In macOS Big Sur, Apple deprecated third-party kernel extensions, including Network Kernel Extensions (NKEs), which apps such as firewalls used to monitor network traffic. The user-mode replacement, Apple's Network Extension framework, had a side effect: a built-in exclusion list exempted Apple's own apps and daemons from third-party content filters, so their traffic bypassed those firewalls entirely. That has now changed: Apple has removed the exclusion list (starting with macOS 11.2).
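To check whether a particular Mac still carries that exclusion list, here is an added shell check; it is not code from the linked post or from Apple. It assumes the list is the `ContentFilterExclusionList` array in the NetworkExtension framework's `Info.plist` at the path below (an assumption on my part), and the sample plist embedded in the script uses constructed placeholder paths so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: report the Big Sur-era ContentFilterExclusionList, the list
# of Apple binaries exempt from third-party Network Extension content filters.
# Assumption: the list lives in the NetworkExtension framework's Info.plist.
PLIST_PATH="/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist"

# Constructed sample plist shaped like the real one; the two entries are
# placeholders, not Apple's actual excluded binaries.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.NetworkExtension</string>
  <key>ContentFilterExclusionList</key>
  <array>
    <string>/System/Library/CoreServices/ExampleAgentA</string>
    <string>/usr/libexec/exampledaemonb</string>
  </array>
</dict>
</plist>'

# Print each <string> inside the ContentFilterExclusionList array, one per
# line. Reads plist XML on stdin; prints nothing if the key is absent.
exclusion_list() {
  awk '
    /<key>ContentFilterExclusionList<\/key>/ { inlist = 1; next }
    inlist && /<\/array>/ { exit }
    inlist && /<string>/ {
      gsub(/.*<string>|<\/string>.*/, "")
      print
    }'
}

# Number of excluded binaries; 0 means the list is gone (the post-11.2 state).
exclusion_count() {
  exclusion_list | wc -l | tr -d ' '
}

# On a live Mac: convert the (possibly binary) plist to XML and dump the list.
# Empty output means no Apple binaries are exempt from your content filter.
if [ -r "$PLIST_PATH" ]; then
  echo "Excluded binaries on this system:"
  plutil -convert xml1 -o - "$PLIST_PATH" | exclusion_list
fi
```

Run it on the Mac in question; on a system that still has the list, every printed path is a binary whose traffic a socket-filter firewall will never see, which is exactly what the quoted researcher abused.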
I of course also wondered if malware could abuse these “excluded” items to generate network traffic that could surreptitiously bypass any socket filter firewall. Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic.
Check It Out: Apple Apps No Longer Bypass macOS Big Sur Firewalls
