Release Notes

Improvements

• Improved performance of launching Little Snitch components with large rule sets.
• A connection alert will now point out if it is shown due to a contradiction between two rules about whether a connection should be allowed or denied. This can happen when Little Snitch cannot determine the hostname for a connection and therefore only has an IP address available. Then, if there are two rules with contradictory actions that match that IP address (e.g. allow connections to foo.example.com and deny connections to bar.example.com, both hostnames resolve to the same IP address), Little Snitch shows a connection alert asking what should be done.

Bug Fixes

• Fixed an issue where Little Snitch Agent could crash after wake from sleep.
• Fixed rules not becoming active and operation mode not being switched when deactivating a profile. Activating a profile or switching from one profile to another worked, though.
• Fixed an issue where the connection alert showed an internal error when a running application was replaced on disk without restarting afterwards. This can happen for apps that update themselves while running.
• Fixed an issue where no connection alerts were shown for connections established by the kernel itself.
• Fixed issues with Java apps that would cause problems with code signature checks and incorrect app icons and process paths to be shown.
• Fixed an issue in Little Snitch Configuration’s rule inspector where selecting “Any Port” or “Any Protocol” from the drop down menu did not work.
• Corrected the number of ticks for the “Capacity” slider in the preferences for Little Snitch Network Monitor.

Bug Fixes & Improvements

• Fixed a memory leak in the Little Snitch kernel extension that could amount to high kernel memory usage.
• Fixed an issue that could occur when writing files to NFS network shares (“nfs send error 89” would appear in the system log).

Bug Fixes & Improvements

• Renamed status menu item from “Litte Snitch Configuration” to “Little Snitch Rules”.
• Fixed an issue that could cause the system to hang for a while when reading a version 4.0.x configuration file in version 4.1.
• Connection Alert: Fixed an issue causing the update of a rule’s code signature information to fail under some circumstances, leading to repeated “code signature mismatch” warnings.
• Little Snitch Configuration: Editing a rule’s “Require valid code signature” setting now better handles the case when an exutable’s code signature on disk no longer satisfies the code signature requirement of the rule.

Rule Group Subscriptions

Rule Groups are sets of rules that anyone can create and publish on their web server for others to subscribe to. Whenever changes to the rules are made by the publisher, subscribers receive these changes.

This is useful for providing automatically updating blocklists, distributing a common set of rules to multiple computers in a corporate network, or for app developers who want to provide a set of rules to their customers to make it work seamlessly with Little Snitch.

To let you test this feature we provide an example rule group. To subscribe to this group, open Little Snitch Configuration, choose New Rule Group Subscription from the File menu, and enter the following URL:

https://obdev.at/resources/littlesnitch/blocklist-example.lsrules
                

You can find more information about subscribing and publishing in the documentation chapter Rule group subscriptions.

Other New Features and Improvements

• Improved display of inactive rules in Little Snitch Configuration. If a rule is inactive for whatever reason — either if it’s not enabled, if it’s part of a profile that’s currently not activated, if it’s in a rule group that’s currently not activated, or if the entire network filter is turned off — the rule is now consistently displayed with a gray text color.
• Focus Mode: Little Snitch Configuration has a new mode that allows you to focus on a specific subset of rules. Selecting one or more rules and then choosing Focus on Selected Rules or Focus on Rules Affecting Selection from the View menu will focus on just the rules you want to see, while leaving the search field free for further filtering. Focus Mode is also used for revealing matching rules from the connection alert or Network Monitor (e.g. by right-clicking a connection and choosing Show Corresponding Rules).
• The rule groups “iCloud Services” and “macOS Services” (previously named “Managed Rules”) can now be activated and deactivated using a checkbox next to their name in Little Snitch Configuration’s left sidebar (previously, these checkboxes could be found in the preferences window). This allows you to see what rules these sets contain before activating them.
• Profiles can now be activated and deactivated in Little Snitch Configuration’s left sidebar using a checkbox next to the profile.
• The special “Code Signature Issue Override Rules” that Little Snitch creates under certain circumstances can now be edited in Little Snitch Configuration just like normal rules. This should make it less confusing to deal with situations where an application is reported to have no valid code signature. See Code signature issues > Special Code Signature Issue Override Rules for more details.
• Connection alerts for applications that have an issue with their code signature now include direct links to the relevant section of the online documentation. The relevant chapter Code signature issues has been extended to provide much more details and examples for how Little Snitch behaves when an application without a valid code signature tries to establish a connection.
• Added support for the current version of the QUIC protocol. This fixes an issue with connections from Google Chrome, where the connection alert only showed the IP address instead of the hostname under some circumstances.
• In addition to checking that an application’s code signature is valid, Little Snitch now also checks the code signing certificate that was used to create the signature. Only certificates that were issued by Apple are currently accepted.
• Improved Little Snitch Installer to prevent malicious software from hijacking the installation procedure. Credit to Patrick Wardle (Digita Security LLC) for discovering this possibility.
• Many more minor improvements.

