Attackers can exploit the feature & send people’s data directly to remote servers, posing a privacy & security risk, researchers observed.
Security researchers are lambasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters & VPNs. They say it is a liability that can be exploited by threat actors to bypass firewalls, gain access to people’s systems & expose their sensitive data.
A Big Sur beta user called Maxwell (@mxswd) was the 1st to point out the issue in Oct. on Twitter. Despite concerns & questions among security professionals, Apple released Big Sur to the public on Nov. 12.
“Some Apple apps bypass some network extensions & VPN Apps,” he tweeted. “Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running.”
His tweet triggered a rash of comments decrying the issue & accusing Apple, which has long touted its concern for user privacy & the overall security of its products over those of its rivals, of having a double standard when it comes to the company’s own privacy policies & those it imposes on its customers & partners.
Some Apple apps bypass some network extensions & VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running 😒
— Maxwell (@mxswd) October 19, 2020
Discomfort with Apple’s choice to bypass its own NEFilterDataProvider was also echoed on Apple’s Developer Forum.
50 Apple Apps Excluded?
“We found out that traffic from about 50 Apple processes is excluded from being seen & controlled by NEFilterDataProvider, due to an undocumented Apple exclusion list. This is a regression from what was possible with NKEs,” wrote a developer who goes by ‘Dok.’
“We believe it has a high number of drawbacks, & we already know this is negatively affecting our end users.”
Apple describes the NEFilterDataProvider as follows:
Network content is delivered to the Filter Data Provider in the form of NEFilterFlow objects. Each NEFilterFlow object corresponds to a network connection opened by an application running on the device. The Filter Data Provider can choose to pass or block the data when it receives a new flow, or it can ask the system to see more of the flow’s data in either the outbound or inbound direction before making a pass or block decision.
Filter Data Provider
In addition to passing or blocking network data, the Filter Data Provider can tell the system that it needs more information before it can decide about a particular flow of data. The system will then ask the Filter Control Provider to update the current set of rules and place them in a location on disk that is readable from the Filter Data Provider extension.
Apple’s NEFilterDataProvider is used by application firewalls & VPNs to filter traffic on an app-by-app basis. Bypassing NEFilterDataProvider makes it hard for VPNs to block Apple applications. Worse, researchers say the bypass can leave systems open to attack.
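To show what “pass, block, or ask to see more of the flow” looks like in practice, here is an added illustration of a macOS filter data provider (this is not code from the article, from Apple’s documentation or from any of the firewalls named here; the class name, the allow-list and the plaintext-credential check are assumptions made for the example):

```swift
import NetworkExtension

// Hypothetical provider class; names and the allow-list are assumptions, not Apple's code.
final class AuditingFilterDataProvider: NEFilterDataProvider {
    // Constructed allow-list standing in for a real rules store.
    private let allowedApps: Set<String> = ["com.apple.Safari", "com.example.mail"]

    // Ask the system to route every outbound flow through this provider.
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        let allOutbound = NENetworkRule(remoteNetwork: nil, remotePrefix: 0, localNetwork: nil,
                                        localPrefix: 0, protocol: .any, direction: .outbound)
        let rule = NEFilterRule(networkRule: allOutbound, action: .filterData)
        apply(NEFilterSettings(rules: [rule], defaultAction: .allow)) { completionHandler($0) }
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // One NEFilterFlow per connection: pass it, block it, or ask to see more bytes first.
    // On Big Sur, flows from processes on Apple's undocumented exclusion list never
    // reach this method at all, which is the gap the article describes.
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint else { return .allow() }
        let bundleID = socketFlow.sourceAppSigningIdentifier ?? "<unsigned>"
        NSLog("new flow: %@ -> %@:%@", bundleID, remote.hostname, remote.port)
        if !allowedApps.contains(bundleID) {
            return .drop()                       // block: app not approved by the user
        }
        if remote.port == "80" {                 // plaintext HTTP: peek at the request first
            return .filterDataVerdict(withFilterInbound: false, peekInboundBytes: 0,
                                      filterOutbound: true, peekOutboundBytes: 512)
        }
        return .allow()                          // pass: no further inspection
    }

    // Receives the peeked outbound bytes; drop requests sending credentials in the clear.
    override func handleOutboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int,
                                     readBytes: Data) -> NEFilterDataVerdict {
        // ISO Latin-1 decodes any byte sequence, so a partial multibyte prefix cannot fail here.
        if let text = String(data: readBytes, encoding: .isoLatin1),
           text.range(of: "\r\nAuthorization:", options: .caseInsensitive) != nil {
            return .drop()
        }
        return .allow()                          // let the rest of the flow through unfiltered
    }
}
```

A provider like this runs inside a system extension and only sees the flows the OS hands it, which is why an OS-level exclusion list removes those processes from the firewall’s view entirely.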
While users assumed Apple would fix the flaw before the OS emerged from beta into full release, this does not appear to have happened. Patrick Wardle (@patrickwardle), principal security researcher at Jamf, elaborated on the issue on Twitter just last week, demonstrating how the vulnerability that remains in the public release of the OS can be exploited by malware.
“In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.),” he tweeted, posing the question, “Could this be abused by malware to also bypass such firewalls?”
In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.) 🧐
Q: Could this be (ab)used by malware to also bypass such firewalls? 🤔
A: Apparently yes, & trivially so 😬😱😭 pic.twitter.com/CCNcnGPFIB
— patrick wardle (@patrickwardle) November 14, 2020
Answering this question, Wardle posted a simple graphic demonstrating how easily malware could exploit the issue by sending data from apps directly to the internet, rather than passing through a firewall or VPN that would first determine whether the traffic is legitimate.
He commented further that it appears that Apple knew of the dangers of allowing such a feature to make it into the final release of the OS. Wardle posted an excerpt from an Apple Support document that stresses the critical nature of giving an OS the ability to monitor & filter network traffic for privacy & security reasons.
Apple recently revealed that developers of apps for its hardware & devices will have to reveal how data is shared with any “3rd-party partners,” which include analytics tools, advertising networks, 3rd-party SDKs or other external vendors. The move came after complaints about over-permissioned apps that collect, use & share private user information.
“One rule for them & another for the rest of the peasants,” tweeted Sean Parsons (@seanparsons), a developer & senior engineer at Momentum Works.
The VPN & firewall bypass is not the only problem being reported by users of Big Sur. A MacRumors report, based on user posts on one of its forums, claims that “a large number of late 2013 & mid 2014 13-inch MacBook Pro owners” have found that the OS is bricking their machines. Similar reports were found across Reddit & Apple Support Communities, the report says.