The second beta version of MacOS 11.2 will no longer allow Apple software to circumvent socket firewalls and virtual private networks.
"ContentFilterExclusionList," first noticed by Mac security researchers in October, allowed around 50 Apple-brand programs to access the internet without going through the network extension framework that allowed several security products to work. The software essentially exempted Apple's own programs from being routed through its Network Extension Framework, which the company created to ensure security products (such as firewalls) could comprehensively monitor and filter network traffic in lieu of third-party kernel extensions.
Researchers like Patrick Wardle, who spied the changes to MacOS 11.2 beta, noted that "it was (unsurprisingly) trivial" for malware to take advantage of the exclusion list, and circumvent the security products as well.
"Due to the ContentFilterExclusionList list any traffic generated from these 'excluded' items could not be filtered or blocked by a socket filter firewall," blogged Wardle, who designed the firewall LuLu. He confirmed that the 11.2 beta release does not contain ContentFilterExclusionList, which means socket filter firewalls (such as LuLu) can filter/block all network traffic.