Bug Fixes

• Fixed CVE-2018-10470: Fixed an issue where some components of Little Snitch would only verify the code signature of the 64 bit slice of a fat binary when performing a code signature check, ignoring the 32 bit slice. With a maliciously crafted binary, this could lead to Little Snitch Configuration and Network Monitor to show that the code signature was valid, while the running process could have a non-valid code signature. Note that this did not affect what connections were allowed or denied. Credit to Josh Pitts (Okta, Inc.) for discovering this issue. For more details, read Josh’s blog post.
• Fixed an issue where a connection alert could sometimes be shown despite an existing rule that allowed the connection. We observed this mainly with Google Chrome.
• Fixed an issue in “Silent Mode – Deny Connections” where incoming TPC connections would sometimes be denied despite an existing rule that allowed the connection.
• Fixed issues with Automatic Profile Switching when joining a new, yet unknown network.
• Fixed an issue in the connection alert in conjunction with terminated processes when the “Confirm connection alert automatically” preferences option was turned on.
• Fixed an issue causing VPN connections to be wrongly considered as local network connections due to an incorrect netmask of the P2P interface set by the IPSec client of macOS.
• Fixed an issue causing the connection alert to repeatedly switch between different, pending connection attempts.
• Fixed multiple issues that could lead to a Code Signature Alert showing an internal error. These alerts should be gone now for universal apps running in 32-bit mode and for Java apps.
• Fixed an issue where a connection alert could disappear when the connecting process terminates.
• Many more minor bug fixes.

Improvements

Made Silent Mode actually silent again. Starting in Little Snitch 4.0.5, processes with certain code signature issues caused connection alerts to appear even during Silent Mode. These appeared in more situations than we originally intended, though, so we redesigned how this works. Now, no connection alerts will appear during Silent Mode (as it was before Little Snitch 4.0.5), but you may see a notification in the top-right corner of the screen about connections being denied due to code signature issues.

Bug Fixes

• Improved reliability when handling responses to DNS requests delivered via TCP instead of UDP. Credit to Samuel Williams of the RubyDNS project for discovering this issue.
• When changing the active profile using Little Snitch’s menu bar item while a connection alert was shown, the active profile’s name was not updated in the connection alert’s profile picker. This works as expected now. Note that the correct profile was used when creating a rule – just the name in the profile picker was not updated.
• Fixed an issue that could cause connection alerts to appear that would show no host or domain names, but IP addresses. This could sometimes happen relatively early after starting the computer for a very small number of users.

Internet Access Policy

• Little Snitch is now smarter in figuring out what information in your app’s IAP is relevant for a particular connection. This results in more concise and more relevant information being shown to the user. This new behavior is documented here.
• You can now specify that a connection description should match if and only if the user selects a connection for a whole domain or “any connection”. You can find the documentation for this here.
• Links in Markdown syntax now render correctly and show the linked URL as their tooltip.

Bug Fixes

• Fixed a kernel panic introduced in Little Snitch 4.0.4 that would occur when a single process established more than two billion outgoing connections.
• Fixed multiple issues causing a connection alert indicating an internal error related to a code signature mismatch from being shown.
• Fixed an issue where scrolling in Little Snitch Network Monitor’s inspector would not work.
• Fixed incorrect sorting of Time Machine Backups in Little Snitch Configuration’s “Import from Backup…” sheet.

