Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Desktops (Apple) Operating Systems Security Apple

Apple Removes Feature That Allowed Its Apps To Bypass macOS Firewalls and VPNs (zdnet.com) 29

Apple has removed a controversial feature from the macOS operating system that allowed 53 of Apple's own apps to bypass third-party firewalls, security tools, and VPN apps installed by users for their protection. From a report: Known as the ContentFilterExclusionList, the list was included in macOS 11, also known as Big Sur. The exclusion list included some of Apple's biggest apps, like the App Store, Maps, and iCloud, and was physically located on disk at: /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist.

Its presence was discovered last October by several security researchers and app makers who realized that their security tools weren't able to filter or inspect traffic for some of Apple's applications. Security researchers such as Patrick Wardle, and others, were quick to point out at the time that this exclusion risk was a security nightmare waiting to happen. They argued that malware could latch on to legitimate Apple apps included on the list and then bypass firewalls and security software.

This discussion has been archived. No new comments can be posted.

Apple Removes Feature That Allowed Its Apps To Bypass macOS Firewalls and VPNs

Comments Filter:
  • ATM machine
    LCD display
    PIN number

    what other RAP phrases can you come up with?
  • by bmimatt ( 1021295 ) on Thursday January 14, 2021 @09:28AM (#60942908)

    macOS is more chatty with each new version, it has literally dozens of processes/daemons that periodically call the mothership. I filter those I could identify as non-essential for 'normal' functionality I require, but there are still a large number of others that periodically execute calls to Apple's servers, some by IP.
    It seems to be the industry standard now. It is similar to how Google, Microsoft, etc. operate, with a large number of calls going out to seemingly unrelated domains. Like why does the browser make a call to youtube when I'm loading goog maps? I understand that complex systems are intertwined and cross-referenced as to, at the very least, avoid functionality duplication, but this methodology seems to keep sprawling beyond reason. While I haven't tracked it that deep, I suspect cookies are set/read across all of these domains. The hunger for data appears to be growing quite fast.

    • Re:Chattiness (Score:4, Insightful)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday January 14, 2021 @09:35AM (#60942954) Homepage Journal

      Like why does the browser make a call to youtube when I'm loading goog maps?

      If I had to guess, and let me make it clear that I am doing so, it's that there's some kind of video-of-places-related functionality in maps which is based on embedding videos from youtube.

      That sort of thing is understandable. What is "not" is that your PC should be calling home for anything other than updates, or for that matter, for anything without your permission. Yes, I can understand that they are trying to monetize you by collecting your data, but it should be considered wholly unacceptable. As in, there ought to be a law prohibiting it.

      (Yes, HAHAHAHAHA etc. Governments love your metadata, they're not going to stop corporations from collecting it.)

    • Re:Chattiness (Score:4, Informative)

      by Aczlan ( 636310 ) on Thursday January 14, 2021 @09:44AM (#60942990)

      Not sure if its still the case, but at one point authentication for Google appeared to be going through Youtube (so to log into Gmail it was talking to Youtube auth servers), not sure if that is still the case, but it would explain that.

      Aaron Z

    • by antdude ( 79039 )

      Same with others like Windows, Linux, third party softwares, etc. I have to use a firewall to check and block unwanted connections. What are the good ones for iOS, macOS, and Linux?

  • So what if you just deleted/removed all the entries in the exclusion list, or the list itself? Problem solved? By temporarily turning SIP off you could definitely do this. Not really a technique available to the masses but had I upgraded to BS I'm pretty sure I would have tried it out.
    • I'm not sure disabling SIP is enough. This is on a read-only partition, and I'm not sure it's possible to force-mount it RW. Maybe in single-user mode, but I think I heard rumblings that Macs with T2 chips no longer allow single user mode.

      I'd really love to revert to the pre-Big Sur Finder sounds, but in the end it just seemed like less of a PITA than just learning to accept them.

    • That does not solve the problem of malware using this mechanism to bypass the firewall. Better remove this unwanted "feature" completely.

  • It is nice that they making the playing feiod more level. One thing that I hated about MS Dos programming is that you could not use the top level hooks to the OS. You had to use direct system calls. It Hebe MS an advantage in reliability. The next thing to look for is Google making all android apps equal.
    • by Tora ( 65882 )

      What??

      I think you have some typos sir.

      such as feiod, for starters.

      • by dgatwood ( 11270 )

        Despite the negative post covefe, feiod is a perfectly cromulent word.

        Holy crap. Apple's spell checker didn't flag "cromulent" as a misspelling. :-D

  • by Luthair ( 847766 ) on Thursday January 14, 2021 @10:25AM (#60943220)
    is not a physical address :)
  • So glad to hear it. I really wanted to buy a new Macbook Air, but this was honestly the main reason to hold off on that purchase.

    I currently use Little Snitch to also limit what Apple apps phone home. I don't have any comparison to other OS's on this front, but MacOS is pretty chatty.

    • by tlhIngan ( 30335 )

      Yeah, I'm really surprised Apple didn't double-down on this, but simply removed it completely. I mean, it was enabled for a reason so you'd expect it to stay.

      I wonder if someone had a burst of inspiration that it simply was too big an attack surface - or the granularity was too big because many of those apps took plugins and that means it's way too easy to hitch a ride.

  • So, the plist is gone, but has it been verified that the underlying bypass functionality has ALSO been removed?

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...