Why I no longer run Rogue Amoeba audio apps

I am still waiting for Rogue Amoeba to update Pulsar…

So you are saying Apple is not consistent? :smiley:

Two words: share sheets. :smiley:

By whom? You’re not going to install some other kernel driver by accident. If there’s some possibility that someone else is going to install a kernel driver on your computer, then you’ve got much bigger problems.

For a couple of decades Rogue Amoeba has provided applications that reroute audio that apparently many people find useful. Apple has changed the system such that installing software that does this is much more complicated. If you need to reroute audio, then you’ll put up with this. Apple has left no other path to providing this functionality. Rogue Amoeba has no competition in this area – if you want to reroute audio, you’re a Rogue Amoeba customer.

It sounds like you don’t really need to reroute audio. In that case, yes, you definitely shouldn’t buy or install this software. But there are users, myself included, who find this ability useful and are glad that Rogue Amoeba is putting in the work to continue to make this feature available, in spite of the significant roadblocks Apple is putting in their path.

These are giving you permission to access features that are already built into the operating system (yes, screen recording is now built into the system – it didn’t use to be). Rerouting audio is not built into the operating system. Instead, Rogue Amoeba is essentially adding this feature to the operating system. It would be very nice if Apple made rerouting audio a feature built into the system (probably with an associated permission), but it doesn’t seem like they have any interest in that. Fortunately, they haven’t locked down the system in a way that Rogue Amoeba is prevented from adding this feature – though they almost have. I’m guessing that Rogue Amoeba holds their breath each year to see if this is still possible – and so do their users. Note that adding this feature IS impossible in iOS. So there is no way to make a product like this for an iPad.

1 Like

Did you read any of the examples from the Security Now show notes? Granted this is a more serious problem on Windows. I’m not a knowledgeable security guy, but with only a moment of searching I found a description of such a kernel issue on the Mac. Now maybe you know this is impossible, but I don’t. And it is my decision to accept or avoid a threat on my machine.

A kernel privilege escalation vulnerability exists in the current macOS Big Sur 11. An attacker can execute arbitrary code with Kernel privileges within the ‘AppleAVD’ kernel extension that enables audio and video decoding. This vulnerability has been categorized as zero-day, indicating that it was an unknown flaw. Cybersecurity Threat Advisory: Apple macOS Critical Privilege Escalation Vulnerability

1 Like

This vulnerability has nothing to do with third party kernel extensions, rather this is a “first party” kernel extension. AppleAVD is a kernel extension that is written by Apple and included in every copy of the operating system. The AppleAVD extension is enabled no matter what security setting you are running. You cannot avoid this vulnerability by using a high security setting, and enabling Rogue Amoeba software does not increase your risk of a problem from this security flaw. A programmer at Apple made a mistake, and you are vulnerable until you install the fixed version of the operating system.

Additional kernel extensions are not just going to fly onto your machine. They can’t be installed by simply visiting a web site, or in any other accidental way. A kernel extension is only going to be installed deliberately by you. The standard security setting you mention adds an extra step to this process – that is the point of this setting, to make sure that you are deliberate and informed when you install a kext. You’ve always had to deliberately install a kext; now with recent versions of macOS there is one extra step.

Of course that is absolutely true. But I think your original post implies that it used to be safe to run Rogue Amoeba audio apps but now it isn’t. I don’t think that is the case, and I don’t see anything in the Security Now! show notes that indicates that this is riskier than it used to be.

By the way, I’m not sure that there even are any third party kexts available to install. I just did some searching on Google and couldn’t find any. Note that the Rogue Amoeba software is NOT a kernel extension. I actually verified that by using the terminal to list all of the kexts on my computer. There are 248, and every single one is from Apple (the previously mentioned AppleAVD was number 137). If you want to list the kexts installed on your system, just open the terminal and run this command:

kextstat -l

FWIW - I see a few non-apple kexts on my system. These relate to:

SoftRaid (Software Raid from Other World Computing)

Nuords (Remote access software)

Olympus (Driver software for dictation equipment)

Highpoint-Tech (Thunderbolt RAID equipment)

213 0 0xffffff7f97224000 0x2f000 0x2f000 com.softraid.driver.SoftRAID (6.3.1) BD0AAC77-5824-33A4-BDE2-A9295B0159E8 <35 7 6 3>
214 2 0xffffff8002ebf000 0xbffd 0xbffd com.apple.iokit.IOSCSIParallelFamily (3.0.0) 5CDE06F7-5509-36C1-B489-11EC2EF2FF4F <34 7 6 3 1>
215 0 0xffffff7f97195000 0x7e000 0x7e000 com.highpoint-tech.kext.HighPointRR (4.22.1) 6DF47B93-DB65-36BD-9392-0101CFDDDDFF <214 17 7 6 3>
216 0 0xffffff7f97220000 0x1ff5 0x1ff5 com.olympus.DSSBlockCommandsDevice (3.2.0) A81D474A-B16D-3F34-94F5-0A861481B6BA <36 34 7 6 3 1>
217 0 0xffffff7f97264000 0x6ff5 0x6ff5 com.nuords.nrdfs (5.0) 77F1EF7C-166D-3C2F-9BC0-1CA0C796DF7C <7 6 3 1>
218 0 0xffffff7f97186000 0xb000 0xb000 com.highpoint-tech.kext.HighPointIOP (4.4.5) 571AEA63-3845-3A83-B37F-5FD117C0FFDE <214 17 7 6 3>
219 0 0xffffff7f9661e000 0xdff3 0xdff3 com.apple.filesystems.msdosfs (1.10) A00EBEA9-F87B-3E8C-AE39-54ED788D4C8D <9 8 7 6 3 1>

1 Like
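An added example, not code from either of the posts above: the two posts list kexts by hand and count the non-Apple ones by eye. Every extension Apple ships carries a bundle identifier under com.apple., so a one-line awk filter over the kextstat output separates the third-party kexts from the rest. The sample input below is constructed from the kextstat lines posted in this thread (plus the standard header line) so the script runs where kextstat does not exist; on a Mac, pipe the real command into the same function.

```sh
#!/bin/sh
# Added example: show only the third-party (non-Apple) kexts in kextstat output.
# SAMPLE_KEXTSTAT is constructed from the output posted earlier in this thread,
# with the usual kextstat header line added, so this runs offline on any system.

SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  213    0 0xffffff7f97224000 0x2f000    0x2f000    com.softraid.driver.SoftRAID (6.3.1) BD0AAC77-5824-33A4-BDE2-A9295B0159E8 <35 7 6 3>
  214    2 0xffffff8002ebf000 0xbffd     0xbffd     com.apple.iokit.IOSCSIParallelFamily (3.0.0) 5CDE06F7-5509-36C1-B489-11EC2EF2FF4F <34 7 6 3 1>
  215    0 0xffffff7f97195000 0x7e000    0x7e000    com.highpoint-tech.kext.HighPointRR (4.22.1) 6DF47B93-DB65-36BD-9392-0101CFDDDDFF <214 17 7 6 3>
  216    0 0xffffff7f97220000 0x1ff5     0x1ff5     com.olympus.DSSBlockCommandsDevice (3.2.0) A81D474A-B16D-3F34-94F5-0A861481B6BA <36 34 7 6 3 1>
  217    0 0xffffff7f97264000 0x6ff5     0x6ff5     com.nuords.nrdfs (5.0) 77F1EF7C-166D-3C2F-9BC0-1CA0C796DF7C <7 6 3 1>
  218    0 0xffffff7f97186000 0xb000     0xb000     com.highpoint-tech.kext.HighPointIOP (4.4.5) 571AEA63-3845-3A83-B37F-5FD117C0FFDE <214 17 7 6 3>
  219    0 0xffffff7f9661e000 0xdff3     0xdff3     com.apple.filesystems.msdosfs (1.10) A00EBEA9-F87B-3E8C-AE39-54ED788D4C8D <9 8 7 6 3 1>'

# Reads kextstat (or kmutil showloaded) output on stdin and prints
# "bundle-id (version)" for every loaded kext whose bundle identifier
# is not under com.apple. Field 6 is the bundle identifier; the header
# line has no dot in that field, so it is dropped by the first test.
third_party_kexts() {
    awk '$6 ~ /\./ && $6 !~ /^com\.apple\./ { print $6, $7 }'
}

# Number of third-party kexts in the constructed sample (used by the check below).
count_sample_third_party() {
    printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
# On a real Mac replace the printf with:  kextstat -l | third_party_kexts
printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
```

Run against the sample this prints the SoftRAID, two HighPoint, Olympus and Nuords entries and nothing from Apple. On Big Sur and later, kextstat is a thin wrapper that executes `kmutil showloaded`, so the same filter works on either command’s output. An empty result is what the earlier post reported (248 kexts, all Apple); any line that does appear is a kext that some installer deliberately put on the machine.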

Thanks! I’m not currently using any of these, though I’ve used SoftRaid in the past.

The installation instructions for SoftRAID also show that you must set the macOS security policy to “Allow user management of kernel extensions from identified developers”, just like the Rogue Amoeba apps.

Noticed that only extensions from identified developers are allowed. This means the software must be notarized by Apple. Which doesn’t guarantee that there are no problems (as I mentioned in my last post, even Apple engineers can make mistakes), but helps to mitigate the risk.

Since Apple hasn’t managed to include every possible feature in macOS, there are still valuable functions that can only be performed with a kernel extension. Personally, I am glad that Apple continues to allow this flexibility, and that macOS isn’t completely locked down like iOS and iPadOS are.

Except intercepting audio is part & parcel of screen recording, isn’t it? I would guess there’s something about that functionality that Rogue Amoeba can’t quite use as-is, but it doesn’t feel like it should be that far of a leap. Especially since Rogue Amoeba isn’t installing a kernel extension - they’re installing something else that has to go through the kernel extension process.

That’s a fair comment, but doesn’t that just reinforce the problem? An Apple kext was exploited in such a way that, by my reading, additional kernel-level software could absolutely be installed without prompting the user.

I agree with you that as long as it’s otherwise secure, there doesn’t seem to be an “extra” risk in installing Rogue Amoeba software on the current OS vs. previous OSes. It’s just given users visibility into what was seemingly already happening.

That said, I also respect users saying “oh, wait…that’s what it’s doing? Um…nevermind”, because it’s definitely giving RA’s software some pretty serious access to the system.

1 Like

Does the installation of RA’s apps require a Mac to remain running with “reduced security” or is that something that is required only during installation?

I believe it has to continue running with reduced security.

1 Like

Karabiner Elements used to require a kext, but apparently that already changed quite some time ago:

(I migrated to Hyperkey.app because I thought KE still did… :person_facepalming:)

Apple added a built in feature that Karabiner Elements can tap into to receive keystrokes and simulate them. So it’s no longer necessary to write a kext to do this.

I’m sure if Apple adds an audio routing feature to macOS then Rogue Amoeba will drop their current system in a heartbeat. It can’t be fun to be a tech support person at Rogue Amoeba! In the meantime, the only choices they have are to discontinue their audio routing products or to continue as they are now.

I appreciate everybody joining in with information and opinion.

I have tried to state clearly that I have nothing against Rogue Amoeba software. RA provides valuable features in the face of a changing security environment and tightened security on Macs.

And I have only ever given reasons why I did not want to run software that must follow the reduced security path that Apple mandates. All others are free to make their own decision. (Of course!)

And finally, I don’t care if RA’s software is technically not a kernel extension. Apple forces you to reduce security as if it were a true kernel extension, so I don’t see the difference.

2 Likes

For what it’s worth, I wasn’t questioning your opinions; I was just trying to learn exactly what is required in terms of security control circumvention in order to run RA’s software. I tend to agree with you, and I think that those controls are there for very good reasons. If running RA’s software were something highly beneficial to me, I’d probably do so on a computer dedicated to that work. (I’m also not running down RA or their software or how it operates.)

Sorry, I did not think you were questioning my opinions. I thought your posts were supportive of some of my concerns. I apologize for not being clearer. I liked the posts by you and @webwalrus that I quoted establishing that “reduced security” persists even after installing software that requires it. I see now that I should have separated my last post into two parts.

2 Likes