Improvements

• The connection alert now points out if a connection is to or from the local network and offers a new option to create a rule for “Only local network”. Creating such a rule was possible in Little Snitch Configuration, but now you can do this in the connection alert, too.
• For hostnames that end in .local, the connection alert will now create host rules, not domain rules. These rules worked as intended, but it makes more sense to create host rules instead.
• A connection alert informing about a code signature mismatch is now shown even if Silent Mode is active. This is to prevent processes with an invalid code signature from communicating even in Silent Mode.
• If an app changes its bundle identifier in an update, Little Snitch will update any existing rules for that app if the new version is located at the same path and is signed by the same developer. Previously, a connection alert indicating a code signature mismatch was shown.
• Improved a button label in connection alert in case of a code signature mismatch to avoid possible confusion. Previously, it read “Require New Code Signature…” and now it’s “Accept New Code Signature…”.
• Improved alert when macOS blocks Little Snitch’s kernel extension from being loaded. In addition to opening the “Security & Privacy” preferences panel, it also switches to the “General” tab, where it must be allowed.
• Prevented multiple notifications about incoming connections from the local network to processes without a code signature being shown. Details: In earlier versions, if “Ignore code signature for local network connections” was enabled (in Little Snitch Configuration > Preferences > Security), an allow rule for only the specific IP address of the connecting peer was created and a notification was shown each time this happened. With this change, an allow rule for any incoming connection for the local network will be created and only a single notification will be shown. Note that this does not change what connections are accepted, only how many notifications are shown.
• Improved performance when duplicating a large number of rules in Little Snitch Configuration.
• Double-clicking an unapproved rule in Little Snitch Configuration to show the rule inspector now only approves the rule if the inspector is closed with the “OK” button, not with the “Cancel” button.
• Fixed Little Snitch Network Monitor sometimes showing incorrect hostnames for incoming UDP data. Note that only the names shown were incorrect – the network filter and rules were not affected by this.

Internet Access Policy

• Developers can now specify their name that will be shown to users as the source of the IAP information. Previous versions of Little Snitch used the name as defined in the code signing certificate, but this does not work for apps downloaded from the App Store. See the specification of keys for details.
• If the developer’s name is read from the app’s code signing certificate, Little Snitch now shows the name without the country. For example, it’s now “Objective Development”, not “Objective Development, AT”.
• Added support for Internet Access Policy files written in JSON format (in addition to the Property List format). See section File format for more information.
• Added support for Internet Access Policy files embedded in XPC services. See the section Support for XPC services in the developer documentation for details.
• Fixed an issue where developers testing the Internet Access Policy in their apps would not see up-to-date information in Little Snitch, specifically in localizations. Cache invalidation is hard.

Internet Access Policy

In Little Snitch 4 we’ve introduced a new Internet Access Policy (IAP) standard, allowing third party app developers to bundle a policy file with their application containing information about the Internet connections their program is about to establish.

This gives developers the opportunity to describe the purpose of these connections, why they are necessary and why it’s recommended or necessary to allow them.

With Little Snitch 4.0.4 we’ve extended the policy format to allow providing dedicated information about potential consequences when denying a particular connection.

Whenever you choose to deny a connection via Little Snitch — either in the connection alert or in Network Monitor — we now display that information helping you to make a better informed decision.

IAP Improvements

• Little Snitch now includes Internet Access Policies for several Apple processes shipped with macOS.
• Fixed an issue with localized IAP files.
• Added support for Markdown-style links.

Network Monitor

• Blocked connections are now indicated in the map with a red flashing connection line.
• Significantly improved performance when handling large amounts of connects.
• Improved performance in case of large file downloads.
• New action: “Show Recently Used Rule(s)”. Accessible by holding down the Option key while right-clicking a line in the list.
• Fixed an issue causing heavy flickering of the map during zooming or panning on macOS 10.13 High Sierra.
• Fixed locations on Little Snitch Network Monitor’s map being drawn too large on macOS 10.13.
• Fixed: The menu bar did not respond immediately after opening the Network Monitor window.
• Fixed: Network Monitor no longer flashes connection lines that are currently invisible due to filtering.
• The data rate display in the inspector pane now respects the Bits/s vs. Bytes/s user preference.
• The experimental “Handle Connection Attempts in Monitor” preferences option has been removed.

