Automatic updates of Kernel Extensions in OS X?!

Sabri H.
Feb 28, 2016


Hi there, I was working on some stuff and suddenly I got a BlockBlock popup saying “shove” wants to install a kernel extension in the /System/Library/Extensions/ directory. Its name is AppleKextExcludeList.kext, which basically includes a blacklist (.plist) of kexts with known issues.

The reason I am writing this article is that I’ve seen no traces of it in the App Store, got no warning, nothing. Without BlockBlock, I would not even have known that a kernel extension had been automatically updated on my machine without even restarting.

No traces on the App Store, last update: Feb 25
But.. This kext file has been modified yesterday
The BlockBlock popup happened exactly at this time. Gzip compression may explain the size difference.

So OK. Maybe it was a good thing to update the blacklist, but these days, with the FBI San Bernardino case, the FBI could easily ask Apple to sign a silent update and ship it to some Macs… So I think it’s pretty dangerous to have such a thing in OS X; even iOS does not have that.

Q: Do you have automatic updates?

A: Yes, I have automatic updates and, more precisely, “Install system data files and security updates” checked (which is the default). The reason I worry about it is that even the NTPd security update showed a trace in the App Store and a warning when it came out. And it was a binary. This time it is a kext and, as I said, there are no traces of the update anywhere, not even in Console.app.

I hope Apple will ask or at least warn the user before doing such a thing. Mac users, you probably have this updated extension too now.

S.

Edit (9:45AM UTC): Thanks to @rtrouton. According to https://derflounder.wordpress.com/2016/02/28/apple-security-update-blocks-apple-ethernet-drivers-on-el-capitan/ (I will not talk about the Ethernet driver fail here) and https://derflounder.wordpress.com/2014/12/27/managing-automatic-installation-of-configdata-and-security-software-updates-on-yosemite/ it’s not a bug, it’s a feature. This is still disturbing because of what I said above so here is what you can do to prevent this from ever happening:

Go to Settings > App Store > Uncheck “Install system data files and security updates”

This way OS X will not install these kinds of patches OTA, silently and automatically. If there are any security updates, OS X will warn you first so you can install them via the App Store. I still hope that Apple will at least push a notification when these kinds of silent updates are made while this checkbox is checked.
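To confirm what that checkbox actually stored, here is an added example (not from the original post or from Apple) that audits the software update preferences. It assumes the checkbox is backed by the `ConfigDataInstall` and `CriticalUpdateInstall` keys in `/Library/Preferences/com.apple.SoftwareUpdate.plist`, and that a missing key means the OS default (on); the sample plists are constructed.

```python
import plistlib

# Assumption: these keys back the "Install system data files and
# security updates" checkbox.
PREFS_PATH = "/Library/Preferences/com.apple.SoftwareUpdate.plist"
SILENT_KEYS = {
    "ConfigDataInstall": "system data files (e.g. the kext exclude list)",
    "CriticalUpdateInstall": "security updates",
}

def audit_prefs(raw):
    """Map each silent-install key to 'enabled', 'disabled' or 'unset'."""
    prefs = plistlib.loads(raw)  # accepts XML and binary plists
    result = {}
    for key in SILENT_KEYS:
        if key not in prefs:
            # Assumption: an absent key falls back to the OS default (on).
            result[key] = "unset"
        else:
            result[key] = "enabled" if prefs[key] else "disabled"
    return result

def silent_install_possible(raw):
    """True unless every silent-install key is explicitly switched off."""
    return any(state != "disabled" for state in audit_prefs(raw).values())

# Constructed samples: a machine left on defaults and one with the box unchecked.
DEFAULT_PREFS = plistlib.dumps({"AutomaticCheckEnabled": True})
HARDENED_PREFS = plistlib.dumps({
    "AutomaticCheckEnabled": True,
    "ConfigDataInstall": False,
    "CriticalUpdateInstall": False,
})

if __name__ == "__main__":
    try:
        with open(PREFS_PATH, "rb") as fh:
            raw = fh.read()
    except OSError:
        raw = DEFAULT_PREFS  # not on a Mac: fall back to the constructed sample
    for key, state in audit_prefs(raw).items():
        print(f"{key:22} {state:9} {SILENT_KEYS[key]}")
    print("silent installs possible:", silent_install_possible(raw))
```
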

Edit (9:50AM UTC): Opened an issue in the osxlockdown repository, a tool that reduces the attack surface of your Mac: https://github.com/SummitRoute/osxlockdown/issues/34
