the user intends to use these services, then they will explicitly turn them on. Especially if someone has gone to the additional effort of setting up something like a plex server - the key is in the name "server".
Having a firewall actually breaks the seamless nature of these services, as in addition to turning on the service they also have to create an allow rule. If the service does this on its own then it's somewhat defeating the point of havi
Re:Software firewalls (Score:4, Insightful)
That is not correct with regard to Mac users, at least not the "very rarely" part. There is a rather popular program called Little Snitch for which many Mac users pay good money, in order to be able to send and approve/disapprove traffic going out of their systems. This change by Apple breaks Little Snitch and similar programs, at least with regard to traffic to Apple servers. Even if you don't want to block traffic to Apple's servers 100% of the time, there might still be times where you would want certain programs to not have the ability to connect (such as anything that sends out your Apple login while you are using an insecure public connection), and Little Snitch was great for that until Apple did this.
I know of at least one Mac user that has been buying Macs since the days of the Power PC but has said he will never buy another unless Apple either reverses this or the developers of Little Snitch figure out a workaround that makes their product work again for those connections (apparently they are working on it).
For me, this just makes me feel like Apple is trying to take over ownership of MY computer. I paid good money to Apple to PURCHASE a computer, not lease one or rent one, and Apple should not be trying to basically install malware to block the effectiveness of security-related software that I want to run. Maybe you feel that such software does nothing useful, but that is your opinion, with which I strongly disagree. But I am more concerned about the arrogance of Apple trying to subvert the functioning of that software. If a third party did this we'd all be properly labeling it as malware, but because some people seem to think Apple can do no wrong (obviously I'm not one of them) they are willing to overlook this intrusive behavior in MacOS Big Suck.
Re: (Score:2)
It's not correct for Windows users, either. Windows 7 frequently prompts me as to whether I want to permit a program to traverse the software firewall.
Re: Software firewalls (Score:1)
Re:Software firewalls (Score:5, Informative)
All firewalls are software firewalls
Chain 2 different Software firewalls (Score:2)
Perhaps best to cascade firewalls from different vendors.
If you chain a Cisco firewall with a Huawei firewall, sure, each may allow some traffic through.
But unless they collude they will probably block each other's backdoors.
Re: (Score:2)
Re: (Score:2)
That is also adding points of failure in your local network. And it adds an hour to the time dealing with your local network vendor on every call, proving painfully that the problem is, indeed, their fault.
Re: (Score:1)
As a Security Eng for a large telco who works with Palos as gateway walls ... you're either full of shit or sorely lacking.
Re: (Score:2)
As someone who has been working with networks for over 35 years, performing network analysis since before TCP/IP was in wide distribution, I would offer that you should familiarize yourself with the basic text on the topic, TCP/IP Illustrated Volume 1, before you stick your foot further into your mouth.
A firewall is a "computer" with routing rules and MAYBE multiple interfaces.
period.
Re: Software firewalls (Score:2)
Wow, network people... it's all software, no it's hardware, no they're all computers.
Sure, and some have specialized hardware tailored to their role, like content addressed memory, packet filtering logic in silicon, whatever. Those are hardware solutions, and they are almost entirely implemented with software solutions driving the hardware, and whatever, end the debate and call everything a computer, fuck it all.
The OP's point was about having a dedicated firewall separate from the things it was meant to p
Re: (Score:2)
>All the firewall logic is implemented in software.
Nope, there is definitely custom silicon in the products of big network equipment manufacturers that perform some of the logic of firewalls. Usually things like classification, pattern matching and other things that would be less efficient in software.
Re: (Score:2)
Technically correct, but also needless hairsplitting. It's quite obvious what OP meant: a firewall running on dedicated hardware independent of the devices whose traffic it's filtering.
Re: (Score:3)
The whole idea of a firewall running on the machine that may get compromised was the butt of many jokes in security circles for good reason.
Maybe if you're the NSA or securing corporate network entry, but back in the real world we don't let perfect be the enemy of good. Software firewalls have done more to improve security than any other single security concept by giving us an additional layer between Mallory and the hundreds of pieces of software with open ports and potential security holes that Bob is running on his machine.
Is it perfect? Fuck no, but then neither is any hardware firewall. But only a complete moron who doesn't belong anywhere
Re:Software firewalls (Score:5, Insightful)
Software firewalls have some major benefits over firewalls running on other machines. The main one is that they can operate on a per-app basis. If an app has no reason to need internet access you don't give it internet access. If it only needs to talk to one specific IP address that's all it gets.
Restricting on a per-app basis mitigates a lot of attacks. Even if the app gets compromised it can't download further payloads, it can't exfiltrate data, and the fact that it even tried can set off alarm bells.
Re: (Score:1)
Re: (Score:2)
Software firewalls have some major benefits over firewalls running on other machines. The main one is that they can operate on a per-app basis. If an app has no reason to need internet access you don't give it internet access. If it only needs to talk to one specific IP address that's all it gets.
Restricting on a per-app basis mitigates a lot of attacks. Even if the app gets compromised it can't download further payloads, it can't exfiltrate data, and the fact that it even tried can set off alarm bells.
Application-aware hardware firewalls have been around for ages.
Re: (Score:2)
And they suck. They have to try to guess the application based on packet analysis.
Re: (Score:2)
I carry a pocket firewall with me when I travel.
Any recommendations on brands or models?
Re: (Score:2)
Yes. Any miniature router that can have OpenWRT installed. There are some that are 1/4 the size of a pack of playing cards.
Re: (Score:2)
This shit again? (Score:3, Informative)
Re: This shit again? (Score:3)
What the heck? From your first link :
"It's worth noting that Big Sur and its predecessors are built to assume that they can talk to Apple at any time, but when we don't allow it, a few unwanted side effects pop up. For example, the keyboard sometimes takes longer to wake up from sleep mode"
I don't know why nor how to write software that makes "prompt resume from sleep" contingent upon phoning home.
Re: (Score:2)
Maybe it's trying to verify authenticity of keyboard. Like what if you have a usb keyboard mail ordered from China with a keylogger built into it. While I agree in theory, if you are talking about the keyboard I think I would like it to be checked.
Re: (Score:1)
Re: (Score:1)
In order to comply with the Apple secure validation protocol, a keylogger keyboard must set the evil bit to 1, obviously.
Re: (Score:2)
Goodness, I can picture dozens of ways to do this. Most of the legitimate ones involve phoning home at wake-up time to get driver updates for the hardware, which may have been replaced or re-arranged during powerdown. Many illegitimate ones involve reporting to the mothership the status and location of your hardware.
Complicity with LE/government agencies? (Score:2)
WTF? (Score:2)
There is a real issue here. Okay, I can understand Apple wanting to have some control even if the user installs a broken VPN. But this is not the way.
It is very reasonable to have a personal VPN (at home on a static IP, or from a co-location hosting provider), and have your phone in your local LAN, even while you are roaming. In fact this is not too difficult to do.
However that assumes the OS on your devices adheres to your settings.
(Note to Apple: Just show a notification like "something is wrong with yo
Re: (Score:3)
At first glance, this seems like it could be a real-world security problem for many people living under oppressive governments, given that communications apps may not be behaving in the manner a reasonable person would expect.
I guess the solution is to avoid Apple's apps.
Re: (Score:1)
Undocumented Exemptions (Score:2)
Undocumented exemptions are just as much a part of the fabric of the operating system as any other feature.
Re: (Score:1)
OpenBSD's pf is built-in (Score:4, Interesting)
Re: (Score:1)
No, dumb dumb. It's not FreeBSD. It's Darwin.
Re: (Score:2)
Re: (Score:3)
macOS's pf implementation is weird. I agree you can do what you state, but first you have to rip out all the dynamic pf rule handling macOS has enabled by default.
Re: (Score:3)
/etc/pf.conf
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
/etc/pf.anchors/com.apple
anchor "200.AirDrop/*"
anchor "250.ApplicationFirewall/*"
Here's what pfctl -s all shows
# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat-anchor "com.apple/*"
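As an added illustration, not part of the thread and not Apple's shipped /etc/pf.conf: a pf ruleset that keeps the com.apple anchors listed above and, in the spirit of the earlier "the firewall doesn't need to allow anything other than access to the VPN endpoints" comment, drops everything else leaving the physical interface and logs it. The interface names en0 and utun0, the endpoint address 203.0.113.10 and the WireGuard port 51820 are assumed placeholders.

```pf
# Constructed example: host ruleset that allows only the VPN tunnel itself to
# leave the physical interface; all other application traffic must ride utun0.
# Assumptions: en0 = physical NIC, utun0 = tunnel interface,
# 203.0.113.10 = placeholder VPN server (TEST-NET-3), 51820 = WireGuard UDP port.
ext_if     = "en0"
vpn_if     = "utun0"
vpn_server = "203.0.113.10"
vpn_port   = "51820"

set skip on lo0

# Apple's default anchors, kept as the thread shows them, so the system's own
# dynamic rules still load into their anchors.
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# pf evaluates rules top to bottom and the LAST matching rule wins unless a
# rule says "quick". Placing this block after the anchors means it overrides
# any plain pass rule the anchors contributed; the narrower pass rules below
# then re-open only what the tunnel needs.
# "log" copies dropped packets to pflog0 (create it with "ifconfig pflog0 create",
# watch with "tcpdump -n -e -ttt -i pflog0"), so a process that tries to leave
# outside the tunnel is visible instead of silently dropped.
block drop out log on $ext_if all

# DHCP so the interface can still obtain an address on an untrusted network.
pass out on $ext_if proto udp from any port 68 to any port 67 keep state
pass in  on $ext_if proto udp from any port 67 to any port 68

# The only direct-to-Internet flow: the tunnel's own UDP transport.
pass out on $ext_if proto udp from any to $vpn_server port $vpn_port keep state

# Everything else must travel inside the tunnel, where an off-box firewall at
# the other end can filter it.
pass out on $vpn_if all keep state

# Unsolicited inbound on the physical interface is dropped and logged; replies
# to the stateful flows above are matched by state before rules are consulted.
# If IPv6 is in use on en0, neighbor discovery (icmp6) needs its own pass rules.
block drop in log on $ext_if all
```

Syntax-check before loading with `sudo pfctl -nf /path/to/pf.conf`, then load and enable with `sudo pfctl -ef /path/to/pf.conf`; `pfctl -s rules` shows the resulting ruleset next to the com.apple anchors.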
Re: (Score:2)
It's a FreeBSD kernel
Mac's kernel has as much in common with FreeBSD as Windows 10's does with Windows 95. Mac isn't FreeBSD, it was just based upon it some 19 years ago.
Re: (Score:2)
I believe you mean "as much as Windows 10's kernel does with VMS". Windows 10 used the NT kernel, which had much of its structure lifted by David Cutler and his kernel crew from DEC when they were hired by Microsoft.
Re: (Score:2)
No I mean Windows 95, don't underestimate how different the Mac kernel is now compared to the old BSD kernel. Darwin was sufficiently different from the base kernel back 19 years ago.
Mind you these days the Windows 10 kernel probably has equal amounts in common with VMS and the old 9x kernels. It's been through so many re-writes and had entire stacks thrown out over the years.
Re: (Score:2)
https://developer.apple.com/li... [apple.com] has a note mentioning FreeBSD and "BSD" is all over the place.
Fixed (Score:1)
Just filter on an off-box parent device
Can we just take in the irony for a moment? (Score:2)
Can we just take in the irony for one moment, of this heap of shit being called Big Sur? Anybody who's ever been there, or even read about the place should get what I'm saying.
Re: (Score:2)
Thought maybe for a moment you were referencing Jack Kerouac.
Design by Marketing (Score:2)
This is serious (Score:4, Insightful)
It changes the situation from "cautiously trusted" to "untrustworthy"
I won't be surprised to see lawsuits about it.
Re: (Score:3)
I won't be surprised to see lawsuits about it.
I would. I mean this has been standard practice for MS for over 10 years now in their firewall, why would Apple get sued for something "normal" in the computing world?
Re: (Score:2)
They override some DNS names in the hosts file, but what part of Windows ignores the Defender firewall though?
Re: This is serious (Score:2)
They override some DNS names in the hosts file, but what part of Windows ignores the Defender firewall though?
This thread was about lawsuits? So legally, any part that Microsoft feels like?
Technically? Any part Microsoft feels like?
In practice? IDK, ask Microsoft.
Re: (Score:2)
He asserted Windows had been ignoring firewall settings for 10 years, I can't recall any instance.
Re: (Score:2)
They override some DNS names in the hosts file, but what part of Windows ignores the Defender firewall though?
Any rules blocking their update servers, or blocking the Defender service itself. That's a basic built-in security measure to prevent malware creating rules that prevent new malware definitions being downloaded.
Re: This is serious (Score:2)
It changes the situation from "cautiously trusted" to "untrustworthy"
I won't be surprised to see lawsuits about it.
Slashdot ate your sarcasm tag
Yes, surely there will be lawsuits over how the system-provided interface for third party application firewalls doesn't do what third party developers want - block applications that shipped with the system, get out your monopoly busting hammers, Apple haters. *yawn*
unfortunately nothing will change, see Microsoft (Score:1)
Re: (Score:1)
firewall (Score:2)
Not your computer
You shouldn't bypass your own security measures (Score:2)
While Apple should have been consistent on how all traffic leaves its system, and doing this for some apps is just bad for security and in design, I do want to bring up that most people should have an external firewall outside your PC. Heck, even a cheap wireless router has many basic firewall features built in, enough to keep you relatively safe. Unlike back in my college days, where every student got an open external IP address that was wide open to the internet.
Paternalism (Score:2)
I assume Apple did this because there was some malware vector using VPNs and they think this was a good idea to protect users against themselves. But that's one step too far. It's not iOS, people can hurt themselves on macOS and that's how it should be ... trying to limit them like this just produces unexpected behaviour, which can also hurt them.
Maybe Apple should make an iOS for Mac where they can just outright limit users by app certification, rather than try to limit users by this kind of roundabout und
Wizard of Apple (Score:3)
LTE-MiFi gateway as a travel solution (Score:2)
Well, that does it.
Might as well drag along a nice dual-port Raspberry Pi configured as a LTE-MiFi for your traveling portable gateway/VPN/Wireguard/router to carry all of your networkable Apple products.
I really don't see any way around this at this point.
Firewall neutered until you stop using it against (Score:2)
Firewall will be continually neutered until you stop using it to stop Apple's own antics.
The very thing many warned about when you trust a vendor's tool to block their other tool, expecting they can't just add "exceptions" later. Same problem as "updates" you can't turn off.
Too much "trust".
Re: The Internet has stopped being useful. (Score:1)
Re: The Internet has stopped being useful. (Score:1)
It's fairly obvious this is APK, but at least no 20 soft quilted swastika toilet sheet rolls from him.
I've noticed a few user hostile things about the 'net and devices in general, but most of these issues have been brought up as Slashdot articles.