The correct and current version of MRT can be either 1.26 or 1.27

For the moment, until Apple pushes a future update to bring it to at least version 1.28, your Mac could quite correctly be running either version 1.26 or 1.27 of its malware removal tool, MRT, as these two versions are functionally identical.

If your Mac is still running Sierra 10.12.6 or earlier, it can only be running MRT version 1.26, which is the latest release for those systems. It should have received that update around 1 December 2017.

If your Mac is running High Sierra 10.13 or later, it could be running MRT version 1.26 or 1.27, depending on when you updated to 10.13.2:

  • if your Mac ran 10.13.1 around 4-6 December, over that period it was most probably updated to version 1.27;
  • if your Mac wasn’t online much over that period and was then updated to 10.13.2, it may well still be running version 1.26, quite correctly.

No Mac should still be running version 1.25, which has now been superseded by 1.26/1.27.

The reason given for this, in a comment very kindly posted here by Al Varnell, is that the 1.27 update didn’t actually contain a new version of MRT, but its installation scripts performed some additional cleanup to the updates which fixed the High Sierra root user vulnerability. That version was, therefore, only pushed to Macs running 10.13 or 10.13.1 at that time. Once the 10.13.2 update was installed, that cleanup was no longer necessary, so any Mac running 10.13.2 should be left running MRT version 1.26.

Apple’s use of a version increment to a security tool like this, to perform unrelated cleanup for an earlier vulnerability, is cavalier to say the least. This has caused great confusion, and many sysadmins must have been tearing their hair out as a result. Let’s hope that this sees an end to such bad practices.