
plausibility | 1 year ago

One thing I learned from using Little Snitch is that a lot of Apple apps are seemingly immune from these types of firewalls, due to Apple shenanigans around kext signing etc. [0].

Ref also [1]:

> In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.)
> Q: Could this be (ab)used by malware to also bypass such firewalls?
> A: Apparently yes, and trivially so

[0] https://x.com/patrickwardle/status/1318437929497235457
[1] https://x.com/patrickwardle/status/1327726496203476992

Sporktacular | 1 year ago

This is no longer the case.

But another way around is the way VMware Fusion lets you set up networking in Bridged mode. Any traffic from the VM went through without a peep from Little Snitch running on the host. No reason malware couldn't be designed in the same way.

jasomill | 1 year ago

VMware Fusion isn't sandboxed and installs daemons running as root (which requires Gatekeeper approval or bypass to run, followed by an admin password to install the daemons).

AFAIK, XProtect is the only remaining line of defense against malware installed in this way.