Automatic updates of Kernel Extensions in OS X?!

Sabri H.
Sabri H.
Feb 28, 2016 · 3 min read

Hi there, I was working on some stuff and suddently I got a BlockBlock popup saying “shove” wants to install a Kernel extension in the /System/Library/Extensions/ directory. Its name is AppleKextExcludeList.kext which basically include a blacklist (.plist) for kexts with known issues.

The reason I write this article is because I’ve seen no traces of it in the App Store, got no warning, nothing. Without BlockBlock, I could not even knew that a Kernel extension has been automatically updated on my machine without even restarting.

No traces on the App Store, last update: Feb 25
But.. This kext file has been modified yesterday
The BlockBlock popup happened exactly at this time. Gzip compression may explain the size difference.

So OK. Maybe it was a good thing to update the blacklist but these times with the FBI San Bernardino case, the FBI could easily ask to Apple to sign a silent update and ship it to some Macs… So I think it’s pretty dangerous to have a such thing in OS X, even iOS does not have that.

Q: Do you have automatic updates?

A: Yes, I have automatic updates and more precisely “Install system data files and security updates” checked (which is the defaults). The reason I worry about it is even the NTPd security update showed a trace in the App Store and a warning when it came out. And it was a binary. This time this is a kext and as I said there is traces of the update nowhere, not even in the

I hope Apple will ask or at least warn the user before doing a such thing. Macs users, you probably have this updated extension too now.


Edit (9:45AM UTC): Thanks to @rtrouton. According to (I will not talk about the Ethernet driver fail here) and it’s not a bug, it’s a feature. This is still disturbing because of what I said above so here is what you can do to prevent this from ever happening:

Go in Settings > App Store > Uncheck “Install system data files and security updates”

This way OS X will not install this kind of patches OTA, silently and automatically. If there is any security updates, OS X will warn you first to install it via the App Store. I still hope that Apple will push at least a notification when those kind of silent updates are made and this checkbox, checked.

Edit (9:50AM UTC): Opened an issue in osxlockdown repository, a tool that reduce attack surface of your Mac

Sabri H.

Written by

Sabri H.

Twitter: @pwnsdx

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade