Apple's exclusion list lets malicious software bypass local firewalls on macOS 11: malware can easily establish a hidden network connection by riding on an Apple service, even if the user is blocking all outgoing connections with a firewall such as Little Snitch, warns security researcher Patrick Wardle.
"Piggyback" connection for malware
With a small tool he wrote himself, Wardle was able to transfer a file from his Mac desktop to a remote server unhindered, even though a local firewall was blocking outgoing traffic.
The tool evidently piggybacked on one of the Apple services that sit on the exclusion list built into the operating system for content filters. The network activity of those services is not visible to firewalls, which now have to be built on Apple's new, mandatory frameworks. Such a firewall bypass is trivial, according to Wardle, who says he had already warned Apple about the problem in a bug report before macOS 11 Big Sur was released. The researcher has not yet published further details, so it remains unclear which Apple service the tool used for the unobstructed network connection.
Exclusion list for over 50 Apple services
Since macOS 10.15 Catalina, Apple has placed more than 50 of its own apps and services on an exclusion list. It makes their network activity invisible to third-party apps that use Apple's Network Extension providers NEFilterDataProvider and NEAppProxyProvider.
Firewalls like Little Snitch or Wardle's LuLu must use the new extensions on macOS 11 Big Sur. The same applies to data-saving tools such as TripMode, which can no longer reliably prevent the potentially significant traffic generated by Apple services. Apps are no longer allowed to use the previous kernel extensions, which permitted deeper intervention in the system.
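A practitioner auditing a Big Sur machine will want to know which bundle identifiers a NEFilterDataProvider-based firewall will never be asked about. The following script is an added example, not code from the article, from Wardle, or from any firewall vendor. It assumes the exclusion list lives in the NetworkExtension framework's Info.plist under the key ContentFilterExclusionList (a path and key the article does not state), reads that file when it exists, and otherwise falls back to a constructed sample plist with made-up bundle identifiers so it runs offline on any system.

```python
"""List the services a content-filter firewall cannot see on macOS 11.

Added example; not the article's, Wardle's, or any firewall's own code.
"""
import plistlib
from pathlib import Path
from typing import Iterable, List, Tuple

# ASSUMPTION: location and key of Apple's exclusion list on macOS 11.
# The article does not name either; verify on a real Big Sur install.
NE_INFO_PLIST = Path(
    "/System/Library/Frameworks/NetworkExtension.framework"
    "/Versions/A/Resources/Info.plist"
)
EXCLUSION_KEY = "ContentFilterExclusionList"

# Constructed sample plist with made-up bundle identifiers, used only so
# the script runs where the real file is absent.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.NetworkExtension</string>
    <key>ContentFilterExclusionList</key>
    <array>
        <string>com.apple.example.storefront</string>
        <string>com.apple.example.maps</string>
        <string>com.apple.example.softwareupdate</string>
    </array>
</dict>
</plist>
"""


def load_exclusion_list(plist_bytes: bytes) -> List[str]:
    """Return the sorted, de-duplicated bundle identifiers on the list."""
    data = plistlib.loads(plist_bytes)
    entries = data.get(EXCLUSION_KEY, [])
    return sorted({str(entry) for entry in entries})


def is_invisible_to_filter(bundle_id: str, exclusions: Iterable[str]) -> bool:
    """True if flows from this bundle bypass NEFilterDataProvider filters."""
    return bundle_id in set(exclusions)


def audit_flows(
    flows: Iterable[Tuple[str, str]], exclusions: Iterable[str]
) -> List[Tuple[str, str]]:
    """Given (bundle_id, destination) pairs, e.g. reconstructed from a
    packet capture, return those a content-filter firewall was never
    shown. A malware 'piggyback' on an excluded service lands here."""
    excluded = set(exclusions)
    return [(bundle, dest) for bundle, dest in flows if bundle in excluded]


def main() -> None:
    source = NE_INFO_PLIST.read_bytes() if NE_INFO_PLIST.exists() else SAMPLE_PLIST
    exclusions = load_exclusion_list(source)
    print(f"{len(exclusions)} excluded bundle identifiers:")
    for bundle in exclusions:
        print("  ", bundle)

    # Constructed flow records standing in for a firewall or pcap log.
    flows = [
        ("com.apple.example.maps", "203.0.113.10:443"),
        ("com.example.thirdparty", "198.51.100.7:443"),
    ]
    for bundle, dest in audit_flows(flows, exclusions):
        print(f"unfiltered: {bundle} -> {dest}")


if __name__ == "__main__":
    main()
```

On a real Big Sur system the script reads the framework's Info.plist directly; compare its output with what your firewall actually shows you to see the gap the article describes.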
The makers of Little Snitch are currently looking for a way to make the connections of services on the exclusion list visible after all, and hope that Apple will still revise the implementation.