hoakley October 13, 2017 Macs, Technology

Another High Sierra security flaw: Supplemental Update may downgrade security data files (updated – it should be fixed now)

Since updating this, information has advanced again: please read this article, which explains how this problem should now be fixed, and gives further practical advice.

Since writing the article below, further information has come to light which makes it clear that this problem may affect any installation of High Sierra, including those made using latest installers.

You are least likely to suffer from it if your Mac obtained these security updates when running Sierra, prior to updating to High Sierra. If your Mac didn’t obtain them then, it may be very difficult (i.e. you may need to disable SIP and mess with system files) to get it to install them now.

I therefore recommend that all those running High Sierra check the versions installed on their Macs, to ensure that they have the latest protection. If they don’t, perhaps the best way to pursue this is through Apple Support, as it is fundamentally their problem to address. I will post further news as it emerges.

I am very grateful to Josh Stein at Digita Security for keeping me updated on these developments, and for others who have passed information. So here’s what I wrote this morning…

If you have upgraded to High Sierra 10.13 and applied the Supplemental Update, you should check which versions of XProtect and Gatekeeper data files your Mac is now using.

Digita Security has reported that installing the Supplemental Update may downgrade the XProtect data files from the current version, 2095, to the previous one, 2094, removing protection from the malware detailed here. Not only that, but Apple’s push updates may have failed to update that older version to the newer one, because your Mac was already so updated before installing the Supplemental Update!

Digita only refers to XProtect data files, but this problem may extend to Gatekeeper’s data files as well, and possibly MRT. The version of the Gatekeeper configuration data which was bundled with the Supplemental Update is an old one, and does not appear to have been updated to the current version 131, pushed on 5 October.

This should only affect those who installed one of the two original releases of High Sierra, and then applied the Supplemental Update. If you installed the version of High Sierra which came with the Supplemental Update already built into it, this should leave your Mac poised to receive the pushed updates to XProtect and Gatekeeper in the normal way. Unfortunately, as Apple has not changed the version numbers in these different versions of High Sierra, it is hard to distinguish between them.

It is a mystery as to why the Supplemental Update included older versions of these security data files. A further mystery is the fact that the High Sierra installer available now from the App Store has been updated to a version from 12 October 2017, which is more recent than that incorporating the Supplemental Update. There doesn’t appear to be any App Store update to that version – which has the same version number as the first three released versions of High Sierra – and I have been unable to discover what changes, if any, have been made.

To check the currently installed security data files on your Mac, download my free LockRattler from Downloads above. You can check the version numbers against the updated list for High Sierra, Sierra 10.12.6, or those for El Capitan.

8Comments

Add yours

1

Philip Noguchi on October 13, 2017 at 2:26 pm

FWIW, I downloaded the Oct 12 HS installer three times, eliminating all residual downloads. The installer get info said it was created 2 October 2017, with build number 24 and installer version 13.0.66. Have not gone any further, but not sure the October 12 update is any different from the October 2 installer.

You always have such novel discoveries!

LikeLiked by 1 person
- 2
  
  hoakley on October 13, 2017 at 2:29 pm
  
  Thank you for that helpful information. That looks like it is unchanged.
  Howard
  
  LikeLike
3

Tony on October 14, 2017 at 10:57 pm

I downloaded and installed High Sierra today (14-10). I intended to report on the security issues you raise but there are other murky things too. The following is tonight’s status, for information.

The HS Installer remains where I copied it to before running the version downloaded to applications. Spotlight reports it as version 13.0.66 but, when launched in HS, it claims to be 13.0.57. Hmm.

I downloaded LockRattler too, v3.5 (5). That reports my XProtect version as 2094 but System Information > Software > Installations records, on 29-9-17, installation of 2095; there is no record there of 2094 being installed. They both agree on MRT 1.23 being installed (System Information shows it being installed on 29-9-17 and again today). Both also agree on Gatekeeper 131 (installed on 4-10-17 but at 23:21 that may explain the discrepancy on dates).

The discrepancy on XProtect is odd. I did deny LockRattler the ability to make changes when it asked but it had already fetched the data by then. Are there two version numbers for this too?

LikeLiked by 1 person
- 4
  
  hoakley on October 15, 2017 at 8:31 am
  
  Thank you, Tony. In theory, as you had already had those updates installed before upgrading to High Sierra, opinion is that you should have stayed with them. So I am puzzled that it looks as if your High Sierra installation has downgraded XProtect to the version supplied with the original HS installers, 2094.
  You can get fuller details on XProtect using the excellent free UXProtect: that is what I would check next. If that also says that it is stuck at 2094, then I think you may have the problem that has been reported.
  The only thing that you can do is try forcing a pushed update using
  sudo softwareupdate --background-critical
  at the command line. Within a couple of hours 2095 should be installed, unless High Sierra is somehow blocking it.
  Howard.
  
  LikeLike
  - 5
    
    Tony on October 15, 2017 at 2:35 pm
    
    UXProtect concurs, update started. Thanks. Any thoughts on the Installer’s identity crisis?
    
    sudo, in Terminal, prompted me for a password but not a user name. Since my user account does not have Admin privilege, that is clearly doomed. Am I misremembering, surely it used to prompt for both in the past so it was usable from any account? Unless I’m missing something, it can’t now be used outside an Admin account.
    
    LikeLike
    - 6
      
      hoakley on October 15, 2017 at 3:26 pm
      
      There was a suggestion that a couple of receipts were jamming the process, but it looks more like bad scripting in the installers to me.
      You should be able to
      sudo -u adminusername
      and then get prompted for that admin user’s password.
      Howard.
      
      LikeLike
  - 7
    
    Tony on October 18, 2017 at 10:07 am
    
    For information (though other suggestions are welcome of course):
    I tried the sudo, from an Admin account and latterly as you suggested with the -u parameter from my user account, I have also tried UXProtect’s update option several times but my Mac remains stubbornly on 2094 (according to both LockRattler and UXProtect).
    
    I guess there’ll be another update along soon and hopefully that will clear the issue. In the meantime, I am advising all to wait for the .1 before updating!
    
    LikeLiked by 1 person
    - 8
      
      hoakley on October 18, 2017 at 11:43 am
      
      Thank you, Tony. Maybe when the next update is pushed, it will clear whatever is stopping the 2095 update.
      Howard.
      
      LikeLike

·Comments are closed.

Share this:

Related