Hello, welcome to the Wednesday, November 18th, 2020 edition of the Sansaernet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

So if you installed macOS 11 bixer, you probably noticed that some network security software like Little Snitch, for example,

had to be updated.

This software is no longer able to use kernel modules in order to intercept network traffic.

Instead, Apple made available a special API, the network extension API,

that is supposed to be used to inspect network traffic,

and the latest version of Little Snitch, Little Snitch 5,

is taking advantage of this API.

So the switch to the API was mandated by Apple by removing the ability to load

kernel modules. And in the end, it looked all fine. We now have a nice API to inspect network

traffic. But the side effect of this is that Apple exempted some of its own software from inspection.

So all you have to do is you have to find an Apple application that is in this content filter exclusion list, as they call it, pick a back traffic on it, and you have a nice covert channel that bypasses any kind of

third-party filtering products.

Now, Patrick Wardle has been communicating with Apple about this problem.

He has filed a vulnerability report about this, but this hasn't been addressed in the final release

of macOS 11. So now he tweeted a couple of proof of concept exploits that show how he was able

to exfiltrate data, essentially set up a command control channel by piggybacking traffic

on software that is in Apple's content filter exclusion list.

Apple is kind of typical, has not released any comments about this.

Aside from a couple of tweets from Patrick Wardle, there are no additional details, so I don't think he has released any tools at this point.

And I'm using Little Snitcher as an example.

...