MacOS High Sierra protections can be bypassed, but will make security researchers and companies work more difficult
Hackers can bypass a new security feature in MacOS High Sierra to load malicious kernel extensions.
According to security researchers at Synack, the forthcoming update to MacOS features something called Secure Kernel Extension Loading” (SKEL). Patrick Wardle, chief security researcher at Synack, said that while the feature was “wrapped in good intentions”, in its current implementation, SKEL “merely hampers the efforts of the ‘good guys’” (ie 3rd-party MacOS developers such as those that design security products).
“Due to flaws in its implementation, the bad guys (hackers/malware) will likely remain unaffected,” he said in a blog post.
According to Apple’s Technical Note TN2459, Secure Kernel Extension Loading, is “a new feature that requires user approval before loading new third-party kernel extensions.”
Wardle said that while we might initially assume that that the main attack vector SKEL attempts to thwart is the (direct) loading of malicious kernel extensions (ie rootkits), he believed this is not the case.
“First, observe that (AFAIK), we have yet to see any signed kernel-mode MacOS malware! Since OS X Yosemite, any kexts have to be signed with a kernel code-signing certificate,” he said.
Interesting article can be found here: