Last Week on My Mac: Informed Security

Apple rightly places user consent at the centre of its privacy protection. But mere consent isn’t sufficient: as Mojave and Catalina require, apps which seek your permission to access potentially sensitive information must give their reasons, and elsewhere explain exactly what they do with any data of yours they collect. So consent is only meaningful, indeed only valid, when it is informed.

Informed consent extends beyond privacy to the security which underpins it. Non-secure systems can’t protect your privacy, as those protections cannot be relied on. But if you can’t make a meaningful assessment of the security of a system, you can’t trust it either. Informed security isn’t just a nice option, it’s a requirement. Just as a system can’t pat you sweetly on your head and assure you that your private data are protected, so it can’t try the same trick with security.

Here there’s an obvious divergence in macOS. While I’m constantly reminded of how it protects my privacy, with all those fun dialogs, its security isn’t a presence, or informed, but a void in which there’s just the occasional reassurance that Apple has checked an app for malware and didn’t find any.

We know the names of the major security systems: Gatekeeper, XProtect, SIP, and so on. But that’s about it as far as a user is concerned. Without third-party utilities and articles, we’d never know whether our local security updates were timely, or had quietly stopped working a couple of months ago. Apple doesn’t inform us when it pushes its updates, so without the likes of SilentKnight, we can only assume everything’s working fine. Ironically, this also applies to the database used by TCC, the privacy protection system whose very initials stand for Transparency Consent and Control.

Last week Apple pushed an update to its Malware Removal Tool (MRT). As usual, it has said nothing. Even the curious user who might happen to glance at the list of installations in System Information is none the wiser: is version 1.49 the latest? Apple doesn’t tell. If your Mac showed that it was 1.45 which was installed instead, you’d be none the wiser. And many users do report that their Macs seem stuck on previous versions, something Apple doesn’t want you to discover.

Not only that, but as we now know, MRT updates only take full effect when you next start up macOS. This important information is buried away in a document for system administrators, and the only support article likely to be read by users doesn’t mention this crucial fact. Indeed, Apple’s claim that a notification is displayed whenever a security update is installed is commonly incorrect, or that notification is so momentary as to be subliminal.

We’re not informed about when these updates occur, nor of their purpose, nor do we know what changes they bring. In the past, Apple’s security tools used to refer to malware using names which, although not always the best-known, at least enabled us to know what they protected us from. Then last year Apple switched to using internal code names, so we now know that the latest MRT update enables that tool to remove MACOS.87fabeb and MACOS.07758e9. Oh boogaloo.

If you went to your physician and they said that you needed an immunisation but refused to tell you what it protected you from, would you consider that informed consent? Surely, everyone would be suspicious and refuse. Who knows, maybe Apple is just making these things up as part of some security theatre, or maybe MACOS.87fabeb and MACOS.07758e9 are so obscure that this added protection is mere illusion.

Sometimes Apple does seem to want us to know what these pushed security updates do. When it updated MRT to version 1.45 to remove the hidden and vulnerable Zoom web server, an unnamed Apple spokesperson tipped off TechCrunch, but failed to mention that update also appeared to cover a problem with the open source virtualiser QEMU. Furthermore, contrary to Apple’s advice to sysadmins, that spokesperson “said the update does not require any user interaction and is deployed automatically”.

Return for a moment to the physician and the mystery immunisation: would you trust them any more if their answer to your question was “flu and a few other things too”?

I keep trying to imagine who Apple thinks it’s protecting by this prolonged silence and refusal to inform. It’s not the malware developers, who will quickly be able to tell the effect of any changes that Apple makes to the protection in macOS. It’s not the users, who are unable to make informed decisions about whether third-party protection is worthwhile. It’s not system administrators, who are as baffled as anyone else on the receiving end.

The only party that this benefits is Apple, who continues to be wedded to the demonstrably false assumption that security by obscurity is a sound way to proceed.

