Home News Why Apple Dropped macOS Big Sur Feature ‘ContentFilterExclusionList’

Why Apple Dropped macOS Big Sur Feature ‘ContentFilterExclusionList’

The controversial feature - ContentFilterExclusionList - that Apple recently dropped from its macOS Big Sur, allowed over 53 of its apps to bypass third-party firewalls and security tools.

Apple App Store, Apple vulnerabilities

Apple has dropped a controversial feature from its macOS Big Sur 11.2 beta 2 that allowed 53 of its applications to evade security scans, third-party firewalls, and VPNs. The feature, dubbed ContentFilterExclusionList, allowed popular apps like App Store, iCloud, FaceTime, Music app, and Maps to bypass the security protocols, which could be exploited by cybercriminals.

The Controversial Feature

In the latest versions of macOS, Apple deprecated third-party Kernel Extensions, including the Network Kernel Extensions (NKEs), which are used to comprehensively monitor and filter the network traffic. Apple launched the user-mode Network Extension Framework to support such products on modern versions of macOS (10.15+). However, it exempted more than 50 of its applications from being routed through the Network Extension Framework.

What Researchers Say…

The issue came to light in October 2020, after several security experts and app developers reported that their security tools failed to monitor/filter the traffic of the apps listed under ContentFilterExclusionList.

According to security researcher Patrick Wardle, cybercriminals can create malicious codes to exploit the legitimate Apple apps present in the list and then bypass the security tools and firewalls. He said, “Due to the ContentFilterExclusionList list, any traffic generated from these ‘excluded items’ could not be filtered or blocked by a socket filter firewall (such as LuLu).”

Users of macOS are also concerned about exposing their actual IP address and locations while using these apps.

Wardle Tweets…

“The ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2). This means socket filter firewalls (such as LuLu) can now comprehensively monitor & block all network traffic). In Big Sur, Apple decided to exempt many of its apps from being routed thru the frameworks they now require third-party firewalls to use (LuLu, Little Snitch, etc.),” Wardle added.