Last Week on My Mac: Does anyone here know about MRT?

This has been a week of firsts for Mac users: it’s been the first time that I can recall Apple officially ‘leaking’ information about one of its ‘silent’ security updates, the first time that many users have wanted to run its malware removal tool MRT, and the first time that Apple has pushed out software intended to delete (instead of merely disabling) what was perfectly legitimate third-party software rather than malware.

These all centre on the vulnerabilities which came to light in Zoom conferencing software, issues which are going to continue to have impacts for some time to come. Important though those are, and will continue to be, they can easily distract from those affecting everyone who uses a reasonably recent version of macOS or OS X: what Apple refers to opaquely as “system data files and security updates”.

One of the biggest problems posed by the old Zoom software was that it installed, in a hidden folder, a web server which was left behind, still active, when you uninstalled its app. This web server was capable of reinstalling the Zoom client, and has since been found to have a vulnerability of its own. Whatever Zoom did about the other issues in its client software, it was vital that every copy of this web server was removed, particularly on Macs whose users may have forgotten that they had ever installed Zoom’s client. This wasn’t something that Zoom was able to handle alone: they needed Apple, just as Apple needed to remove Zoom’s web server before it could be exploited.

The solution lay in gently repurposing Apple’s MRT to detect and destroy Zoom’s web server in its hidden folder. The delivery vehicle had therefore to be an urgent ‘silent’ security update containing the new version of MRT, which Apple had ready to push out on 10 July.

Then everything got rather strange. Instead of Apple breaking its self-imposed silence on security updates and explaining this directly to users, it passed the message on to Zack Whittaker at TechCrunch, then re-tweeted TechCrunch’s tweet linking to that news story. Not only that, but the story was coy over detail: it didn’t mention MRT, merely that the “silent update” had been released, and that all users would receive it automatically. Neither did it explain that users needed to do anything other than wait for the update to be installed.

Reading between those lines, it was obviously worth checking for security updates. As I had recently released the second beta of my new utility EFIcienC, I ran that within seconds of seeing the tweet. Sure enough, there was an MRT update available, which my app was only too happy to download and install.

I already knew that my Mac didn’t have Zoom’s web server installed or active, so didn’t worry too much about when that MRT update would take effect. But when users started asking that question, and news came back that the new feature in MRT would require a Mac to be restarted, it all got more puzzling. As Apple doesn’t provide ordinary users with information about these ‘silent updates’, there was nowhere to look this up, and Apple hadn’t leaked further instructions to TechCrunch about this either.

Later, I was pointed at Apple’s 2018 “Overview for IT” on macOS Security, where it states that “Apple also issues updates to macOS to remove malware from any impacted systems that are configured to receive automatic security updates. Once the malware removal tool receives updated information, malware is removed after the next restart. The malware removal tool doesn’t automatically reboot the Mac.”

Unfortunately, that information isn’t included in the Apple support article which explains how these ‘silent’ security updates work. But that article hasn’t been updated for over two years.

With some advanced users and system administrators advising that you should run MRT manually in its agent mode after an update, and others like Al Varnell saying that shouldn’t be necessary, I realised that Apple’s almost total silence over these critical updates meant that we didn’t even know how to use tools such as MRT. We were proceeding by rumour, which is definitely not wise when security is at stake.

I decided that communing with my unified log was the only way to resolve this, and, as I showed yesterday, quickly discovered exactly what had happened in the case of my own MRT update. No sooner had I written that article up than I started seeing users reporting that installing the MRT update hadn’t resulted in MRT being run on their Macs, and their hidden Zoom web servers had been left untouched.
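The two questions left hanging above, whether Zoom’s leftover web server is still on a Mac and whether MRT has actually run since the update, can both be answered from the shell. The script below is an added example, not code from the article or from Apple or Zoom. It assumes, from the July 2019 public reports rather than from this post, that Zoom’s hidden folder is ~/.zoomus containing ZoomOpener.app, that its local server listened on TCP port 19421, that MRT lives at /System/Library/CoreServices/MRT.app, that its “agent mode” is invoked as MRT -a, and that its unified-log entries carry the process name MRT. The checks only run on macOS; on other systems the functions are merely defined.

```shell
#!/bin/sh
# Added example (not from the original article): check for Zoom's leftover
# local web server and for evidence that MRT has actually run.
# Assumptions (labelled; from public July 2019 reports, not from this post):
#   - Zoom's hidden folder is ~/.zoomus, holding ZoomOpener.app, which
#     listened on localhost TCP port 19421.
#   - MRT lives at /System/Library/CoreServices/MRT.app; agent mode is "MRT -a";
#     its unified-log entries have process name "MRT".

MRT_APP=/System/Library/CoreServices/MRT.app
ZOOM_PORT=19421

# zoom_opener_present <home-dir>: 0 if the hidden Zoom folder still exists.
zoom_opener_present() {
    [ -d "$1/.zoomus" ]
}

# zoom_opener_app_present <home-dir>: 0 if the web server's app bundle itself
# survives inside that folder (a removed folder means a removed server).
zoom_opener_app_present() {
    [ -d "$1/.zoomus/ZoomOpener.app" ]
}

# mrt_version: print the installed MRT bundle version string, or "unknown"
# (the version is the only visible sign that a 'silent' update has landed).
mrt_version() {
    defaults read "$MRT_APP/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null \
        || echo unknown
}

# mrt_runs_last_day: MRT's unified-log entries for the last 24 hours, so you can
# see whether it ran after the update instead of assuming it did.
mrt_runs_last_day() {
    log show --last 1d --info --predicate 'process == "MRT"'
}

# zoom_port_listener: 0 if some process is still bound to Zoom's local port.
zoom_port_listener() {
    lsof -nP -iTCP:"$ZOOM_PORT" -sTCP:LISTEN >/dev/null 2>&1
}

main() {
    if zoom_opener_present "$HOME"; then
        echo "WARNING: $HOME/.zoomus still exists"
        zoom_opener_app_present "$HOME" && echo "WARNING: ZoomOpener.app still installed"
    else
        echo "OK: no ~/.zoomus folder"
    fi
    if zoom_port_listener; then
        echo "WARNING: a process is listening on localhost:$ZOOM_PORT"
    else
        echo "OK: nothing listening on localhost:$ZOOM_PORT"
    fi
    echo "MRT version: $(mrt_version)"
    echo "MRT activity in the last 24h:"
    mrt_runs_last_day
    # To force a scan now rather than wait for a restart (what some admins
    # advised; the post notes others considered it unnecessary):
    #   sudo "$MRT_APP/Contents/MacOS/MRT" -a
}

# The checks only make sense on macOS; elsewhere just define the functions.
case "$(uname -s)" in
    Darwin) main ;;
esac
```

Run it as an ordinary user after a ‘silent’ update: an empty log listing for MRT means the tool has not yet run, regardless of what version is installed, which is the distinction the update notes never draw. The lsof check catches the case where the folder has gone but a previously launched ZoomOpener process is still alive until the next restart.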

In pushing this MRT update to fix such a gaping vulnerability, Apple acted in our (and its) best interests. Although a drastic response setting a precedent which will be controversial for some, it was above all the most effective practical solution. But it also underlines one of Apple’s biggest failings: its complete inability to communicate effectively with its users. Even now, days after the update, we’re left wondering what we should have done, and what we should do next time Apple pushes a critical MRT update.

Why does Apple turn Mac security, indeed so much of macOS, into a maze of riddles?

Postscript:

Thanks to @textdot1 for reminding me of Apple’s article on these updates in Mojave. That sort of explains a bit more: “Security-configuration updates, which help make your Mac more secure by identifying malicious software and preventing its installation. When you restart your Mac, these updates also remove any malicious software that is identified but already installed.” The implication here is that it is MRT which only runs after restarting, although Apple doesn’t name it here, nor does that explain the observation made by some Mac users that MRT is run after an update and before any restart which the user might choose.