8Comments

Add yours

1

alvarnell on September 15, 2019 at 9:08 am

I realize that the documentation has been saying that “malware is removed after the next restart”, but I also know that for a long time MRT has been running immediately after installation. Here are my log entries for v1.49:
Timestamp (process)[PID]
2019-09-12 16:34:21.861046-0700 localhost softwareupdated[1602]: (AssetCacheServices) [com.apple.AssetCacheServices:Framework] #2bb8f306 ACSLocateCachingServer(assetURL=http://swcdn.apple.com/content/downloads/42/05/061-12628-A_MN2LYV4NMD/cnfopfripbbcq669bz55rtj3lk96q6d90u/MRTConfigData_10_14.pkg, locateTimeout=30.000, options=(null), callbackQueue=0x0, callback=0x7000025e1758)
…
2019-09-12 16:34:22.047257-0700 localhost AssetCache[280]: [com.apple.AssetCache:builtin] #grNm69B1qnjA ECResponse[0x7fae51437190]: Received GET request by “Software Update” for /content/downloads/42/05/061-12628-A_MN2LYV4NMD/cnfopfripbbcq669bz55rtj3lk96q6d90u/MRTConfigData_10_14.pkg
…
2019-09-12 16:36:39.337289-0700 localhost MRT[47049]: (libswiftFoundation.dylib) Finished MRT run
2019-09-12 16:36:40.166133-0700 localhost MRT[53286]: (libswiftFoundation.dylib) Finished MRT run

And there was no restart at the time. Of course, no malware was found, so I can’t prove that it would have been removed, but there is clear evidence that it did run both the MRT daemon and agent.

Not sure what you are referring to regards “Apple’s claim that a notification is displayed whenever a security update is installed”. I’m not finding it in the documentation referenced, nor have I ever seen such a notification, myself, but there was a time, back when MRT was first introduced when the user was notified whenever MRT found and removed Malware (no notification if nothing found). I did see that once when I had purposely installed an inert infection, but that hasn’t been the case for a very long time.

LikeLiked by 1 person
- 2
  
  hoakley on September 15, 2019 at 9:15 am
  
  Thanks, Al.
  Yes, that’s what we found and I documented here when the MRT 1.45 update was pushed. Maybe it has changed: has Apple told us or updated its documentation for sysadmins or users?
  The reference to notifications when pushed updates are installed is in that second Apple link, where it not only says “Some critical security updates for your Mac are released as automatic updates. Your Mac checks for these updates daily, and when an automatic security update is available, it installs automatically and displays a notification” but it even shows a screenshot of such a notification.
  I can’t ever recall seeing one here, and I’m glad that I’m not alone.
  Howard.
  
  LikeLike
  - 3
    
    alvarnell on September 15, 2019 at 9:20 am
    
    No, I’ve never seen that notification dialog and I’m usually at my computer when they are installed. I have a tripwire notification that tells me every time /Library/Updates/ is modified and always try to snag the update project folder off in case I need to analyze it. Or if I’m in a hurry, I just use SilentKnight now.
    
    LikeLiked by 1 person
4

John Mac on September 15, 2019 at 2:55 pm

So glad I read this article (I get your RSS feed, art and all). Although I’m a long-time user (since 1988 maybe) and know my way around my computer (although I don’t know coding and a lot of your articles are way beyond my pay grade), I did not on know: “…. but as we now know, MRT updates only take full effect when you next start up macOS”. I do not think I’ve done a restart since SilentKnight (great app) installed MRT 1.49. Are there other parts of the security system in macOS where a restart should be done after an update? Perhaps you could include a “Restart Required” reminder within SilentKnight. Of course this won’t help the everyday user … like me!

LikeLiked by 1 person
- 5
  
  hoakley on September 15, 2019 at 3:03 pm
  
  Thanks.
  Well, as Al’s comments above indicate, this isn’t so simple. Although Apple’s current sysadmin docs say that a restart is required after updating MRT, and MRT alone, our experience is that this probably isn’t the case any longer, as recent updates to MRT have run that app in both its modes immediately after the update has been installed.
  So at present it looks like you don’t need to restart, even though that is Apple’s current advice.
  It would be really helpful if Apple was to clarify this, rather than pretending it’s too secret for users to know.
  Howard.
  
  LikeLike
6

Michael Tsai - Blog - MRT Updates: Informed Security on September 16, 2019 at 8:53 pm

[…] Howard Oakley: […]

LikeLike
7

Valdo on September 22, 2019 at 11:33 am

Hello Howard
where from is SilentKnight taking infos on existing updates.
It is directly from Apple or from you?

Thank you

Valdo

LikeLiked by 1 person
- 8
  
  hoakley on September 22, 2019 at 11:36 am
  
  Apple provides no information on security updates like Gatekeeper, XProtect, or MRT – it doesn’t even announce when they occur. The version numbers are taken by SilentKnight from a database which I maintain on my GitHub.
  Howard.
  
  LikeLike

Share this:

Related