Friday, September 15, 2017

Kernel Extensions in High Sierra

Felix Schwarz:

Apple has softened its tone regarding #Kext blocking in #HighSierra:

  • No more stop signs
  • “User-Approved” instead of “Secure”. Progress!

Felix Schwarz:

Fun fact: if the Security & Privacy prefs pane is already open while installing a new #kext, no “Allow” text or button is shown.

Felix Schwarz:

Fun fact 2: other than what the TN suggests, #kexts installed together, but in different locations, are approved together. Sometimes. 🙃

Felix Schwarz:

Fun fact 3: This is what happens when you try to “Allow” a #Kext using Screen Sharing: nothing. Remote admins will “love” this.

He’s filed a bug that goes into detail about some of the user experience issues and how it would be better if Apple provided an API for apps to request approval or had a review process for Apple-signed extensions to install without approval:

The “System Extension Blocked” alert gives the average user the impression that an app tried to do something fishy or dangerous and was stopped by the operating system. Or - even worse - that this is a trick alert brought up by the app that tries to trick users into opening System Preferences and removing safeguards there.


In its current state Secure Kernel Extension Loading in macOS 10.13 does not provide a good experience for either users or developers. In fact, if this feature ships as it is now, shipping a kext becomes a risk for the reputation of legitimate developers due to the optics of this feature's implementation.

Previously: Little Snitch 4 Public Beta.

Update (2018-08-14): Thomas Reed:

So many of the problems with kext restrictions in High Sierra fall on the developer. Allow button doesn’t respond, or doesn’t appear? Kext left behind in StagedExtensions? It’s seen as the dev’s fault. 😒 We’re doing Apple’s tech support.

Update (2018-08-30): Felix Schwarz:

#Mojave’s #kext approval prompt added a much needed “Open Security Preferences” button. Thanks to the engineer who did this! ❤️

It’s a real improvement over High Sierra[…]

Update (2019-03-22): Felix Schwarz:

User Approved Kext Loading after ~ 2 years:

- still has no API to provide a good user experience

- still ignores clicks on “Approve” – and still gives the user no feedback as to why it ignores them.

- still fills my support inbox & kills my sales 😭

Update (2019-08-15): Patrick Wardle:

Apple’s “User-Approved Kext” loading, is a pain for 3rd-party developers, but aims to thwart exactly this type of (real) attack.

5 Comments RSS · Twitter

Has the security design flaw reported in b9 that allowed to load a kext without the user approval (*) been fixed in the GM candidate?

* this user approval thing is so stupid.

@stephane I imagine you’re talking about this, but since Wardle didn’t disclose what the vulnerability is, I guess we’ll need him to confirm whether it’s fixed.

This is ridiculous too:

Allows programatically approving Kextsz

Leave a Comment