Some Apple Apps on macOS Big Sur Bypass Content Filters, VPNs

Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs. They say it is a liability that can be exploited by threat actors to bypass firewalls and give them access to people’s systems and expose their sensitive data.

A Big Sur beta user named Maxwell (@mxswd) was the first to point out the issue back in October on Twitter. Despite concerns and questions among security professionals, Apple released Big Sur to the public on Nov. 12.

“Some Apple apps bypass some network extensions and VPN Apps,” he tweeted. “Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running.”

His tweet triggered a rash of comments decrying the issue and accusing Apple, which long has touted its concern for user privacy and the overall security of its products over those of its rivals, about having a double standard when it comes to the company’s privacy policies and those of its customers and partners.

> Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running 😒
>
> — Maxwell (@mxswd) October 19, 2020

Discomfort with Apple’s choice to bypass its NEFilterDataProvider were also echoed on the Apple’s Developer Forum.

50 Apple Apps Excluded?

“We found out that traffic from about 50 Apple processes is excluded from being seen and controlled by NEFilterDataProvider, due to an undocumented Apple exclusion list. This is a regression from what was possible with NKEs,” wrote a developer that goes by Dok. “We believe it has a high number of drawbacks, and we already know this is negatively affecting our end users.”

Apple describes the NEFilterDataProvider as such:

Network content is delivered to the Filter Data Provider in the form of NEFilterFlow objects. Each NEFilterFlow object corresponds to a network connection opened by an application running on the device. The Filter Data Provider can choose to pass or block the data when it receives a new flow, or it can ask the system to see more of the flow’s data in either the outbound or inbound direction before making a pass or block decision.

In addition to passing or blocking network data, the Filter Data Provider can tell the system that it needs more information before it can make a decision about a particular flow of data. The system will then ask the Filter Control Provider to update the current set of rules and place them in a location on disk that is readable from the Filter Data Provider extension.

Apple’s NEFilterDataProvider is used by application firewalls and VPNs to filter traffic on an app-by-app basis. Bypassing NEFilterDataProvider makes it hard for VPNs to block Apple applications. Worse, researchers say the bypass can leave systems open to attack.

Bypassing Firewalls

While users assumed Apple would fix the flaw before the OS emerged from beta into full release, this doesn’t appear to have happened. Patrick Wardle (@patrickwardle) principal security researcher at Jamf, elaborated on the issue on Twitter just last week, demonstrating how the vulnerability that remains in the public release of the OS can be exploited by malware.

“In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.),” he tweeted, posing the question, “Could this be (ab)used by malware to also bypass such firewalls?”

> In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.) 🧐
>
> Q: Could this be (ab)used by malware to also bypass such firewalls? 🤔
>
> A: Apparently yes, and trivially so 😬😱😭 pic.twitter.com/CCNcnGPFIB
>
> — patrick wardle (@patrickwardle) November 14, 2020

Answering his own question, Wardle posted a simple graphic demonstrating how easily malware could exploit the issue by sending data from apps directly to the internet rather than using a firewall or VPN to first affirm or deny if the traffic is legitimate.

Moreover, he said it appears that Apple knew of the dangers of allowing such a feature to make it into the final release of the OS. Wardle posted an excerpt from an Apple Support document that stresses the critical nature of giving an OS the ability to monitor and filter network traffic for privacy and security reasons.

Apple did not respond to request for comment on the issue at the time this was written.

Indeed, Apple recently revealed that developers of apps for its hardware and devices will have to reveal how data is shared with any “third-party partners,” which include analytics tools, advertising networks, third-party SDKs or other external vendors. The move came after complaints about over-permissioned apps that collect, use and share private user information.

“One rule for them and another for the rest of the peasants,” tweeted Sean Parsons (@seanparsons), a developer and senior engineer at Momentum Works.

The VPN and firewall bypass isn’t the only problem being reported by users of Big Sur. A report in MacRumors based on user posts on one of its forums that claim that “a large number of late 2013 and mid 2014 13-inch MacBook Pro owners” reported that the OS is bricking this machines. Similar reports were found across Reddit and Apple Support Communities, according to the report.

Hackers Put Bullseye on Healthcare:On Nov. 18 at 2 p.m. EDT** find out why hospitals are getting hammered by ransomware attacks in 2020.Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this**LIVE, limited-engagement webinar.