What has changed in macOS Sonoma 14.4?

Sonoma version 14.4 is the most substantial update of this cycle so far, and includes extensive new bundles and changes throughout the System/Library folder, which has grown in size by around 150 items since 14.3.1.

Its security release notes are available from here, and list around 64 entries, of which three are in the kernel. One of those has apparently already been exploited, and another in RTKit is also believed to have been exploited maliciously.

Apple’s list of general changes is brief and bland. Inevitably it leads with some more emoji, and includes the introduction of searchable Podcasts Episode text, and an added option to Safari Favourites Bar to show only icons for websites. Apart from the security content, it would be easy to dismiss this update as of little significance.

Sonoma’s KEXT block version number rises from 19.0.0 to 19.4.0, implying that it now blocks more kernel extensions.

There are firmware updates for most if not all models. T2 firmware is updated to 2022.100.22.0.0 (iBridge: 21.16.4222.0.0,0), and iBoot is also updated for Apple silicon Macs to 10151.101.3.

However, there are several increments in version numbers among the bundled apps, including:

  • Books, version 6.3
  • Freeform, version 2.4
  • Music, version 1.4.4
  • News, version 9.3.1
  • Safari, version 17.4 (19618.1.15.11.12)
  • Screen Sharing, version 4.3
  • Stocks, version 6.2.2
  • TV, version 1.4.4
  • Weather, version 4.2.2.

Looking in System/Library, though, there’s a great deal more worthy of note, including:

  • Archive Utility, build increment
  • ManagedClient.app, version 16.4
  • RemoteManagement: ARDAgent and AppleVNCServer have bundle changes, and there is a new Remote Desktop Message app
  • AGX series kernel extensions and several audio-related kexts have version changes, and SoftRAID is updated to version 8.0
  • APFS is updated to version 2236.101.1
  • There are updates to many Frameworks, including most of the Core… series, and FileProvider to a new version
  • There are new LightweightCodeRequirements and Translation frameworks.

Throughout System/Library, there are extensive changes to iCloud (both CloudKit and iCloud Drive) components, and many to sound and audio too.

Most surprising is the number of new Private Frameworks, including:

  • ASRBridge
  • BusinessFoundation
  • BusinessServices
  • CascadeEngine
  • CascadeSets
  • Dendrite
  • DendriteIngest
  • EDPSecurity
  • EnhancedLoggingState
  • NearFieldPrivateServices
  • several Poirot… frameworks
  • Recount
  • SemanticPerception
  • SonicKit
  • SonicFoundation
  • VDAF
  • libmalloc_exclaves_introspector.

There are also many new kernel extensions, including:

  • DMAChannelProxy
  • EXBrightKext
  • EXDisplayPipe
  • ExclaveSEPManagerProxy
  • ExclavesAudioKext
  • IISAudioIsolatedStreamECProxy
  • Several IOPAudio… kexts
  • SCDPProxy
  • SCodecKext
  • SecureRTBuddyProxy.

Several of these use the word exclave, a geographical term used to describe a piece of a country’s territory that is isolated from the main part. Thanks to @jimmyjamesuk123 for pointing me to an article from DataFlow Forensics explaining it in the context of the iOS 17 kernel. Exclaves are domains isolated from the kernel itself, so that should the kernel become compromised in any way, components in exclaves should remain protected.

I welcome suggestions as to what all these new components do, and wonder whether Poirot, a reference to Agatha Christie’s fictional detective, might be related to search, and hark back to Watson perhaps.