What do Security Updates actually fix?

If you read Apple’s security release notes, listing the fixes which have been included in security and other updates to macOS, you will no doubt have become aware of the changes which have occurred in them over the last year or so. Those release notes have become briefer, listing fewer fixes, despite the large packages which they have covered.

Security Update 2018-001 for High Sierra is a good, and recent, example. Released on 24 April 2018, it is actually the second security update identified as 2018-001: the previous one, for Sierra and El Capitan, was released two months earlier, and completely unrelated. For an update of over 1 GB in size (2 GB installed), which replaced pretty well every one of Apple’s kernel extensions, the release notes look vestigial.

Apple claimed that all the 12,621 files installed in that security update were required to fix a memory corruption bug in Crash Reporter, and to address a spoofing issue in the handling of URLs in text messages (which Apple associated with “LinkPresentation”). Those were and remain the only fixes which Apple has listed as being included in that security update. Only last year, a typical security update of that size was accompanied by notes on 50 or more bugs which were fixed.

Apple itself has also vanished from the list of those credited with fixes. Apple’s own fixes were never frequent, but used to be reported in security release notes. For example, APPLE-SA-2015-04-08-2 detailing security fixes in OS X 10.10.3 and Security Update 2015-004 contained:
CoreAnimation Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.2 Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A use-after-free issue existed in CoreAnimation. This issue was addressed through improved mutex management. CVE-ID CVE-2015-1136 : Apple
That was one of six fixes in that update attributed solely to Apple.

I have checked through the 196 or so fixes which Apple has listed in security release notes for macOS since 25 September 2017. Not one of those is credited to Apple alone, and only a handful are given jointly to Apple with others.

Apple is also in the habit of updating its security release notes after the release of that update. In some circumstances, where details of the vulnerability haven’t yet been released, and with contentious issues such as Meltdown and Spectre, this appears reasonable. But in several recent cases, Apple has later added details of fixes which appear simply to have been omitted from the original release notes. Unless you are in the habit of frequently re-reading release notes at Apple’s security updates listings, this means that you are likely to miss such delayed information.

Not that we have been deprived of security updates either. In the first four months of 2018, macOS alone has seen the the following releases:

08-01-2018 macOS High Sierra 10.13.2 Supplemental Update
23-01-2018 macOS High Sierra 10.13.3
23-01-2018 Security Update 2018-001 Sierra
23-01-2018 Security Update 2018-001 El Capitan
19-02-2018 macOS High Sierra 10.13.3 Supplemental Update
30-03-2018 macOS High Sierra 10.13.4
30-03-2018 Security Update 2018-002 Sierra
30-03-2018 Security Update 2018-002 El Capitan
24-04-2018 Security Update 2018-001 [High Sierra]

Does any of this really matter? What value are these security release notes anyway?

Until you’re affected by a vulnerability, they may seem of limited value. But take the example of Sarah Edwards’ bug which released plain text passwords used when encrypting APFS volumes into two different logs in High Sierra. Apple had partially fixed the bug at some stage before macOS 10.13.4, and it was completely fixed in the 10.13.4 update. If you had encrypted any APFS volumes, it was vital to know when each fix occurred.

Sarah did the right thing, and reported the bug to Apple, only to learn that she was not the first to do so. But Apple has still not revealed when the partial fix occurred, nor acknowledged that it delivered a complete fix in 10.13.4. The only way that we have obtained any information about this is through Sarah’s diligence, and users spending their time testing different versions of High Sierra. As far as I am aware, Apple has not at any time acknowledged the existence of the bug, except by informing Sarah that hers was not its first report.

Apple makes great play of taking security seriously. Unfortunately, just now, that doesn’t include keeping users informed. When you can’t even trust the release notes for a security update, what can you trust?

6Comments

Add yours

1

alvarnell on May 5, 2018 at 7:29 am

I know of at least one case where a vulnerability was given an embargo date by the finder, so details could not be published at the time the update was released and were added later. As you mentioned, the Specter & Meltdown bug details were similarly postponed.

LikeLiked by 1 person
- 2
  
  hoakley on May 5, 2018 at 7:35 am
  
  Thank you.
  Yes, there are of course good reasons for delaying the release of some details. But there is a problem then with communicating them: like many, I subscribe to Apple’s security mailing list, which sends the release notes for updates and security updates. But when those notes get updated, no message is sent to inform of the change.
  As far as I can tell, the only way to know of changes is to keep re-opening old notes via the webpage. Apple doesn’t even seem to have a page which tells you which of its release notes and other documentation has been recently updated (which it used to). Unless you know of one, perhaps?
  Do you seriously believe that there were only the two published security fixes in Security Update 2018-001 for High Sierra?
  Howard.
  
  LikeLike
  - 3
    
    alvarnell on May 5, 2018 at 9:11 am
    
    Yes, I have noticed that they haven’t been sending updates to the Apple Security Mailing List this year, but they did do that a few times toward the end of 2017. One example: https://lists.apple.com/archives/security-announce/2017/Oct/msg00007.html. I know there are some on Slack MacAdmins who seem to have a way of knowing when new/changed KB articles are posted, but I’m not sure how they do that. I use the Simon app to do things like that for a few web pages, but haven’t extended it to Security Updates yet.
    I haven’t made up my mind on 2018-001 yet. I know about half of it was to swap out most or all of what’s in /System/Library/Extensions and assume that they all had to be changed due to the same vulnerability, but it’s way beyond my abilities to interpret what all needed to be changed based on the short descriptions we got on those two vulnerabilities plus the Safari Update. I keep hoping one of the reverse engineering folks we know will come up with a better explanation.
    I’m convinced there will be a longer list associated with 10.13.5 when it’s released and it’s unusual to have an out-of-cycle Security Update for the current macOS. We don’t usually see those until development stops after a new macOS, so it must have been something critical to have it pushed out at this time.
    
    LikeLiked by 1 person
4

Michael Tsai - Blog - What Do Security Updates Actually Fix? on May 7, 2018 at 8:41 pm

[…] Howard Oakley: […]

LikeLike
5

alvarnell on May 8, 2018 at 11:41 pm

Note that the Security notes were updated with an additional Kernel patch today.

Available for: macOS High Sierra 10.13.4
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: In some circumstances, some operating systems may not
expect or properly handle an Intel architecture debug exception
after certain instructions. The issue appears to be from an
undocumented side effect of the instructions. An attacker might
utilize this exception handling to gain access to Ring 0 and access
sensitive memory or control operating system processes.
CVE-2018-8897: Andy Lutomirski, Nick Peterson
(linkedin.com/in/everdox) of Everdox Tech LLC
Entry added May 8, 2018

LikeLiked by 1 person
- 6
  
  hoakley on May 9, 2018 at 5:13 am
  
  Thank you – I have detailed this, and the probable explanation for its delay – in a separate article.
  What is even better is that Apple pushed this addition out to its security-announce mailing list.
  Howard.
  
  LikeLike

Share this:

Related