Code Signature Check Improvements

• Fixed an issue that could incorrectly lead to a connection alert indicating a code signature mismatch between a running process and an existing rule.
• Fixed an incorrect message “Incoming Connection Denied due to invalid code signature” being shown, usually for the process netbiosd.
• Improved a confusing code signature mismatch message in connection alert when the bundle identifier of the connecting app changed.
• When a rule is created using the connection alert’s “Deny Any Connection” button (only shown in case of a code signature mismatch or an invalid code signature), that rule is now permanent instead of “Until Quit”.
• Fixed an issue where a deny rule labelled “override due to code signature issue” could inadvertently be turned into a permanent allow rule.
• Fixed an issue where the connection alert would show that an XPC process’ parent app had no code signature. This would happen when the parent app was already terminated at the time when the XPC process tried to establish a connection.

General

• Improved handling and presentation of code signature issues.
• Improved help text of rule suggestions covering multiple connection attempts.
• Improved handling of incoming ssh connections.
• Improved handling of denied incoming connections.
• Improved display of connection alerts on small displays.
• Improved creation of diagnostics reports.
• Improved protection against malware attempting to modify Little Snitch.
• Improved reliability of showing connection alerts in cases where a process only opens a connection, but never actually sends or receives any data.
• For improved privacy the Little Snitch configuration file is now saved in an encrypted format.
• Fixed a vulnerability where the process name in Little Snitch Configuration’s rule inspector could be constructed to execute as a shell command. Security impact: If users follow malicious instructions, they can enter a text string in Little Snitch Configuration which is unexpectedly executed in a shell under the user’s privileges. Not exploitable from remote or by local processes.
• Added a preference option allowing to choose whether OpenVPN remote servers should be distinguished or not.
• Added “Port 22 (SSH)” to the port popup list in the rule editor of Little Snitch Configuration.
• Due to a bug in macOS, applications may hang for a while when they attempt to show animated graphics. Little Snitch detects when important components stop responding and used to generate diagnostics info. Since this further slowed down the machine, we no longer generate these diagnostics and simply restart the affected component.
• Fixed a rare kernel panic.
• Fixed an issue when choosing the “Once” option in the connection alert.
• Fixed an issue related to handling connections via VPN.
• Fixed a rare crash of Little Snitch Network Monitor that could occur when an app would use a network socket in an unusual, but still correct way. This could happen when using the PS4 Remote Play app.
• Fixed a kernel panic by making Little Snitch’s kernel extension more robust when other third party kernel extensions overwrite memory that belongs to Little Snitch.
• Fixed outdated message in installer log when boot cache update failed due to a full Recovery HD.
• Improved detection of which app uses an XPC helper.
• Fixed some unexpected but harmless messages from the kernel in the system log that would occur only on MacBook Pro with TouchBar.
• Several other bug fixes and improvements.

Privacy Note

For improved privacy the Little Snitch configuration file is now stored in an encrypted format. When switching to the encrypted format, a backup of the old, unencrypted configuration file is made. If you prefer to have only encrypted configuration files stored on disk, we recommend to remove any unencrypted backup files. Their filename contains a date and timestamp, and they are located in the following folders:

/Library/Application Support/Objective Development/Little Snitch/
~/Library/Application Support/Little Snitch/

To open these folders you can use Finder’s Go to Folder… command (⇧⌘G).

Downgrading Note

Since this version stores all configuration files in encrypted format, previous versions cannot read them. If you downgrade, all your rules and preferences are lost. In order to prevent data loss, this version makes a backup of your configuration at /Library/Application Support/Objetive Development/Little Snitch/configuration_<dateandtime>.xpl before encrypting. Previous versions can restore from this backup via Little Snitch Configuration > Rules > Import from Backup….

Alternatively, you can make a backup of your configuration even in the new version (via Little Snitch Configuration > Rules > Backup…) and restore it after downgrading. Backups are not encrypted in order to keep them backward-compatible.

Network Monitor

• Added preferences option for showing data rates either in Bytes/s or Bits/s.
• More prominent indication if a filter is currently active.
• Added support for full screen mode.

