The High Sierra 10.13 problem with security data files may now be fixed

Over a week ago it became clear that there was a problem with High Sierra updating some of its security data files, most notably those for XProtect. It looks as if Apple has fixed this, and all Macs running High Sierra should now be able to update properly to the latest versions.

The original problems lay in the High Sierra installers: all versions, including the latest, dated 12 October, which is still in the App Store. Each of these installed old versions of the security data files, including version 2094 of the XProtect data files. That in itself is not a problem (although surely the installer should not overwrite more recent versions, should it?).

However, if that Mac had been updated to version 2095 when it was still running Sierra, before High Sierra was installed, the installer left the receipts for versions 2094 and 2095 in the Receipts folder – which is protected by SIP. That was another error in the installer: if it was going to remove more recent updates, then it should also have removed their receipts.

When softwareupdate saw those receipts, it therefore assumed that the 2095 update had been installed, which indeed it had, until the High Sierra installer removed it and installed 2094 instead. This deadlock should have been broken when 2096 was pushed in due course, but Apple has now pushed a metadata-only configuration update, which should enable all High Sierra systems to update correctly to 2095.
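The receipt mismatch described above can be modelled in a few lines. This is an added example, not code from the original post or from Apple: the plist is a constructed sample in the shape of XProtect.meta.plist with its Version key, the receipt list is constructed, and `update_decision` is a hypothetical, simplified model of how softwareupdate treats receipts.

```python
import plistlib

# Constructed sample: a minimal XProtect.meta.plist as the High Sierra
# installer would leave it (data files rolled back to version 2094).
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Version</key>
    <integer>2094</integer>
</dict>
</plist>
"""


def installed_version(meta_plist_bytes):
    """Version of the XProtect data files actually on disk."""
    return int(plistlib.loads(meta_plist_bytes)["Version"])


def stale_receipts(installed, receipt_versions):
    """Receipts claiming a version newer than what is really installed."""
    return sorted(v for v in set(receipt_versions) if v > installed)


def update_decision(offered, installed, receipt_versions):
    """Simplified model (assumption) of the behaviour the post describes:
    an offered update is skipped when a receipt for it already exists."""
    if offered in receipt_versions:
        if offered > installed:
            return "skipped: stale receipt hides a missing update"
        return "skipped: already installed"
    if offered > installed:
        return "install"
    return "skipped: not newer"


if __name__ == "__main__":
    installed = installed_version(SAMPLE_META_PLIST)
    receipts = [2094, 2095]  # constructed: receipts left in the Receipts folder
    print("installed:", installed)
    print("stale receipts:", stale_receipts(installed, receipts))
    for offered in (2095, 2096):
        print(offered, "->", update_decision(offered, installed, receipts))
```

With the stale 2095 receipt present, the 2095 update is skipped even though 2094 is what is on disk, while 2096 would install normally.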

My advice then is:

  • If you’re running Sierra or earlier, none of this affects you.
  • If you’re about to upgrade to High Sierra, that should be fine, but use Digita Security’s free UXProtect and my free LockRattler (from Downloads above) to keep a watch on the version numbers of these security data files, until you are fully up to date as listed here.
  • If you’re already running High Sierra, use UXProtect and LockRattler, and check against the list here until you’re happy that your system is fully up to date.

I am very grateful once again to Josh Stein at Digita Security for much of the information about this bug and its resolution.