Is OS X getting too overextended for its own security?

A few security rules seem to hold good no matter what, which is a welcome relief in a world which seems populated by exceptions. One is that you cannot achieve security by obscurity; another is that the more complex things become, the more vulnerable they are.

OS X, and presumably macOS Sierra, support a lot of odd little plugins and extensions which developers can create. These are neat, because they can extend and customise functionality in Safari and other apps and OS X features without forcing developers to patch the original app. But they are bad because there are now quite a lot of them, and their security mechanisms are becoming disparate, and vulnerable.

The current release version of Apple’s SDK, Xcode, offers three different types of application, four different types of framework/library, and many different system plug-ins and app extensions. The latter include:

  • Action Extension
  • Address Book Action Plug-in
  • Audio Unit Extension
  • Automator Action
  • Finder Sync Extension
  • Generic Kernel Extension
  • Image Unit Plug-in
  • Installer Plug-in
  • IOKit Driver
  • Photo Editing Extension
  • Preference Pane
  • Quartz Composer Plug-in
  • Quick Look Plug-in
  • Safari Extension Companion
  • Screen Saver
  • Share Extension
  • Shared Links Extension
  • Spotlight Importer
  • Today Extension

Security considerations for these different plug-ins and extensions vary widely. Because kernel extensions get very close to the kernel itself, Apple requires them to be signed using specifically authorised certificates for such extensions. Many of the extensions are controlled in the Extensions pane in System Preferences, something that you probably don’t visit too often.


In his fascinating article, Patrick Wardle explains in very clear terms how Finder Sync Extensions could be used to introduce persistent malware to a Mac. This is in spite of them ‘having’ to be signed and placed in a sandbox – the two major system protection mechanisms in El Capitan.

For the moment, no one seems to have exploited this vulnerability. Patrick has also updated his security tool KnockKnock to show all installed and activated extensions of this kind, so you can now check yours against the VirusTotal database. You may wish to install this latest version before someone exploits this vulnerability.


I’d be surprised if some other plug-ins and extensions don’t harbour other vulnerabilities, and hope that Sierra will bring them under common and more robust protection.