Another High Sierra security flaw: Supplemental Update may downgrade security data files (updated – it should be fixed now)

Since this update was posted, information has moved on again: please read this article, which explains how the problem should now be fixed and gives further practical advice.

Since writing the article below, further information has come to light which makes it clear that this problem may affect any installation of High Sierra, including those made using the latest installers.

You are least likely to suffer from it if your Mac obtained these security updates when running Sierra, prior to updating to High Sierra. If your Mac didn’t obtain them then, it may be very difficult (i.e. you may need to disable SIP and mess with system files) to get it to install them now.

I therefore recommend that all those running High Sierra check the versions installed on their Macs, to ensure that they have the latest protection. If they don’t, perhaps the best way to pursue this is through Apple Support, as it is fundamentally their problem to address. I will post further news as it emerges.

I am very grateful to Josh Stein at Digita Security for keeping me updated on these developments, and to others who have passed on information. So here’s what I wrote this morning…

If you have upgraded to High Sierra 10.13 and applied the Supplemental Update, you should check which versions of XProtect and Gatekeeper data files your Mac is now using.

Digita Security has reported that installing the Supplemental Update may downgrade the XProtect data files from the current version, 2095, to the previous one, 2094, removing protection against the malware detailed here. Not only that, but Apple’s push updates may have failed to update that older version to the newer one, because your Mac was already so updated before installing the Supplemental Update!

Digita only refers to XProtect data files, but this problem may extend to Gatekeeper’s data files as well, and possibly MRT. The version of the Gatekeeper configuration data which was bundled with the Supplemental Update is an old one, and does not appear to have been updated to the current version 131, pushed on 5 October.

This should only affect those who installed one of the two original releases of High Sierra, and then applied the Supplemental Update. If you installed the version of High Sierra which came with the Supplemental Update already built into it, this should leave your Mac poised to receive the pushed updates to XProtect and Gatekeeper in the normal way. Unfortunately, as Apple has not changed the version numbers in these different versions of High Sierra, it is hard to distinguish between them.

It is a mystery why the Supplemental Update included older versions of these security data files. A further mystery is the fact that the High Sierra installer available now from the App Store has been updated to a version from 12 October 2017, which is more recent than that incorporating the Supplemental Update. There doesn’t appear to be any App Store update to that version – which has the same version number as the first three released versions of High Sierra – and I have been unable to discover what changes, if any, have been made.

To check the currently installed security data files on your Mac, download my free LockRattler from Downloads above. You can check the version numbers against the updated list for High Sierra, Sierra 10.12.6, or those for El Capitan.
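For those who would rather check from the Terminal, here is a plain shell script that does the same comparison. It is an added example written for this page, not LockRattler’s code and not anything from Apple or Digita: it reads CFBundleShortVersionString from each bundle’s Info.plist and compares it with the versions quoted above (2095 for XProtect, 131 for Gatekeeper; the post gives no current MRT version, so MRT is only reported). The bundle paths are the standard High Sierra locations as I know them, and the sample plist embedded in the script is constructed so that the “out of date” branch can be seen firing on any system.

```shell
#!/bin/sh
# Added example: a plain-shell version check for the security data bundles
# discussed in the post. Not LockRattler's code. Expected versions are the
# ones the post quotes (XProtect 2095, Gatekeeper 131); bundle paths are the
# standard High Sierra locations.

# Read CFBundleShortVersionString from an Info.plist. XML plists are parsed
# with awk so that part runs anywhere; on a Mac a binary plist is decoded
# with defaults(1) instead. Returns non-zero when the file or key is absent.
plist_short_version() {
    [ -r "$1" ] || return 1
    v=$(awk '/<key>CFBundleShortVersionString<\/key>/ {
               getline
               gsub(/.*<string>|<\/string>.*/, "")
               print
               exit
             }' "$1" 2>/dev/null)
    if [ -z "$v" ] && command -v defaults >/dev/null 2>&1; then
        v=$(defaults read "$1" CFBundleShortVersionString 2>/dev/null)
    fi
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# True (exit 0) when version $1 is older than version $2. Dotted versions
# such as MRT's are compared component by component, numerically.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# Report one component: $1 = name, $2 = Info.plist path, $3 = expected version.
# Exit status: 0 up to date, 1 older than expected, 2 no version found.
check_component() {
    installed=$(plist_short_version "$2") || {
        echo "$1: no version found at $2"
        return 2
    }
    if version_lt "$installed" "$3"; then
        echo "$1: $installed installed, $3 expected: OUT OF DATE"
        return 1
    fi
    echo "$1: $installed installed, $3 expected: OK"
}

# Constructed sample: an Info.plist carrying the downgraded XProtect version
# 2094 described in the post, so the check can be seen firing on any system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>2094</string>
</dict>
</plist>
EOF
check_component "XProtect (constructed sample)" "$sample" 2095 || :
rm -f "$sample"

# The real bundles on a High Sierra Mac; each is skipped when not present.
XPROTECT_PLIST=/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist
GATEKEEPER_PLIST=/private/var/db/gkopaque.bundle/Contents/Info.plist
MRT_PLIST=/System/Library/CoreServices/MRT.app/Contents/Info.plist
if [ -r "$XPROTECT_PLIST" ]; then
    check_component XProtect "$XPROTECT_PLIST" 2095 || :
fi
if [ -r "$GATEKEEPER_PLIST" ]; then
    check_component Gatekeeper "$GATEKEEPER_PLIST" 131 || :
fi
# The post gives no current MRT version, so only report what is installed.
if [ -r "$MRT_PLIST" ]; then
    echo "MRT: $(plist_short_version "$MRT_PLIST") installed"
fi
```

An OUT OF DATE line for XProtect or Gatekeeper means the Supplemental Update has left an older data file in place and the pushed update has not arrived; an OK line does not by itself prove the push mechanism is healthy, only that the versions match the ones quoted above, so re-run the check after the next pushed update is announced.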