Apple Have Removed The ContentFilterExclusionList from MacOS 11.2 Beta 2


After receiving negative reviews from macOS Pre-Tests, Apple decided to remove the ContentFilterExclusionList from macOS 11.2 Beta 2.

According to security researcher Patrick Wardle, in recent versions of macOS, the company has gradually phased out third-party kernel extensions, including network extensions, used by third-party security solutions (such as firewalls) to monitor and filter network traffic.

To ensure that newer versions of macOS (10.15 and up) continue to support the aforementioned security solutions, Apple has introduced a new Network Extension Framework for network extensions. Versions of Wardle's LuLu Firewall 2.0 and later use this framework to ensure compatibility with new releases of macOS.

However, not everything is as smooth as it seems. Unfortunately, Apple decided without warning that more than 50 of its own apps (including the App Store) and daemons should not be routed through the Network Extension Framework. A list of these applications can be found in /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist file (ContentFilterExclusionList key).

Because of the ContentFilterExclusionList, any traffic generated by these "excluded" items cannot be filtered or blocked by a firewall (such as LuLu). The question arises, why do we need such a firewall if it is not able to block all traffic? In addition, Wardle decided to test whether malware can take advantage of these exceptions to generate network traffic that can silently bypass firewalls. Using exceptions to generate hidden network traffic has proven to be very easy.

After some backlash from the media and feedback from macOS pretesters, common sense prevailed and Apple removed the ContentFilterExclusionList from macOS 11.2 beta 2. Now firewalls like LuLu can block all traffic again.

Previous Post Next Post