Notifications

• Improved “Simulated Input Ignored” notification.
• Fixed: Notifications weren’t shown under some circumstances.
• Fixed: Silent Mode Notifications are no longer shown when the Network Filter is turned off.

Little Snitch Configuration

• Improved keyboard control in rule editor.
• Fixed broken help links in the right sidebar of the rules window.

General Improvements

• Improved installation procedure on High Sierra.
• Improved code signature checking.
• Improved Deep Packet Inspection.
• Improved Touch Bar support.
• Improved support for “lftp”.
• Improved support for Viscosity OpenVPN client.
• Improved support for FTP and MySQL.
• Fixed an issue when creating via-rules in the connection alert, when the main-process and the via-process are from different users.
• Various bug fixes and performance improvements.
• Overall improved stability.

General Improvements

• Simplified upgrade procedure for owners of Little Snitch 3.
• Improved demo mode indication.
• Fixed a bug that caused the Little Snitch Configuration to freeze.
• Many minor bug fixes.

Menu Bar Icon

• Added demo mode indication.

General Improvements

• Improved Touch Bar support.
• Improved handling of FTP connections.
• Improved upgrade from version 3 to preserve an active Silent Deny Mode.
• Domains and search-domains that are explicitly configured in macOS System Preferences > Network Preferences > Advanced > DNS are now considered.
• Fixed some spelling errors, improved wording and localization.
• Fixed a crash of Little Snitch Agent when turning off the Network Monitor while Silent Mode was active.
• Fixed an issue when creating a new rule or profile in Little Snitch Configuration while the Known Networks window was open.
• Fixed a possible kernel panic.
• Many minor bug fixes.

Connection Alert

• The connection alert now shows a warning when the connecting application is affected by Gatekeeper Path Randomization (which indicates that the app was not correctly installed).
• The alert now also shows a plain text representation of internationalized domain names containing special characters which require encoding. This makes it possible to identify homograph domain name attacks.
• It’s now possible to get the port and protocol specific option preselected in the connection alert (See Little Snitch Configuration > Preferences > Alert).
• The connection alert now allows to create rules for an entire Content Delivery Network domain.
• Fixed the ordering of minimized alerts: When maximizing the alert, the last minimized alert is opened first.

Menu Bar Icon

• Improved indication of active silent mode in menu bar.
• The menu bar icon is now always shown while “Silent Mode — Deny Connections” is active, regardless of the “Show status in menu bar” preference option.

Network Monitor

• Added preferences option to show the Network Monitor when the mouse hovers the menu bar icon.
• Added “Help” menu item.
• Improved Top Countries summary statistics in Connection Inspector.
• Fixed a bug where Network Monitor became unresponsive when Little Snitch Daemon crashed.
• Fixed an issue causing Network Monitor to start with an empty list instead of showing the stored previous connections.

Connection Alert

• Fixed a bug where the profile selection button was not shown although a profile was currently selected.

Little Snitch Configuration

• Fixed a bug where a warning about changing a code signature requirement was erroneously displayed when editing a rule.

Network Monitor

• Fixed a bug where the Summary Connection Inspector displayed a duplicate line in the top countries statistics.

Other Improvements

• Fixed spelling errors and localization.
• Removed unused files from distribution.

Connection Alert

• Added a preference setting for getting the active profile preselected in the connection alert.

Network Monitor

• Fixed a bug causing Rule Management Buttons in Network Monitor to show a wrong allow/deny status.
• Fixed a bug where a traffic dump caused false incoming connection indications for all connections that occurred during the dump.
• Fixed a hang of several seconds when stopping the traffic dump.

Other Improvements and Bug Fixes

• The “numeric traffic rate” display in the menu bar item now uses the system font.
• Rules for iOS Simulator apps can now require a valid code signature.
• Fixed a crash of Little Snitch Daemon when using the “Search for an Older Mac” option in AirDrop.
• Fixed an issue with domain names containing Unicode characters whose code point is greater than 65535. This bug affected some domains containing emoji.
• Added missing localizations.
• Improved wordings.

