Apple security update blocks Apple Ethernet drivers on OS X El Capitan
Over the weekend, Apple released an update for a kernel extension blacklist used by System Integrity Protection on OS X El Capitan. This blacklist is a security measure to help Apple block kernel extensions which have been found to be harmful or problematic for OS X. This update belonged to a category of updates which Apple has set to install automatically and in the background, so its installation would have been both automatic and invisible.
Unfortunately, this blacklist update appears to have inadvertently contained the kernel extension information for Apple’s own Ethernet drivers. This is a problem because blocking the Ethernet drivers means your Mac will not be able to connect to your network via an Ethernet connection.
Apple appears to have quickly recognized the problem and has released a follow-up update which fixes this issue.
Update – 10-28-2016: Apple has posted a knowledgebase article about this issue: https://support.apple.com/HT6672
The good news:
- This issue does not affect your Mac’s WiFi connection. WiFi has separate drivers which were not affected.
- If the Ethernet drivers are blocked, but the Mac has not yet rebooted, your Ethernet connection will remain working until the next time the Mac reboots.
- The follow-up update which fixes the problem may already be installed on your Mac.
For more information, see below the jump.
To see if you have the problem update installed, use the procedures below:
Checking via the System Information application:
1. Open the System Information application in /Applications/Utilities
2. Go to the Software: Installations section and search for the following entries:
Incompatible Kernel Extension Configuration Data 3.28.1 – This contains the blacklist update which blocks Apple’s Ethernet driver software
Incompatible Kernel Extension Configuration Data 3.28.2 – This contains the follow-up update which removes Apple’s Ethernet driver software from the blacklist.
Checking via the command line:
1. Open Terminal
2. Run the following command:
cat /var/log/install.log | grep com.apple.pkg.IncompatibleKextConfigData.14U2129
If you get a result like this, the Incompatible Kernel Extension Configuration Data 3.28.1 update was installed:
Feb 26 22:02:45 computername system_installd: PackageKit: Writing system content receipt for com.apple.pkg.IncompatibleKextConfigData.14U2129 to /
3. Next, run the following command to see if the Incompatible Kernel Extension Configuration Data 3.28.2 update which fixes this issue was also installed:
cat /var/log/install.log | grep com.apple.pkg.IncompatibleKextConfigData.14U2130
If you get a result like this, the follow-up Incompatible Kernel Extension Configuration Data 3.28.2 update that fixes the problem was installed:
Feb 27 20:28:23 computername system_installd: PackageKit: Writing system content receipt for com.apple.pkg.IncompatibleKextConfigData.14U2130 to /
If you have the Incompatible Kernel Extension Configuration Data 3.28.1 update installed, but do not yet have the Incompatible Kernel Extension Configuration Data 3.28.2 update installed, the Ethernet drivers for your Mac will be blocked from running the next time the Mac is restarted. That will result in your Mac not being able to connect to your network via an Ethernet connection.
To fix this, the Incompatible Kernel Extension Configuration Data 3.28.2 update needs to be installed and the Mac rebooted again. After this reboot, the Ethernet drivers should be enabled again and your Mac’s Ethernet connection should work normally again.
To install the Incompatible Kernel Extension Configuration Data 3.28.2 update:
- Verify you have a working connection to the Internet
- Open Terminal
- Run the following command with root privileges:
Running the softwareupdate –background-critical command forces a check-in with Apple’s software update service and will trigger your Mac to automatically install the Incompatible Kernel Extension Configuration Data 3.28.2 update.
For those interested in checking the affected kernel extension blacklist, it is stored in the following location:
When the Incompatible Kernel Extension Configuration Data 3.28.1 update is installed, the /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist file is updated with the following entries, which add Apple’s Ethernet drivers to the kernel extension blacklist:
<key>com.apple.iokit.AppleBCM5701Ethernet</key> <string>LT 10.2.0</string> <key>com.apple.iokit.AppleYukon2</key> <string>LT 4.0.0</string>
When the Incompatible Kernel Extension Configuration Data 3.28.2 update is installed, those entries are removed: