Apple Begins Warning Users That 'Legacy System Extensions' Won't Work With a Future Version of macOS

MacRumors

macrumors bot
Original poster
Apr 12, 2001
47,604
9,395


Apple has shared a new support document that indicates kernel extensions -- which it calls "legacy system extensions" -- will not be compatible with a future version of macOS because they "aren't as secure or reliable as modern alternatives."
System extensions are a category of software that works in the background to extend the functionality of your Mac. Some apps install kernel extensions, which are a kind of system extension that works using older methods that aren't as secure or reliable as modern alternatives. Your Mac identifies these as legacy system extensions.
Starting in macOS 10.15.4, released this week, a warning will now appear when a kernel extension first loads, and again periodically while the extension remains in use. Users began noticing the warning during beta testing.


Apple says it began informing developers that macOS Catalina will be the last macOS to fully support kernel extensions in 2019, adding that it has been working with developers to transition their software. A final transition date has not yet been set, but some developers are assuming that kernel extensions will be deprecated in macOS 10.16.

Apps with kernel extensions will continue to work in macOS Catalina.

"By moving beyond these extensions, developers are helping to further modernize the Mac, improve its security and reliability, and enable more user-friendly software distribution methods," the support document reads.

One affected app is Malwarebytes, which said that "a significant percentage of our total support case volume" was related to the new kernel extension warning less than 24 hours after the public release of macOS 10.15.4.


Malwarebytes director Thomas Reed said Apple has a new EndpointSecurity framework as a replacement for kernel extensions:
We are aware of this, and have been working on replacing our kernel extension since late last year. We plan to replace it with Apple's new EndpointSecurity framework before the release of macOS 10.16, when it is assumed that kernel extensions will no longer work, in part or in full. (We only know that Apple has said they "will not work without compromise" in "a future version of macOS." But we'd rather not find out the hard way exactly what that means.)

The kernel extension will continue to be supported for macOS 10.14 (Mojave) and earlier, but macOS 10.15 (and later) will no longer need it, once we have an update available.

So, no need to panic. We've still got your back, and won't let your protection falter. All you've got to do is make sure you're keeping Malwarebytes for Mac up-to-date. If you have updated to at least version 4.2, and have not disabled the new auto-update feature, it'll update itself in the background without you needing to do anything. To ensure you're up-to-date, just open Malwarebytes and choose Check for Updates from the Malwarebytes menu.
Technical details for developers are available in an Apple document titled "Deprecated Kernel Extensions and System Extension Alternatives."

Article Link: Apple Begins Warning Users That 'Legacy System Extensions' Won't Work With a Future Version of macOS
 
  • Like
Reactions: DeepIn2U

mlody

macrumors 65816
Nov 11, 2012
1,040
650
Windy City
Got the same pop up for Cisco AnyConnect VPN, but i know i am not running the latest version. Wonder if Cisco addressed this already?
 
  • Like
Reactions: DeepIn2U

Mascots

macrumors 68000
Sep 5, 2009
1,603
1,294
So what's the easiest way to view what Kernel Extensions are in use?

I have a feeling that a bunch of my older software will stop working.
If you open System Report, Extensions under the Software group will give you an overview of the extension and their status. They may appear in Legacy Software as well but unsure since I don't have any custom on this machine.
 

bbzzz

macrumors member
Mar 7, 2008
30
18
It's specifically about stability and also security.
The new system extensions will not have sufficiently low level access to the system to cause kernel panics. That's a big improvement regardless of the motivation.
That's an excuse, if one is a problem it can be removed. It's just locking down so it become more like IOS and only approved apps from the app store (with Apple taking a cut) can be run. That may be a reasonable goal for Apple but it's spoiling the utility of having a proper UNIX like OS which many bought into it for.

Easy answer is to stick to old OS versions but Apple have that covered with updated apps lacking backwards compatibility so you get forced to update eventually.

This may suit Apple and many users so I doubt they'll change their plan for a few users like me.
 

venom600

macrumors 6502a
Mar 23, 2003
901
570
Los Angeles, CA
"Sandboxing software is nothing to do with security"

You heard it here first folks. 🙄
So it is just a coincidence that the method of improving security they chose and continue to implement just happens to also reduce user control and limit how the machine can be used, right? I bet you think they removed the headphone jack out of courage too.
 

ApfelKuchen

macrumors 68040
Aug 28, 2012
3,418
2,073
Between the coasts
This is going to spawn loads of threads over the next year or two! Considering kexts are part of plenty of modern apps it'll likely be much bigger than Apple deprecating 32-bit apps. We'll have "forced to pay for upgrades," "I won't upgrade to 10.16 (or 10.17)," and "Can I install Catalina on a 2022 MBP?" posts for years to come.

But I definitely get it. Far fewer "Your Mac shut down due to a problem..." incidents. Far more security for the OS kernel (goes hand-in-hand with Catalina's read-only volume for the system). One less major chink in the armor.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
29,996
9,650
California
So what's the easiest way to view what Kernel Extensions are in use?

I have a feeling that a bunch of my older software will stop working.
If you open System Report, Extensions under the Software group will give you an overview of the extension and their status. They may appear in Legacy Software as well but unsure since I don't have any custom on this machine.
Screen Shot 2020-03-25 at 10.47.47 AM.png


Just to tag on to what @Mascots posted there... if you look at that extensions section you can click the loaded column to sort by running extensions and that will show you any extensions that are being used. Then you can scroll down and see if you have any third party extensions running. You can see in my screenshot those listed are from Apple.
 

123

macrumors 6502
Mar 3, 2002
367
152
It's nothing to do with security. It's about total control of the hardware & software experience, like on iOS.
They can only win this battle by making it too difficult to adapt the software to non-Apple hardware. Just blocking certain types of kexts can itself be patched.

Luckily, they are still using more or less standard hardware components. And also, much better and/or cheaper hardware is available, unlike for iOS. So, instead of only having the option to try to get out of Apple's software jail, we can actually "fix" the whole thing before installation.
 

mdriftmeyer

macrumors 68040
Feb 2, 2004
3,140
811
Pacific Northwest
That's an excuse, if one is a problem it can be removed. It's just locking down so it become more like IOS and only approved apps from the app store (with Apple taking a cut) can be run. That may be a reasonable goal for Apple but it's spoiling the utility of having a proper UNIX like OS which many bought into it for.

Easy answer is to stick to old OS versions but Apple have that covered with updated apps lacking backwards compatibility so you get forced to update eventually.

This may suit Apple and many users so I doubt they'll change their plan for a few users like me.
Back before the XNU kernel and we had the strict Mach Microkernel you wouldn't have access beyond the message dispatch system. The XNU kernel opened this up for performance gains, at the cost of security.

We're now moving back to the past where it should have remained. The userspace is now where the DriverKit resides, along with the NetworkingKit, AppKit, etc.

There is absolutely zero reason to have your application in a lower level ring of the kernel.
 

cmaier

macrumors P6
Jul 25, 2007
16,094
12,378
California
So it is just a coincidence that the method of improving security they chose and continue to implement just happens to also reduce user control and limit how the machine can be used, right? I bet you think they removed the headphone jack out of courage too.
It's not a coincidence, it's computer science. The more control you let a third-party app have over things outside it's own user space, the more likely it is to cause system instability and to present a security risk.
 

BeatCrazy

macrumors 68000
Jul 20, 2011
1,881
776
View attachment 901271

Just to tag on to what @Mascots posted there... if you look at that extensions section you can click the loaded column to sort by running extensions and that will show you any extensions that are being used. Then you can scroll down and see if you have any third party extensions running. You can see in my screenshot those listed are from Apple.
Right, but you need to scroll down on each extension and look for:

Dependancies: Deprecated

Screen Shot 2020-03-25 at 12.57.56 PM.png


What's crazy is how many Apple extensions have this issue. For example the OEM Apple USB-A to 100M Ethernet adapter!
 

azpc

macrumors regular
Feb 24, 2011
233
73
Norton Security for Mac has the same issue. Unfortunately, the issue is more pressing for Norton customers. I have several associates at work who have been afflicted with sudden reboots. Apple analyzed the logs and came to the following conclusion:

"It appears that a Symantec kext is causing kernel memory corruption.

So for Norton customers the need for a fix is more urgent.
 

MikhailT

macrumors 601
Nov 12, 2007
4,390
965
That's an excuse, if one is a problem it can be removed. It's just locking down so it become more like IOS and only approved apps from the app store (with Apple taking a cut) can be run. That may be a reasonable goal for Apple but it's spoiling the utility of having a proper UNIX like OS which many bought into it for.

Easy answer is to stick to old OS versions but Apple have that covered with updated apps lacking backwards compatibility so you get forced to update eventually.

This may suit Apple and many users so I doubt they'll change their plan for a few users like me.
Pretty much the majority of the OS platforms is going to be removing direct access to the kernel space, they're all moving drivers and system-level stuff to the user-mode. Linux, Windows, etc, will go there as well.

These are major security and stability improvements that can be gained.

Memory protection/isolation is next on that list but it requires hardware level changes but it is coming. Apple is adding support via ARM ISA for their iOS devices. I don't know about Intel yet but what this will also restrict is the ability for one app to inject into another app, that means stuff like cheat engine on Windows that permits trainers for games will not be possible in the future. Or audio hijacking or anything that requires modifying apps like OS theming that's not provided by the OS will not be permitted.

Control can be provided back with APIs, which Apple is doing already with a few APIs like EndPointSecurity framework. It'll take time to write back all of the APIs in a secure manner.

The old wild west of where the user can do everything is no more by default. You'd probably be forced to customize your own kernel in the future to remove these restrictions.
 
Last edited:

Weaselboy

Moderator
Staff member
Jan 23, 2005
29,996
9,650
California
Right, but you need to scroll down on each extension and look for:

Dependancies: Deprecated
View attachment 901276

What's crazy is how many Apple extensions have this issue. For example the OEM Apple USB-A to 100M Ethernet adapter!
Gotcha... there are a bunch like that. I was just trying to show how to see if you are actually using (running) any.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.