Late last year, Apple found itself at the center of a scandal when independent developers figured out that dozens of Apple apps could bypass firewalls and VPNs in macOS Big Sur. These Apple apps bypass network extensions and VPN apps: cards, for example, can directly access the Internet, bypassing any running filters and proxies. The company has not officially commented on this issue, although many began to fear that such an exception could negatively affect Mac’s security. Of course, if Apple sets rules for apps, why doesn’t it want to follow them independently?
Vulnerability in macOS Big Sur
How did this problem come to light? After some macOS applications stopped working due to a crash on Apple servers on the day Big Sur was launched, the developers tried to block the computer from communicating with them. But they found that Apple gave its official apps the right to have full network access even with a firewall configured.
It turned out that macOS Big Sur added an internal file called ContentFilterExclusionList, a list of several Apple applications and services that can bypass any firewall and VPN installed on the Mac. These apps include the App Store, FaceTime, a software update service, and even the Music app.
What’s new in macOS Big Sur 11.2
As this could lead to potential security and privacy issues, Apple removed this list of exceptions from macOS Big Sur 11.2. In the new beta, which was released yesterday, there is no longer a list of “special” applications; now, they all obey the firewall and VPN.
However, since macOS Big Sur 11.2 is currently only available as a beta version, we do not yet know when this change will affect all users.
It’s unclear why Apple even made a list of select apps that can bypass firewalls and VPNs. Perhaps this is due to the innovations in macOS Big Sur, where writing kernel extensions has been changed. This, in particular, led to VPN and firewall problems, and Apple did not seem to want these failures to affect the performance of its applications.
Apple often talks about the value of privacy and how much the company is doing to protect its users from being snooped by advertisers and others. However, the inability to see and block all outgoing traffic from the computer should in no way be interpreted as improving security or protecting privacy. Apparently, the company also realized the scale of this problem and therefore decided to remove the privileges for its own applications.
But it’s worth remembering that while macOS Big Sur 11.2 isn’t out for everyone and is in beta status, millions of Macs worldwide still pass Apple apps through firewalls and VPNs. There are ways to “do justice” yourself – using an external firewall or VPN client on the router, but this requires the appropriate skills. It’s probably easier to wait for Apple to roll out the new version of macOS Big Sur to everyone.