macOS 10.15.4 will deprecate kernel extensions (KEXT)

[Massimiliano]

macOS 10.15.4 will deprecate kernel extensions (KEXT)   Da macOS 10.15.4 Apple bloccherà le estensioni per il kernel (KEXT) (It's an italian blog article)

What will this mean for Malwarebytes and for the users?

Thanks

Edited February 8, 2020 by MAXBAR1
Correct sentence

[alvarnell]

Google Translation:

Quote

 

From macOS 10.15.4 Apple will block extensions for the kernel (KEXT)
Of Mauro Notarianni Feb 8 2020

At last year's WWDC 2019 Worldwide Developers Conference, Apple announced plans to deprecate - advise against a previously documented and official feature - KEXTs (kernel extensions) and replace them with a new mechanism called "system extensions".

The first step in this direction began with the arrival of macOS 10.15 Catalina in September 2019, with the arrival of the system extensions, supported together with the kernel extensions.

Apple's plan now continues and with macOS 10.15.4 (currently in the hands of developers) the use of various third-party extensions in the kernel will trigger a notification to users to explain that the software uses deprecated APIs, inviting you to contact with the developer for updates or alternatives.

How KEXT and system extensions work

Kernel extensions and system extensions have the same purpose: to allow the user to install apps that extend the native functionality of the operating system. The apps install kext / system extensions to offer functionality or allow the execution of operations that the operating system does not offer natively.

From macOS 10.15.4 Apple will block extensions for the kernel (KEXT)

Among the software that installs kernel extensions are: firewalls, VPN clients, DNS proxies, USB drivers and others. The difference between system extensions and old kernel extensions is that they are run at the macOS kernel level, while new system extensions are run in the more isolated and controlled environment of the user space (isolated in its own space). memory).

"From Apple's perspective, this is an important step forward in improving macOS security," Jamf Principal Security Researcher Patrick Wardle told ZDNet. "Third-party kernel extensions are a succulent attack vector for attackers targeting macOS."

The researcher explained that if a cybercriminal somehow manages to install a dangerous KEXT, there is no defense mechanism that holds; much less dangerous to allow execution in user space: user space is a kind of sandboxing (technology that limits the types of operations that an application can perform), in which user agents can only access the memory that was theirs assigned and cannot ruin other programs and the kernel.

Among the negative aspects of the inability to install the KEXTs, Apple's greater control over the entire system, on a par with what the company already does with iOS.

Until now it was possible to develop extensions for the kernel allowing developers to extend the functionality made available by the operating system; this possibility was also exploited by various security software. Wardle however reports that Apple provides "great user-space frameworks" with all the useful features for security tool developers. We'll see if they are all roses and if certain software developers complain ...

 

I am certain that Malwarebytes v4 has already adapted to the change so there won't be any impact to users (as have the most/all developers who's applications I currently use with Catalina). Looks like v3 was adapted earlier, but I'm no longer using it.

[Massimiliano]

Thanks for your prompt reply but

I asked it because, at least on my system, with MWB 4 there is still a KEXT

See path:

/Library/Application Support/Malwarebytes/MBAM/Kext/MB_MBAM_Protection.kext

and installing MWB is a clean install and not an app update

[alvarnell]

Yes, it’s still labeled as a .kext, but it’s actually built as a System Extension, running in user space (not the kernel) and does not use any of the former API’s that give no longer allowed accesses. There’s lots of information available in Apple’s developer area, but I suspect you won’t be able to access that.

The outlawed .kext used to always appear in /System/Library/Extensions which is now off-limits.

Edited February 9, 2020 by alvarnell

[Massimiliano]

Thanks for the clarifications. Back then, the 3.x version was already like that

[alvarnell]

1 hour ago, MAXBAR1 said:

Back then, the 3.x version was already like that

Yes, that’s what I meant by “Looks like v3 was adapted earlier” but I’m not certain whether that was always true of v3 or if implemented after originally released.

[alvarnell]

After reading this blog article tonight When you can’t run an app because its extension(s) won’t load, I'm not confident of my answers. 

Apparently System Extensions should end in .sext and in searching my Catalina drives, I don't have any yet from any developer.

I'm also seeing some traffic asking if anybody has received one of those warnings about deprecated KEXT API's and nobody indicates they have.

The article seems to hint that if you have a non-compliant KEXT installed before updating to Catalina 10.15.4, it might still work, but nobody really knows yet.

We should hear from the staff shortly on whether or not they feel their KEXT is compliant, and if not whether they believe it will be before 10.15.4 is released.

It's also possible that Apple will back off the deadline if too many developers are not able to comply when 10.15.4 is released this Spring.

[Massimiliano]

In my personal case, the only two software that have requested kernel extension privacy panel approval are the HP multifunction laser printer drivers and Malwarebytes.

From what I understand, the following app should use a system extension and not a kernel extension Firewall - Network Monitor created by Paragon Software GmbH available on the Mac AppStore for free

 

[treed]

Malwarebytes for Mac does NOT actually use a System Extension yet. Work on that is underway, and has been for some time, but it is not ready yet.

Also, to clarify some other things...

1) Apple has not, strictly speaking, changed anything regarding deprecation of kexts. Technically, the KAUTH and other APIs used by kexts have been deprecated for some time. Deprecation does not mean they no longer work, just that they are in danger of not working in the future. Because there were no other options, historically, most companies that have software that relied on KAUTH continued to use it anyway.

2) Nothing is changing regarding the availability of these APIs in macOS 10.15.4.

3) We know that things will change in macOS 10.16, but it's still not entirely certain how they will change. We'd really rather not find out, and are planning to have a System Extension before then.

4) As far as I can tell, the only change in 10.15.4 appears to be that the warning message that is displayed when the software tries to activate the kext has changed from this:

to this:

[Massimiliano]

Ok, thanks.

Then zero worries, because probably my Mac being a 13" mid 2012 (not Retina display) will not see macOS 10.16.

Anyway, I'll find out at WWDC in June

[GuruGuy]

Updated Mac today and after reboot, got this little text box as shown in this apple article.  I'm on the latest Malwarebytes release

 

https://support.apple.com/en-us/HT210999

[Massimiliano]

It's true, it appears at the first post installation reboot, but I tried to restart and the second time it doesn't appear anymore. It's just a warning.
We await news from @treed

[treed]

I've posted some information here:

 

[brcd]

5 hours ago, treed said:

I've posted some information here:

 

I just received the OS 10.15.4 upgrade and got the notice upon the restart. The notice said it would appear periodically as a reminder and to contact the developer. Any idea when the developers at MWB will do an update of MWB that takes care of any real or possible issue? Has any functionality of MWB been crippled?  

Thanks

[alvarnell]

There has been no change in functionality as a result of the 10.15.4 update, simply the expected display of the warning. You may see this warning repeated every 30 days.

Developers have been working on an update for several months now, but it has proven to be difficult to implement and external testing has not yet begun. It's Malwarebytes policy not to comment on when such an update might be available, but be assured they are striving to have it before that "future version of macOS" is available. The article posted today that you referenced contains everything that Malwarebytes plans to officially say on the matter for now. Best guess is that the update will be macOS 10.16, available to developers in June and the public in the Fall.

Edited March 25, 2020 by alvarnell

[brcd]

Thank you for the quick reply.  Brain is resting easy.  Thanks again