viralamo

Menu
  • Technology
  • Science
  • Money
  • Culturs
  • Trending
  • Video

Subscribe To Our Website To Receive The Last Stories

Join Us Now For Free
Home
Technology
Apple lets some Big Sur network traffic bypass firewalls
Technology

Apple lets some Big Sur network traffic bypass firewalls

17/11/2020

A somewhat cartoonish diagram illustrates issues with a firewall.

Patrick Wardle

Firewalls aren’t just for corporate networks. Large numbers of security- or privacy-conscious people also use them to filter or redirect traffic flowing in and out of their computers. Apple recently made a major change to macOS that frustrates these efforts.

Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu. The undocumented exemption, which didn’t take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend.

In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.) 🧐

Q: Could this be (ab)used by malware to also bypass such firewalls? 🤔

A: Apparently yes, and trivially so 😬😱😭 pic.twitter.com/CCNcnGPFIB

— patrick wardle (@patrickwardle) November 14, 2020

“100% blind”

To demonstrate the risks that come with this move, Wardle—a former hacker for the NSA—demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure. He set Lulu and Little Snitch to block all outgoing traffic on a Mac running Big Sur and then ran a small programming script that had exploit code interact with one of the apps that Apple exempted. The python script had no trouble reaching a command and control server he set up to simulate one commonly used by malware to exfiltrate sensitive data.

“It kindly asked (coerced?) one of the trusted Apple items to generate network traffic to an attacker-controlled server and could (ab)use this to exfiltrate files,” Wardle, referring to the script, told me. “Basically, ‘Hey, Mr. Apple Item, can you please send this file to Patrick’s remote server?’ And it would kindly agree. And since the traffic was coming from the trusted item, it would never be routed through the firewall… meaning the firewall is 100% blind.”

Advertisement

Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that “essential security tools such as firewalls are ineffective” under the change.

Apple has yet to explain the reason behind the change. Firewall misconfigurations are often the source of software not working properly. One possibility is that Apple implemented the move to reduce the number of support requests it receives and make the Mac experience better for people not schooled in setting up effective firewall rules. It’s not unusual for firewalls to exempt their own traffic. Apple may be applying the same rationale.

But the inability to override the settings violates a core tenet that people ought to be able to selectively restrict traffic flowing from their own computers. In the event that a Mac does become infected, the change also gives hackers a way to bypass what for many is an effective mitigation against such attacks.

“The issue I see is that it opens the door for doing exactly what Patrick demoed… malware authors can use this to sneak data around a firewall,” Thomas Reed, director of Mac and mobile offerings at security firm Malwarebytes, said. “Plus, there’s always the potential that someone may have a legitimate need to block some Apple traffic for some reason, but this takes away that ability without using some kind of hardware network filter outside the Mac.”

People who want to know what apps and processes are exempt can open the macOS terminal and enter sudo defaults read /System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist ContentFilterExclusionList.

NKEs

The change came as Apple deprecated macOS kernel extensions, which software developers used to make apps interact directly with the OS. The deprecation included NKEs—short for network kernel extensions—that third-party firewall products used to monitor incoming and outgoing traffic.

In place of NKEs, Apple introduced a new user-mode framework called the Network Extension Framework. To run on Big Sur, all third-party firewalls that used NKEs had to be rewritten to use the new framework.

Apple representatives didn’t respond to emailed questions about this change. This post will be updated if they respond later. In the meantime, people who want to override this new exemption will have to find alternatives. As Reed noted above, one option is to rely on a network filter that runs from outside their Mac. Another possibility is to rely on PF, or Packet Filter firewall built into macOS.

Source link

Share
Tweet
Pinterest
Linkedin
Stumble
Google+
Email
Prev Article
Next Article

Related Articles

Beat Saber is now an Oculus studio after Facebook acquisition
TechCrunch ist Teil von Verizon Media. Klicken Sie auf ‘Ich …

Want to survive the downturn? Better build a platform

TechCrunch’s Favorite Things of 2019
TechCrunch ist jetzt Teil der Verizon Media-Familie. Wir (Verizon Media) …

Twitter’s new reply blockers could let Trump hide critics

Leave a Reply Cancel reply

Find us on Facebook

Related Posts

  • Fast & Furious: Crossroads lives video games a quarter-mile at a time
    Twitter broadly bans any COVID-19 tweets that …
    19/03/2020
  • RootMetrics: Verizon’s 5G blazes past wider, slower T-Mobile and AT&T
    RootMetrics: Verizon’s 5G blazes past wider, slower …
    11/03/2020
  • Rocket Lab readies Electron for the first launch with rocket recovery systems on board – TechCrunch
    Rocket Lab readies Electron for the first …
    25/11/2019
  • ProBeat: Why Google is really calling for AI regulation
    Google’s federated analytics method could analyze end …
    27/05/2020
  • You can’t unsee Tedlexa, the Internet of Things/AI bear of your nightmares
    You can’t unsee Tedlexa, the Internet of …
    02/01/2021

Popular Posts

  • SpaceX Starlink to go South for first time with planned deployment in Texas
    SpaceX adds laser links to Starlink satellites …
    26/01/2021 0
  • Top 10 Final Deaths of Major Wars …
    28/12/2020 0
  • Microsoft is reportedly added to the growing list of victims in SolarWinds hack
    2020 had its share of memorable hacks …
    28/12/2020 0
  • 5 IPOs that show the importance of data in 2020
    5 IPOs that show the importance of …
    28/12/2020 0
  • IMVU: Making the coin of the realm for the metaverse
    IMVU: Making the coin of the realm …
    28/12/2020 0

viralamo

Pages

  • Contact Us
  • Privacy Policy
Copyright © 2021 viralamo
Theme by MyThemeShop.com

Ad Blocker Detected

Our website is made possible by displaying online advertisements to our visitors. Please consider supporting us by disabling your ad blocker.

Refresh
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.I AgreePrivacy policy