Apple may or may not have updated MRT to version 1.27 (updated)

Comments to articles here show that some Mac users have, in the last day or so, received silent pushed updates to bring the installed version of Apple’s malware removal tool, MRT, from version 1.26 to 1.27.

Other Mac users haven’t yet received that update. Neither my Sierra nor High Sierra system has been updated yet, and LockRattler confirms that they are still running MRT 1.26. Although such pushed updates take time to propagate to all Macs around the world, I have also tried forcing the update by typing
sudo softwareupdate -ia --include-config-data
in Terminal, only to be told
No updates are available.

It is possible that Apple has pulled the 1.27 update. As it doesn’t tell us anything about these silent updates, we can only guess. When it does arrive here, I will let you know, but for the time being MRT may be current in either version.

I have also noticed another security oddity with High Sierra 10.13.2. In the 10.13.2 update, Apple updated the AppleKextExcludeList kernel extension (listed in LockRattler as the KEXT block version) to 13.2.1, dated from 1 December 2017. However, the kernel extension exclude list within that kernel extension appears to remain the same as that in the previous version of 15 July 2017.

I have updated the list of security settings files for High Sierra accordingly. This does not affect earlier versions of macOS.
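
The comparison described above (a bumped version number with an unchanged exclude list) can be checked by hashing the list itself rather than trusting the version string. This is an added example, not code from the original article or from LockRattler; the bundle paths and the OSKextExcludeList key name are assumptions that do not appear on the page.

```python
import hashlib
import json
import plistlib
from pathlib import Path

# Assumed locations on Sierra / High Sierra; not stated in the article.
MRT_APP = Path("/System/Library/CoreServices/MRT.app")
KEXT_EXCLUDE = Path("/System/Library/Extensions/AppleKextExcludeList.kext")
EXCLUDE_KEY = "OSKextExcludeList"  # assumed Info.plist key holding the list


def load_info(bundle):
    """Parse a bundle's Contents/Info.plist (XML or binary format)."""
    with open(Path(bundle) / "Contents" / "Info.plist", "rb") as fh:
        return plistlib.load(fh)


def bundle_version(info):
    """Marketing version if present, otherwise the build version."""
    return info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")


def content_digest(info, key=EXCLUDE_KEY):
    """SHA-256 over a canonical JSON form of one plist value, so bundles can
    be compared by content regardless of their version strings."""
    canonical = json.dumps(info.get(key), sort_keys=True, default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare_bundles(old_bundle, new_bundle, key=EXCLUDE_KEY):
    """Report separately whether the version and the content changed."""
    old, new = load_info(old_bundle), load_info(new_bundle)
    return {
        "old_version": bundle_version(old),
        "new_version": bundle_version(new),
        "version_changed": bundle_version(old) != bundle_version(new),
        "content_changed": content_digest(old, key) != content_digest(new, key),
    }


if __name__ == "__main__":
    for bundle in (MRT_APP, KEXT_EXCLUDE):
        try:
            info = load_info(bundle)
            line = [bundle.name, str(bundle_version(info))]
            if EXCLUDE_KEY in info:  # only the kext carries the list
                line.append(content_digest(info))
            print(" ".join(line))
        except OSError as exc:
            print(bundle.name, "not readable:", exc)
```

To compare across an update, keep a copy of the older bundle (for example from a backup) and pass both paths to compare_bundles.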


MRT version 1.26 was built on 29 November, and pushed to Macs on 1 December.
macOS 10.13.2 update seems to have been largely built on 1 December, but included MRT version 1.25, not 1.26.
MRT version 1.27 started to be pushed to Macs as early as 4 December, but as of 8 December has not even been made available (let alone pushed) to many.
Apple is saying nothing, and we don’t know what differences, if any, there are between these three versions, nor why 1.26 and 1.27 were built so close together, when 1.25 was pushed a month ago, on 7 November.

(Updated 2345 8 December 2017.)