Hi there, I was working on some stuff and suddently I got a BlockBlock popup saying “shove” wants to install a Kernel extension in the /System/Library/Extensions/ directory. Its name is AppleKextExcludeList.kext which basically include a blacklist (.plist) for kexts with known issues.
The reason I write this article is because I’ve seen no traces of it in the App Store, got no warning, nothing. Without BlockBlock, I could not even knew that a Kernel extension has been automatically updated on my machine without even restarting.
So OK. Maybe it was a good thing to update the blacklist but these times with the FBI San Bernardino case, the FBI could easily ask to Apple to sign a silent update and ship it to some Macs… So I think it’s pretty dangerous to have a such thing in OS X, even iOS does not have that.
Q: Do you have automatic updates?
A: Yes, I have automatic updates and more precisely “Install system data files and security updates” checked (which is the defaults). The reason I worry about it is even the NTPd security update showed a trace in the App Store and a warning when it came out. And it was a binary. This time this is a kext and as I said there is traces of the update nowhere, not even in the Console.app.
I hope Apple will ask or at least warn the user before doing a such thing. Macs users, you probably have this updated extension too now.
Edit (9:45AM UTC): Thanks to @rtrouton. According to https://derflounder.wordpress.com/2016/02/28/apple-security-update-blocks-apple-ethernet-drivers-on-el-capitan/ (I will not talk about the Ethernet driver fail here) and https://derflounder.wordpress.com/2014/12/27/managing-automatic-installation-of-configdata-and-security-software-updates-on-yosemite/ it’s not a bug, it’s a feature. This is still disturbing because of what I said above so here is what you can do to prevent this from ever happening:
This way OS X will not install this kind of patches OTA, silently and automatically. If there is any security updates, OS X will warn you first to install it via the App Store. I still hope that Apple will push at least a notification when those kind of silent updates are made and this checkbox, checked.
Edit (9:50AM UTC): Opened an issue in osxlockdown repository, a tool that reduce attack surface of your Mac https://github.com/SummitRoute/osxlockdown/issues/34