Last Week on My Mac: A silent silent security update

I hadn’t really taken a great deal of interest in Apple’s ‘silent’ security updates until the morning one kindly disabled my wired Ethernet port. That fiasco – in which Apple had pushed an update to its list of blocked kernel extensions which disabled one of its own Ethernet drivers – taught me that I needed to keep tabs on them. It broke the trust that I had placed in those silent updates.

There hasn’t been a repetition since, but watching what gets installed behind my back enabled me to detect Apple’s nudgeware that is still irritating many users who haven’t yet upgraded to High Sierra.

Now it has brought a mystery: how Apple can push such a silent update that it doesn’t even appear in the list of installations?

silentupd01

It was, again, an accidental discovery when I was rummaging through Bill of Materials (BoM) files in /System/Library/Receipts, on my iMac17,1 running 10.12.6. There, on 4 January 2018, was the BoM for an update to the OSX1012IncompatibleAppList, which doesn’t appear in the system install history. What’s more, that update replaced some files which are protected by SIP.

silentupd02

Now, ten days later, I can’t remember what might have happened at the time. I’ve combed my logs, and there’s no evidence that my Mac was restarted until a couple of days later. There were no other updates installed from Apple even near that date: the last before it was on 14 December 2017, and the next after it was Safari 11.0.2 update on 8 January 2018.

It was quite a substantial update too: according to Suspicious Package (looking at that BoM), there was a total of 89 items weighing in at 1.3 MB. These included a complete new Resources folder for /System/Library/PrivateFrameworks/SystemMigration.framework, and new Contents for /System/Library/Sandbox/Compatibility.bundle. These aren’t of any use in day-to-day security, but determine which files are treated as compatible when migrating systems.

The ‘action’ files in those are MigrationIncompatibleApplicationsList.plist (in SystemMigration.framework), and paths (in Compatibility.bundle). Oddly they, and all the other items installed on 4 January 2018, are listed with modification dates of 24 September 2016. So why on 4 January 2018 was Apple pushing out a silent update to those settings files which it had apparently created over 15 months earlier?

By an odd coicidence, I happen to have a copy of earlier versions of those files: while the paths file in Compatibility.bundle hasn’t changed, MigrationIncompatibleApplicationsList.plist has, adding /usr/lib/libgutenprint.2.0.3.dylib to its blacklist for migration, and changing its internal version number from 10.12.155 to 10.12.156. But those changes were made back on 24 September 2016 too.

By now, I’m wondering whether this is all in my imagination. So I check com.apple.pkg.OSX1012IncompatibleAppList.plist, which accompanied the installation BoM. That file was created on 20 September 2016, but was last opened and modified on 4 January 2018, when this update was installed. For the install date, it clearly says 2018-01-04T22:27:55Z.

silentupd03

There’s nothing equivalent in High Sierra, which has a different set of files in its SystemMigration.framework and Compatibility.bundle which were updated immediately after the 10.13 installation. Besides, High Sierra has had so many supplemental updates, patches, tweaks, and cover-ups that it’s hard to make any sense of its update history now.

As far as I can tell from the evidence remaining, at around 22:25 UTC on 4 January 2018, Apple’s push servers sent my iMac an update to its minor security settings bundles. That update replaced many files which are protected by SIP without apparently changing the status of the Mac, which continued in normal use throughout, and did not restart. The update itself appears to have been sent in error, having originally been installed shortly after initial installation of macOS Sierra 10.12, around 1 October 2016.

I’d be very interested to know whether others using Sierra had a similar pushed update earlier this year, please. Unfortunately you cannot use System Information or my SystHist to tell, but will have to look at /System/Library/Receipts itself, as this flew in under the radar.

I am afraid that this inspires no confidence in Apple’s silent pushed updates, and I will soon be updating SystHist so that it also reports all such silent silent updates.

4Comments

Add yours

1

Larry Rosenblum on January 15, 2018 at 1:59 am

I am running 10.12.6 on an iMac 18,3 with all software updates applied (none pending). I’m in the US. I do not have that receipt on my iMac and nothing on January 11 (nothing since I updated Safari to 11.0.2 on January 8). My wife’s MacBook Air 7,1 with the same OS also has no receipts since the Safari update.

Thank you for all you are doing to shed light on Apple.

LikeLiked by 1 person
- 2
  
  hoakley on January 15, 2018 at 8:52 am
  
  Thank you for that information.
  The 11 Jan 2018 update was for the Safari Technology Preview, which users will only have installed if they had that preview app installed from the App Store.
  Howard.
  
  LikeLike
3

alvarnell on January 15, 2018 at 10:40 am

Mine are dated 4 Nov 2016. Suspicious Package tells me it was installed by migration assistant and could have been downloaded by that process at some point.

All Apple signed installers are able to write to SIP locations, so that’s not at all surprising.

LikeLiked by 1 person
- 4
  
  hoakley on January 15, 2018 at 10:48 am
  
  Thank you.
  I remain surprised that an Apple installer appears to have written to protected locations without even making its presence known, let alone warning me that it was intending to do so, and then bypassing the Install History. That surely is behaviour which is characteristic of sophisticated malware?
  Perhaps it is just as well that Mac anti-malware software is (generally) not advanced enough to detect and block such behaviour!
  I also know for sure that I didn’t run Migration Assistant at that time.
  Howard.
  
  LikeLike

Share this:

Like this:

Related