Last Week on My Mac: Invisible security is no security

We take it for granted that our Macs automagically keep up to date with Apple’s pushed security updates, just as those who bought a brand new MacBook Pro a year ago took it for granted that it was fully locked down by System Integrity Protection (SIP) under Sierra, only to discover that it wasn’t. And just as those who have this week discovered that their shiny new High Sierra upgrades are running outdated security data files, and can’t seem to update to new ones.

As in many other matters, Apple behaves like the worldly-wise uncle patting a twelve-year-old on the back and saying “Don’t worry about it, son. I’ll see you’re alright. Have I ever let you down before?” We aren’t told when security updates are pushed out, nor what they improve or protect us from, nor when one that should have been installed hasn’t been. If they don’t arrive automagically, there’s little that we can do apart from kick macOS at the command line, and hope that something happens.

They’re not entirely invisible, of course. When they are successfully received and installed, an entry is added to the Installations list in System Information. If you’re fastidious, you can check that daily to see what has been updated so silently. Or at least you could, if Apple were prepared to tell us when it has pushed each security update.

Look in the obvious places, like the Security &amp; Privacy pane, or rummage through the Software lists in System Information, and beyond those bare Installations entries you’ll see no mention of key security tools like Gatekeeper, MRT, and XProtect: nothing about what they are, which version is in use, or whether they are working, as if they’re some dark secret not for the eyes of users. I fancy the appearance of SIP in System Information was Apple’s response to the accident with those unprotected MacBook Pros a year ago, but I could be misremembering.

This all came to a head last week when it became clear that some High Sierra systems were neither using the latest data files nor showing any signs of installing them. Because of the nature of High Sierra at this early stage, it is very hard to know whether this is a general problem or confined to a small number of Macs.

In just a few weeks, High Sierra has become the most à la carte single-vendor operating system I know of, because of its four different installers and a ‘Supplemental Update’. A given Mac could have arrived at its current state by any of at least six different combinations of installers and that update, and each of those could be running either HFS+ or APFS as its startup file system. That is before you have considered whether it has been installed afresh or as an upgrade to 10.12 or earlier. Yet every one of these will claim that it is running macOS 10.13, with a choice of two different build numbers.

So working out what might have gone wrong is fraught with uncontrolled variables, and dominated by chance. In any case, most affected users will probably be oblivious to their Mac’s security failings unless they have been curious or suspicious enough to install specialist third-party software to check.

Thanks to a couple of third-party tools, we can keep better watch over Apple’s security protection. Digita Security’s UXProtect provides extensive information about XProtect’s data files, and what they protect a Mac against. My own LockRattler (from Downloads above) extends coverage to most of the other security protection built into macOS, and I support that here by maintaining lists of current versions of those data files, and announcements of when I see updates, as far as I can tell.

This is not the first time that I have heard of Macs which have suddenly fallen behind in their security protection. It doesn’t seem particularly common, but if users don’t know that there’s a problem, it is going to pass undetected.

Running LockRattler has already picked up one Mac which the user thought was protected by FileVault, but wasn’t. Several others have discovered SIP had somehow been turned off (one remembered later that he had turned it off for a reason, and forgotten to turn it back on), and other users have found that their Macs had mysteriously been disabled from obtaining Apple’s pushed updates. These things happen, yet macOS doesn’t warn us of the dangers into which we are steering.

What we need are periodic checks – for these data files, perhaps daily – of the currently installed version against what Apple considers we should be using. These might be wrapped into a security traffic light at the far right of the menu bar. We could then drop down a short list summarising the state of each security protection system, and any discrepancies with respect to their updating.
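Here is what such a check could look like as a script. It is an added example, not code from the original post and not LockRattler’s own code. It assumes the macOS 10.13 locations of the XProtect, MRT and Gatekeeper data bundles (XProtect moved under /Library/Apple in later releases), reads SIP, FileVault and the ConfigDataInstall software-update preference with the standard tools, and takes the expected data-file versions as arguments, because a script can only know what is installed, not what Apple currently considers current; those numbers have to come from a list you maintain or trust. The versions in the sample run are constructed to show the traffic light going red, not real release numbers.

```shell
#!/bin/sh
# Added example: a minimal daily security self-check for macOS 10.13 (not LockRattler's code).
# Usage on a Mac: sh seccheck.sh XPROTECT_EXPECTED MRT_EXPECTED GATEKEEPER_EXPECTED
# Elsewhere it runs the same report over constructed sample output so the logic can be read.

# Assumed 10.13 locations of the security data files.
XPROTECT_PLIST=/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist
MRT_PLIST=/System/Library/CoreServices/MRT.app/Contents/Info.plist
GK_PLIST=/private/var/db/gkopaque.bundle/Contents/version.plist
SU_PREFS=/Library/Preferences/com.apple.SoftwareUpdate

# version_cmp A B: prints -1, 0 or 1 comparing dotted numeric versions (2096 < 2097, 1.9 < 1.10).
version_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
    bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
    if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# data_file_status EXPECTED INSTALLED -> OK, OUTDATED or AHEAD (AHEAD means your own list is stale).
data_file_status() {
  case $(version_cmp "$2" "$1") in
    -1) echo OUTDATED ;;
    0) echo OK ;;
    *) echo AHEAD ;;
  esac
}

# sip_state "<csrutil status output>" -> enabled, disabled, custom or unknown.
# A custom configuration still says "enabled", so it is matched first and flagged separately.
sip_state() {
  case $1 in
    *"Custom Configuration"*) echo custom ;;
    *"status: enabled"*) echo enabled ;;
    *"status: disabled"*) echo disabled ;;
    *) echo unknown ;;
  esac
}

# filevault_state "<fdesetup status output>" -> on, off or unknown.
filevault_state() {
  case $1 in
    "FileVault is On"*) echo on ;;
    "FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# traffic_light STATUS... -> RED if anything is outdated, disabled or off, AMBER if anything is
# unknown, custom or ahead of the list, otherwise GREEN. "0" is a software-update preference that is off.
traffic_light() {
  light=GREEN
  for s in "$@"; do
    case $s in
      OUTDATED|disabled|off|0) light=RED ;;
      unknown|custom|AHEAD) if [ "$light" = GREEN ]; then light=AMBER; fi ;;
    esac
  done
  echo "$light"
}

# report XP_EXP MRT_EXP GK_EXP XP_INST MRT_INST GK_INST SIP FILEVAULT CONFIGDATAINSTALL
report() {
  xs=$(data_file_status "$1" "$4"); ms=$(data_file_status "$2" "$5"); gs=$(data_file_status "$3" "$6")
  printf '%-10s %-8s installed %s expected %s\n' XProtect "$xs" "$4" "$1"
  printf '%-10s %-8s installed %s expected %s\n' MRT "$ms" "$5" "$2"
  printf '%-10s %-8s installed %s expected %s\n' Gatekeeper "$gs" "$6" "$3"
  printf 'SIP %s, FileVault %s, ConfigDataInstall %s\n' "$7" "$8" "$9"
  printf 'Overall: %s\n' "$(traffic_light "$xs" "$ms" "$gs" "$7" "$8" "$9")"
}

if [ "$(uname)" = Darwin ]; then
  pb=/usr/libexec/PlistBuddy
  report "${1:-0}" "${2:-0}" "${3:-0}" \
    "$($pb -c 'Print :Version' "$XPROTECT_PLIST" 2>/dev/null || echo 0)" \
    "$($pb -c 'Print :CFBundleShortVersionString' "$MRT_PLIST" 2>/dev/null || echo 0)" \
    "$($pb -c 'Print :CFBundleShortVersionString' "$GK_PLIST" 2>/dev/null || echo 0)" \
    "$(sip_state "$(csrutil status 2>/dev/null)")" \
    "$(filevault_state "$(fdesetup status 2>/dev/null)")" \
    "$(defaults read "$SU_PREFS" ConfigDataInstall 2>/dev/null || echo unknown)"
else
  # Constructed sample values: a Mac one XProtect release behind, with FileVault off.
  report 2097 1.25 126 2096 1.25 126 \
    "$(sip_state 'System Integrity Protection status: enabled.')" \
    "$(filevault_state 'FileVault is Off.')" 1
fi
```

Run it from a daily launchd job or cron entry and only mail yourself the output when the last line is not GREEN. On a Mac that reports OUTDATED, `sudo softwareupdate --background-critical` asks for a background check for config-data and critical updates; rerun the script afterwards to see whether anything actually arrived.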

It seems both absurd and dangerous to wrap these key features of macOS in a misplaced blanket of secrecy. It does a great disservice to the security engineers who design and implement them, and those who now ensure their maintenance. It is also very bad for users to be kept in the dark like this, as security which is hidden away in whispers and winks too easily lets us down when we need it most.

If neither macOS nor we can keep a watchful eye on it, then it is no security.