Apple removed a controversial feature in its macOS operating system that allowed more than 50 of its apps to fully bypass third-party security tools like firewalls and virtual private networks (VPNs).
The ContentFilterExclusionList, implemented in macOS 11 Big Sur, was classified as a possible security risk by the security community and developers late last year. This list in macOS meant that a firewall socket filter could not block traffic created by Apple applications such as Maps and iCloud.
The Little Snitch firewall tool developer, Norbert Heger, described this action as "a hole in the wall."
Patrick Wardle, a security researcher at the software company Jamf, also showed how malware could abuse the traffic of "excluded" apps to circumvent firewalls.
Those who initially sounded the alarm, including Heger, Wardle, and others, have now accepted Apple's decision to drop ContentFilterExclusionList with the release of macOS 11.2 beta 2.
The exclusion list first arose as part of Apple's move away from third-party kernel extensions, including network kernel extensions (NKEs), which allowed developers to load code directly into the macOS kernel. Such NKEs have been used by a range of third-party security products, including firewalls such as LuLu and Little Snitch.
To continue supporting such products on modern macOS iterations, Apple introduced the User Mode Network Extension Framework (NEF) that developers could use instead to preserve macOS compatibility for their firewalls and VPNs.
Apple then exempted more than 50 of its applications and daemons from being routed through the NEF by implementing the ContentFilterExclusionList. This meant that third-party firewalls that used this new system were unable to block traffic from them.
"Many (rightly) asked, 'What good is a firewall if it can't stop all traffic?'" Wardle said in a blog post. "Well, after a lot of bad press and a lot of feedback/bug reports from developers like myself, the Cupertino mind seems to have prevailed."
"The list of ContentFilterExclusionLists has been deleted (in macOS 11.2 beta 2). This means (socket filter) firewalls such as LuLu can now completely filter/block all network traffic."
Researchers also speculated that Apple had removed its own software from third-party firewalls' supervision in the name of overall security. For example, excluding these services meant they could continue to receive updates even when a firewall had blocked all other web traffic.