When Apple shipped macOS Big Sur in November, researchers quickly spotted a strange anomaly in the system’s security protection that could have left Macs insecure. Apple now seems to be dealing with this problem, introducing a fix in the latest public beta release.
What was wrong?
For some strange reason, Big Sur introduced a controversial and potentially insecure change that meant Apple’s own apps could still access the internet even when a user blocked all access from that Mac using a firewall. This wasn’t in tune with Apple’s traditional security stance. What made this worse is that when those apps (and there were 56 in all) did access the ‘Net, user and network traffic monitoring applications were unable to monitor this use.
It meant Apple apps could access the Internet to gain Gatekeeper privileges while other applications could not, posing a potential security challenge, as they were included on the ContentFilterExclusionList.
It was subsequently shown that this protection could be subverted to give apps — including malware — similar special powers. Rogue applications could be running in the background, bypassing Getekeeper protection, even when the user believed their Mac was protected by a Firewall.
This exploit wasn’t especially trivial, and it comprised a security threat.
If you are running the current public version of Big Sur, you can see the list for yourself at /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist file, just look for “ContentFilterExclusionList.”
What has changed?
Apple has fixed this problem in its latest public beta, as noted by Patrick Wardle. The company has removed the ContentFilterExclusionList from macOS 11.2 Big Sur beta 2, which means firewalls and activity filters can now monitor the behavior of Apple’s apps, and also makes for a reduction in the potential attack vulnerability.
We know why Apple attempted this. When the company removed support for kernel extensions (kexts) from Macs, it also built a new architecture to support extensions that relied on kexts.
However, it also chose to make its own apps exempt from these frameworks, which is why software that relied on the new extensions architecture couldn’t spot or block the traffic they generated.
Why might it make sense?
I can imagine some reasons it might make sense for some Apple applications to be enabled to run in some kind of super-secret mode. Specifically, I’m thinking about FindMy and how useful that might be if left to run surreptitiously on a lost or stolen Mac. But even in that instance, it seems more appropriate (and far more in tune with Apple’s growing stance on privacy and user control) to give users control of that interaction, perhaps with something like a “run secretly in the background and resist firewalls” button.
In the future, as Apple moves toward mesh-based coverage, particularly for Find My, the challenge engineers will need to solve is how to enable traffic — finding other Apple devices or sharing information about their location, for example — to safely and securely be maintained as a discrete background process without generating additional user friction (security messages) and maintaining privacy and security across the chain.
I’ve a feeling this may have been an attempt in that direction, but the fact it could be subverted to penetrate Mac security is unsustainable. I’m sure Apple will be seeking better solutions to such conundra.
When will Big Sur be updated?
The current edition of Big Sur hasn’t yet deployed this fix, but the fact that it is now available within the latest public beta suggests it will ship more widely in the next couple of weeks.
When it arrives, it also introduces another useful layer of protection for M1 Macs, which will no longer be able to side load potentially unapproved iOS apps as the capacity to bypass the firewall will have been removed.