
High Sierra’s ‘Secure Kernel Extension Loading’ Is Broken - teilo
https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
======
pilif
_> Of course if Apple’s ultimate goal is simply to continue to wrestle control
of the system away from it users, under the guise of ‘security’, I’m not sure
any of this even matters_

I disagree with this conclusion. All of these features can be turned off by
booting into the recovery system, which is available on all Macs.

So people who want or need to constantly run unsigned code and load unsigned
kernel extensions certainly can.

But people who can live with the system-protected binaries in the state Apple
shipped them (which is probably the majority of users) can relax, knowing
that (minus issues like the one reported here) malware will have a much
harder time running, much less hiding itself.

As long as I can right-click and "open" any binary, and as long as I know that
I can load unsigned kexts if I really need to, I really don't see a huge issue
with this.

~~~
varenc
That the user can turn off these features by booting into safe mode is beside
the point... users can't be expected to do that when installing an app.

Imagine the drop-off rate in your funnel if one of your steps was "boot into
safe mode and run these special commands to turn off SIP". Apps that need
kernel extensions are rare, but the ones that do aren't just niche developer
apps. The office worker running VMware Fusion to run an old Windows program or
any Dropbox user with the Smart Sync feature are all semi-technical audiences
that need kernel extensions for their programs to work.

IMHO, the end game for this is that Apple will continue to lock down what apps
can do until they have the same level of control on Mac that they do on iOS.

~~~
hyperpape
The much more plausible hypothesis is that Apple doesn't care about the Mac
app store because they realize it's failed.

The users that can't be expected to boot into recovery mode are the users who
shouldn't be loading kernel extensions. Making the system relatively safe by
default, with obnoxious ways of subverting those protections for people who
(unlike me) want the option of a foot-gun seems like a good balancing act.

~~~
Razengan
I prefer to get all my software, and games, from the Mac App Store if
possible. Every time I use a new Mac I'm always glad for the immense
convenience; just go into my Purchased items list and click Install on each of
the apps I want there, knowing they'll be fully updated and relatively secure
compared to downloading from the app's website (see the Transmission
ransomware fiasco).

I just wish Apple brought it into feature-parity with the iOS App Store.

------
jsjohnst
So glad I read to the end of an overly wordy post just to find:

> can’t release technical details at this time

Then what was the point of the very long post? To grandstand?

~~~
yAak
I assume he'll publish the details after Apple has fixed it.

~~~
jsjohnst
If I understand the situation right, we are no less secure than before High
Sierra, just not “more secure” as Apple intended. As such, the obscurity
doesn’t buy anything imho.

------
yifanlu
The post was from 16 days ago right? Did Apple fix it?

------
teilo
Possibly related to this?:
[https://news.ycombinator.com/item?id=15329527#15330589](https://news.ycombinator.com/item?id=15329527#15330589)

