What do Security Updates actually fix?

If you read Apple’s security release notes, listing the fixes which have been included in security and other updates to macOS, you will no doubt have become aware of the changes which have occurred in them over the last year or so. Those release notes have become briefer, listing fewer fixes, despite the large packages which they have covered.

Security Update 2018-001 for High Sierra is a good, and recent, example. Released on 24 April 2018, it is actually the second security update identified as 2018-001: the previous one, for Sierra and El Capitan, was released two months earlier, and completely unrelated. For an update of over 1 GB in size (2 GB installed), which replaced pretty well every one of Apple’s kernel extensions, the release notes look vestigial.

Apple claimed that all the 12,621 files installed in that security update were required to fix a memory corruption bug in Crash Reporter, and to address a spoofing issue in the handling of URLs in text messages (which Apple associated with “LinkPresentation”). Those were and remain the only fixes which Apple has listed as being included in that security update. Only last year, a typical security update of that size was accompanied by notes on 50 or more bugs which were fixed.

Apple itself has also vanished from the list of those credited with fixes. Apple’s own fixes were never frequent, but used to be reported in security release notes. For example, APPLE-SA-2015-04-08-2 detailing security fixes in OS X 10.10.3 and Security Update 2015-004 contained:
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.2
Impact: Visiting a maliciously crafted website may lead to arbitrary
code execution
Description: A use-after-free issue existed in CoreAnimation. This
issue was addressed through improved mutex management.
CVE-2015-1136 : Apple

That was one of six fixes in that update attributed solely to Apple.

I have checked through the 196 or so fixes which Apple has listed in security release notes for macOS since 25 September 2017. Not one of those is credited to Apple alone, and only a handful are given jointly to Apple with others.

Apple is also in the habit of updating its security release notes after the release of that update. In some circumstances, where details of the vulnerability haven’t yet been released, and with contentious issues such as Meltdown and Spectre, this appears reasonable. But in several recent cases, Apple has later added details of fixes which appear simply to have been omitted from the original release notes. Unless you are in the habit of frequently re-reading release notes at Apple’s security updates listings, this means that you are likely to miss such delayed information.

Not that we have been deprived of security updates either. In the first four months of 2018, macOS alone has seen the the following releases:

  • 08-01-2018 macOS High Sierra 10.13.2 Supplemental Update
  • 23-01-2018 macOS High Sierra 10.13.3
  • 23-01-2018 Security Update 2018-001 Sierra
  • 23-01-2018 Security Update 2018-001 El Capitan
  • 19-02-2018 macOS High Sierra 10.13.3 Supplemental Update
  • 30-03-2018 macOS High Sierra 10.13.4
  • 30-03-2018 Security Update 2018-002 Sierra
  • 30-03-2018 Security Update 2018-002 El Capitan
  • 24-04-2018 Security Update 2018-001 [High Sierra]

Does any of this really matter? What value are these security release notes anyway?

Until you’re affected by a vulnerability, they may seem of limited value. But take the example of Sarah Edwards’ bug which released plain text passwords used when encrypting APFS volumes into two different logs in High Sierra. Apple had partially fixed the bug at some stage before macOS 10.13.4, and it was completely fixed in the 10.13.4 update. If you had encrypted any APFS volumes, it was vital to know when each fix occurred.

Sarah did the right thing, and reported the bug to Apple, only to learn that she was not the first to do so. But Apple has still not revealed when the partial fix occurred, nor acknowledged that it delivered a complete fix in 10.13.4. The only way that we have obtained any information about this is through Sarah’s diligence, and users spending their time testing different versions of High Sierra. As far as I am aware, Apple has not at any time acknowledged the existence of the bug, except by informing Sarah that hers was not its first report.

Apple makes great play of taking security seriously. Unfortunately, just now, that doesn’t include keeping users informed. When you can’t even trust the release notes for a security update, what can you trust?