I hadn’t really taken a great deal of interest in Apple’s ‘silent’ security updates until the morning one kindly disabled my wired Ethernet port. That fiasco – in which Apple had pushed an update to its list of blocked kernel extensions which disabled one of its own Ethernet drivers – taught me that I needed to keep tabs on them. It broke the trust that I had placed in those silent updates.
There hasn’t been a repetition since, but watching what gets installed behind my back enabled me to detect Apple’s nudgeware that is still irritating many users who haven’t yet upgraded to High Sierra.
Now it has brought a mystery: how Apple can push such a silent update that it doesn’t even appear in the list of installations?
It was, again, an accidental discovery when I was rummaging through Bill of Materials (BoM) files in /System/Library/Receipts, on my iMac17,1 running 10.12.6. There, on 4 January 2018, was the BoM for an update to the OSX1012IncompatibleAppList, which doesn’t appear in the system install history. What’s more, that update replaced some files which are protected by SIP.
Now, ten days later, I can’t remember what might have happened at the time. I’ve combed my logs, and there’s no evidence that my Mac was restarted until a couple of days later. There were no other updates installed from Apple even near that date: the last before it was on 14 December 2017, and the next after it was Safari 11.0.2 update on 8 January 2018.
It was quite a substantial update too: according to Suspicious Package (looking at that BoM), there was a total of 89 items weighing in at 1.3 MB. These included a complete new Resources folder for /System/Library/PrivateFrameworks/SystemMigration.framework, and new Contents for /System/Library/Sandbox/Compatibility.bundle. These aren’t of any use in day-to-day security, but determine which files are treated as compatible when migrating systems.
The ‘action’ files in those are
MigrationIncompatibleApplicationsList.plist (in SystemMigration.framework), and
paths (in Compatibility.bundle). Oddly they, and all the other items installed on 4 January 2018, are listed with modification dates of 24 September 2016. So why on 4 January 2018 was Apple pushing out a silent update to those settings files which it had apparently created over 15 months earlier?
By an odd coicidence, I happen to have a copy of earlier versions of those files: while the
paths file in Compatibility.bundle hasn’t changed,
MigrationIncompatibleApplicationsList.plist has, adding /usr/lib/libgutenprint.2.0.3.dylib to its blacklist for migration, and changing its internal version number from 10.12.155 to 10.12.156. But those changes were made back on 24 September 2016 too.
By now, I’m wondering whether this is all in my imagination. So I check com.apple.pkg.OSX1012IncompatibleAppList.plist, which accompanied the installation BoM. That file was created on 20 September 2016, but was last opened and modified on 4 January 2018, when this update was installed. For the install date, it clearly says 2018-01-04T22:27:55Z.
There’s nothing equivalent in High Sierra, which has a different set of files in its SystemMigration.framework and Compatibility.bundle which were updated immediately after the 10.13 installation. Besides, High Sierra has had so many supplemental updates, patches, tweaks, and cover-ups that it’s hard to make any sense of its update history now.
As far as I can tell from the evidence remaining, at around 22:25 UTC on 4 January 2018, Apple’s push servers sent my iMac an update to its minor security settings bundles. That update replaced many files which are protected by SIP without apparently changing the status of the Mac, which continued in normal use throughout, and did not restart. The update itself appears to have been sent in error, having originally been installed shortly after initial installation of macOS Sierra 10.12, around 1 October 2016.
I’d be very interested to know whether others using Sierra had a similar pushed update earlier this year, please. Unfortunately you cannot use System Information or my SystHist to tell, but will have to look at /System/Library/Receipts itself, as this flew in under the radar.
I am afraid that this inspires no confidence in Apple’s silent pushed updates, and I will soon be updating SystHist so that it also reports all such silent silent updates.