Apple added a new security feature in macOS High Sierra 10.13, named “Secure Kernel Extension Loading” (SKEL). The new feature can be bypassed to allow the loading of malicious kernel extensions.
Like Linux and Windows, macOS allows applications to load third-party kernel extensions whenever they need to perform actions that require access to lower levels of the operating system.
Developers who want to load kernel extensions (KEXT files) must sign them with a special kernel code-signing certificate, which Apple is very careful about issuing.
Apple's soon-to-be-released macOS High Sierra introduces the SKEL feature to improve the security of the KEXT loading process. SKEL works by showing a pop-up like the one pictured below whenever an app tries to load a kernel extension.
The pop-up does not trigger for a few applications known to come from trusted developers. macOS users might well be pleased with Apple’s effort to improve the security of its operating system by deploying SKEL.
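SKEL decides at load time whether to prompt; after the fact, a defender still wants to know which non-Apple kernel extensions are actually resident. The following audit helper is an added example, not code from the article or from Wardle's write-up: it takes `kextstat` output on stdin and prints the bundle identifiers of loaded extensions that are not Apple's own. The sample `kextstat` lines, the bundle identifier `com.example.vpnfilter` and the UUIDs are constructed for illustration.

```shell
# Added example (not from the article): list loaded kernel extensions that
# are not supplied by Apple. On a real Mac, run:  kextstat | third_party_kexts
third_party_kexts() {
    # kextstat prints a header row, then one row per loaded kext; the sixth
    # column is the bundle identifier. Skip the header and every com.apple.*
    # entry so only third-party extensions remain for review.
    awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

# Constructed sample mimicking kextstat's column layout (not real output).
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   95 0xffffff7f80a48000 0x8c40     0x8c40     com.apple.kpi.bsd (17.0.0) 11111111-1111-1111-1111-111111111111 <>
  140    0 0xffffff7f82b0a000 0x1c000    0x1c000    com.example.vpnfilter (1.0) 22222222-2222-2222-2222-222222222222 <5 4 3 1>
  141    0 0xffffff7f82b2a000 0x3000     0x3000     com.apple.filesystems.autofs (3.0) 33333333-3333-3333-3333-333333333333 <7 6 5 4 3 1>'

# Runs the filter over the constructed sample so the script works stand-alone.
audit_sample() {
    printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
}

audit_sample
```

Each identifier the helper prints is a candidate to verify further: locate the bundle on disk and inspect its signing identity with `codesign -dvv`, and compare the result against the developers the organisation actually expects to load kernel code.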
Patrick Wardle, a well-known Apple security researcher and Chief Security Researcher at Synack, claims that, due to flaws in its implementation, hackers will likely remain unaffected by SKEL’s intended protection measures.
To prove his point, Wardle explains on the Synack website how an attacker could bypass SKEL protection in macOS High Sierra.
“Unfortunately, when such ‘security’ features are introduced, even if done with the noblest of intentions, they often just complicate the lives of 3rd-party developers and users without affecting the bad guys,” Wardle says. “High Sierra’s SKEL’s flawed implementation is a perfect example of this.”
More information: [Apple]