Jump to content
MAXBAR1

macOS 10.15.4 will deprecate kernel extensions (KEXT)

Recommended Posts

Google Translation:

Quote

 

From macOS 10.15.4 Apple will block extensions for the kernel (KEXT)
Of Mauro Notarianni Feb 8 2020


At last year's WWDC 2019 Worldwide Developers Conference, Apple announced plans to deprecate - advise against a previously documented and official feature - KEXTs (kernel extensions) and replace them with a new mechanism called "system extensions".

The first step in this direction began with the arrival of macOS 10.15 Catalina in September 2019, with the arrival of the system extensions, supported together with the kernel extensions.

Apple's plan now continues and with macOS 10.15.4 (currently in the hands of developers) the use of various third-party extensions in the kernel will trigger a notification to users to explain that the software uses deprecated APIs, inviting you to contact with the developer for updates or alternatives.

How KEXT and system extensions work

Kernel extensions and system extensions have the same purpose: to allow the user to install apps that extend the native functionality of the operating system. The apps install kext / system extensions to offer functionality or allow the execution of operations that the operating system does not offer natively.

From macOS 10.15.4 Apple will block extensions for the kernel (KEXT)

Among the software that installs kernel extensions are: firewalls, VPN clients, DNS proxies, USB drivers and others. The difference between system extensions and old kernel extensions is that they are run at the macOS kernel level, while new system extensions are run in the more isolated and controlled environment of the user space (isolated in its own space). memory).

"From Apple's perspective, this is an important step forward in improving macOS security," Jamf Principal Security Researcher Patrick Wardle told ZDNet. "Third-party kernel extensions are a succulent attack vector for attackers targeting macOS."

The researcher explained that if a cybercriminal somehow manages to install a dangerous KEXT, there is no defense mechanism that holds; much less dangerous to allow execution in user space: user space is a kind of sandboxing (technology that limits the types of operations that an application can perform), in which user agents can only access the memory that was theirs assigned and cannot ruin other programs and the kernel.

Among the negative aspects of the inability to install the KEXTs, Apple's greater control over the entire system, on a par with what the company already does with iOS.

Until now it was possible to develop extensions for the kernel allowing developers to extend the functionality made available by the operating system; this possibility was also exploited by various security software. Wardle however reports that Apple provides "great user-space frameworks" with all the useful features for security tool developers. We'll see if they are all roses and if certain software developers complain ...

 

I am certain that Malwarebytes v4 has already adapted to the change so there won't be any impact to users (as have the most/all developers who's applications I currently use with Catalina). Looks like v3 was adapted earlier, but I'm no longer using it.

Share this post


Link to post
Share on other sites

Thanks for your prompt reply but

I asked it because, at least on my system, with MWB 4 there is still a KEXT

See path:

/Library/Application Support/Malwarebytes/MBAM/Kext/MB_MBAM_Protection.kext

and installing MWB is a clean install and not an app update

Share this post


Link to post
Share on other sites

Yes, it’s still labeled as a .kext, but it’s actually built as a System Extension, running in user space (not the kernel) and does not use any of the former API’s that give no longer allowed accesses. There’s lots of information available in Apple’s developer area, but I suspect you won’t be able to access that.

The outlawed .kext used to always appear in /System/Library/Extensions which is now off-limits.

Edited by alvarnell

Share this post


Link to post
Share on other sites

Thanks for the clarifications. Back then, the 3.x version was already like that

Share this post


Link to post
Share on other sites
1 hour ago, MAXBAR1 said:

Back then, the 3.x version was already like that

Yes, that’s what I meant by “Looks like v3 was adapted earlier” but I’m not certain whether that was always true of v3 or if implemented after originally released.

Share this post


Link to post
Share on other sites

After reading this blog article tonight When you can’t run an app because its extension(s) won’t load, I'm not confident of my answers. 

Apparently System Extensions should end in .sext and in searching my Catalina drives, I don't have any yet from any developer.

I'm also seeing some traffic asking if anybody has received one of those warnings about deprecated KEXT API's and nobody indicates they have.

The article seems to hint that if you have a non-compliant KEXT installed before updating to Catalina 10.15.4, it might still work, but nobody really knows yet.

We should hear from the staff shortly on whether or not they feel their KEXT is compliant, and if not whether they believe it will be before 10.15.4 is released.

It's also possible that Apple will back off the deadline if too many developers are not able to comply when 10.15.4 is released this Spring.

Share this post


Link to post
Share on other sites

In my personal case, the only two software that have requested kernel extension privacy panel approval are the HP multifunction laser printer drivers and Malwarebytes.

From what I understand, the following app should use a system extension and not a kernel extension Firewall - Network Monitor created by Paragon Software GmbH available on the Mac AppStore for free

 

Share this post


Link to post
Share on other sites

Malwarebytes for Mac does NOT actually use a System Extension yet. Work on that is underway, and has been for some time, but it is not ready yet.

Also, to clarify some other things...

1) Apple has not, strictly speaking, changed anything regarding deprecation of kexts. Technically, the KAUTH and other APIs used by kexts have been deprecated for some time. Deprecation does not mean they no longer work, just that they are in danger of not working in the future. Because there were no other options, historically, most companies that have software that relied on KAUTH continued to use it anyway.

2) Nothing is changing regarding the availability of these APIs in macOS 10.15.4.

3) We know that things will change in macOS 10.16, but it's still not entirely certain how they will change. We'd really rather not find out, and are planning to have a System Extension before then.

4) As far as I can tell, the only change in 10.15.4 appears to be that the warning message that is displayed when the software tries to activate the kext has changed from this:

945017509_kextwarning10_15_1to3.png.cd38dbfe02cd3392092d37074711305e.png

to this:

1822571222_kextwarning10_15.4beta1.png.931a0fe80919ba4e983d4c8c93f4ba77.png

Share this post


Link to post
Share on other sites

Ok, thanks.

Then zero worries, because probably my Mac being a 13" mid 2012 (not Retina display) will not see macOS 10.16.

Anyway, I'll find out at WWDC in June

Share this post


Link to post
Share on other sites

It's true, it appears at the first post installation reboot, but I tried to restart and the second time it doesn't appear anymore. It's just a warning.
We await news from @treed

Share this post


Link to post
Share on other sites
5 hours ago, treed said:

I've posted some information here:

 

I just received the OS 10.15.4 upgrade and got the notice upon the restart. The notice said it would appear periodically as a reminder and to contact the developer. Any idea when the developers at MWB will do an update of MWB that takes care of any real or possible issue? Has any functionality of MWB been crippled?  

Thanks

Share this post


Link to post
Share on other sites

There has been no change in functionality as a result of the 10.15.4 update, simply the expected display of the warning. You may see this warning repeated every 30 days.

Developers have been working on an update for several months now, but it has proven to be difficult to implement and external testing has not yet begun. It's Malwarebytes policy not to comment on when such an update might be available, but be assured they are striving to have it before that "future version of macOS" is available. The article posted today that you referenced contains everything that Malwarebytes plans to officially say on the matter for now. Best guess is that the update will be macOS 10.16, available to developers in June and the public in the Fall.

Edited by alvarnell

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.