Compatibility with macOS High Sierra

• This version is compatible with the beta version of macOS High Sierra 10.13.
• During the Installation of Little Snitch on macOS High Sierra you may see a message: “System Extension Blocked”. This is a new security mechanism in High Sierra, requiring you to explicitly allow the installation of a third party system extension. To complete the installation of Little Snitch you have to allow loading the extension in System Preferences > Security & Privacy > General.
• There’s a known issue in the map view of Network Monitor causing connection endpoints to be shown twice.

Network Monitor

• Fixed a possible crash when zooming to a particular map region in the course of clicking a connection in the list.
• Added further time interval filter options for showing only connections from the last week or the last 30 days.
• The properties shown in the Summary Inspector (denied, unconfirmed, incoming) now correctly correlate to the corresponding filter options.
• Improved pinch-zooming in map: The zooming no longer stops when clusters are expanded into their sites.
• Updated GeoIP database. Network Monitor should now know more locations for IP addresses.

Other Improvements

• Improved texts describing code signature issues.
• Many minor bug fixes and improvements.

Network Monitor

• A status line below the connection list now indicates when only a selection of connections is currently displayed, and it provides a quick way to clear that selection.

Little Snitch Configuration

• The rule editor now warns if an IP address is entered although the input of a host or domain name is expected.
• Automatic software update checks are now always enabled in beta versions.

Other Bug Fixes and Improvements

• Fixed a possible odd behavior if a rule refers to many IP address ranges or host names.
• Fixed an issue were some hosts were not displayed by name, but by IP address only.
• Improved updates of code signature information in rule set.
• Other minor bug fixes.

Network Monitor

• Fixed a possible crash of Network Monitor when selected connections span a broad geographic region on the map.
• Appearance changes (light/dark) are now applied to all windows.
• The context menu now also works for a multiple selection of connections.
• The connection context menu now contains rule editing options. Pressing the Option key allows to create a rule in the current profile.
• Improved undo description for undo/redo of rule manipulation operations.

Little Snitch Configuration

• Fixed: When editing a multiple selection, code signature requirements are no longer removed from edited rules.

First Impression

• Fixed a possible crash of the initial Welcome Window. This crash could prevent Little Snitch Configuration from starting altogether.
• The Network Monitor demo period has been reset to give users upgrading from Little Snitch 3 a chance to try the new version for another month.
• If the Network Monitor demo period has expired and the user turns on Silent Mode, we now show an appropriate message, but no longer ask for starting Network Monitor.

Other Bug Fixes and Improvements

• After confirming a connection alert the keyboard focus is now given back to the previous application. This is the traditional behavior, but was broken due to code refactoring.
• Fixed a crash of Little Snitch Helper when stepping through the connection list in Network Monitor, which triggered lots of code signature checks if the “Code Signature” section was open in the Inspector pane.
• Improved handling of code signature requirements for Apple processes.
• UI graphics and animation improvements.
• Other minor bug fixes.

Network Monitor

• The rule management buttons now always indicate the existence of matching rules. If there’s an exact match for this kind of connections, the buttons are red or green. Otherwise, if the rule matches a subset or superset of connections, the match is indicated in gray.
• The search field has been moved to the top of the window and it now contains a filter menu providing access to various filter options.
• Removed menu button from the window toolbar. The options contained in this menu are now accessible from the main menu and from the filter menu in the search field.
• Significantly improved performance when opening the Network Monitor window.
• “Show Corresponding Rules” in context menu should now work in all cases, no longer reporting that the corresponding rules don’t exist anymore.
• The map now indicates connections that are covered by deny-rules with a red connection line color.
• The map now automatically zooms to the connections that are selected in the list.

Welcome Window

• The initial Welcome Window (which is shown automatically after the first installation) is now kept on top of other windows.
• Connection alerts that occur while the initial Welcome Window is shown are now minimized so they don’t interfere with the initial setup.

General

• Fixed a bug where connections from VirtualBox guest were shown with IP address only.
• Fixed some layout issues on OS X 10.11.
• Fixed an issue with connection alerts for Java applications. The alert always complained about code signature issues.
• Fixed a bug which prevented some web sites from loading when deny-rules blocked some content.
• Many more bug fixes and minor improvements.