hoakley October 28, 2019 Macs, Technology

Has Apple stopped pushing security updates to El Capitan?

Both my utilities for checking and installing Apple’s silent and pushed security updates, LockRattler and SilentKnight, run on El Capitan and later versions of macOS, but I seldom hear from users running older versions. Recently, a couple of those still using El Capitan have remarked that SilentKnight appears to return erroneous information. I’m trying to discover why.

SilentKnight – which automates the same checks in LockRattler and compares results against my database of current versions – does a relatively simple job. When you open the app, it checks currently installed versions of known security data files. It fetches a Property List from my GitHub site, which lists the expected versions, and compares the results it obtained with those it should expect. It does a rather more complex job with EFI firmware versions which I’ll gloss over here.

Its last step is to check with Apple’s servers for any available “system data files and security updates”, as Apple terms them in the Advanced sheet of the Software Update pane. If the servers offer updates, you can then download and install them.

One SilentKnight user, for example, has Macs running Mojave and Catalina, and a lovely old Mac mini which is stuck on El Capitan and can’t go any further. It’s that latter system which worries me: it appears to have stopped being pushed security updates back in May 2019, and is now well out of date. Here’s a screenshot:

silentknight1011

As you can see, the XProtect, Gatekeeper and MRT versions are frozen as they were back in May 2019. The last installed updates to them were on 12 May 2019, but SilentKnight isn’t able to get Apple’s servers to offer anything more recent than those. SilentKnight is connecting correctly with those update servers, though – if you block its outgoing connection or it fails, it should return an error, sometimes after waiting for a very long timeout first.

I also hear occasionally from other SilentKnight and LockRattler users that they’re stuck on out of date versions of some of these important protections. This can occur, for instance, when an older Mac is upgraded to an unsupported version of macOS, such as High Sierra or Mojave. Again, their updates cease, and no more are offered by Apple’s servers.

At present, I’ve only heard of a handful of cases, but sufficient to make me wonder whether Apple has discontinued support for some or all of these older systems. I can’t see any article or other information from Apple which informs users (or developers) of this practice. But if this is what is happening, users need to be aware that, for example, they no longer enjoy current protection, particularly in Gatekeeper, which could leave their Macs vulnerable.

If you’re running either SilentKnight or LockRattler on such an older system, or on a version of macOS which isn’t supported on that model, please let us know whether you’re still receiving security updates. There are many of us who’d like to know.

Thank you.

If you’d like to download either of these free tools, they’re available from their Product Page and have extensive built-in Help.

Thanks to David for raising this, for providing the screenshot above, and for allowing me to use it.

21Comments

Add yours

1

alvarnell on October 28, 2019 at 8:45 am

All three updates are listed in the current El Capitan Software Update Catalog, so they should be getting them. Sierra is the oldest OS I’m running now, so can’t verify one way or another.

LikeLiked by 1 person
- 2
  
  hoakley on October 28, 2019 at 8:47 am
  
  Thank you, Al. It’s worrying that some Macs can’t seem to get them then.
  Howard
  
  LikeLike
3

Paul on October 28, 2019 at 12:06 pm

I have an 8 Core Xeon BTO Mac Pro 3,1 tower at home running El Capitan for legacy software – I will have a look when I can and take a screen grab. UK specification (on Guernsey).

LikeLiked by 1 person
- 4
  
  hoakley on October 28, 2019 at 12:24 pm
  
  Thank you so much.
  There’s no rush, but so far I haven’t seen a single El Capitan system which is up to date with these crucial data files, although each reports that there are no updates available.
  That’s worrying for anyone who uses El Capitan on a Mac which still goes online. And of course, in order to get security updates, you have to go online.
  Howard.
  
  LikeLike
5

Brad on October 28, 2019 at 8:38 pm

This mid 2009 MacBook5,2 running 10.11.6 is still receiving updates, all current

LikeLiked by 1 person
- 6
  
  hoakley on October 28, 2019 at 8:41 pm
  
  Thank you – that’s very kind and helpful. That’s the first Mac running El Capitan which I have heard of which is fully up to date.
  Howard.
  
  LikeLike
7

Brad on October 28, 2019 at 9:08 pm

Strange, I have no idea as to why any of the other machines should be any different to this one, like Al said “they should be getting them” hopefully, they can sort out why there machines have stopped updating.

LikeLiked by 1 person
- 8
  
  hoakley on October 28, 2019 at 11:48 pm
  
  In my experience with such problems, a few users identify a problem they can fix. Most though are left with a Mac which just won’t – no matter what they do – update properly.
  I don’t know if it’s Apple’s servers, or softwareupdate.
  Howard.
  
  LikeLike
9

John on October 29, 2019 at 3:20 am

Thanks for the heads-up. Ran SilentKnight on an older MacBook Pro (mid 2009) and Mac Pro (early 2008) both running El Capitan and the only warning I received was ⚠️Old EFI Firmware. Everything else was ✅OK.

LikeLiked by 1 person
10

Brad on October 29, 2019 at 6:22 am

Howard
My apologies to everyone, somewhere I must have had a Seniors moment and missed this or it didn’t sink in “SilentKnight appears to return erroneous information. I’m trying to discover why.”
To try and rectify my blue I did a Time Machine restore back to August and downloaded and ran Silent Knight and it appears that yes there is a problem as after several attempts, to update it wasn’t happening.
As I’ve been using Lock Rattler and familiar with the documentation that you supplied I ran the command
sudo softwareupdate –background-critical

in a Terminal and shortly thereafter maybe 10 mins it had updated.

If someone else who has been stuck in the past can double check this by doing the same and report back perhaps, I imagine that this will prove that apple is still pushing out the updates.
This doesn’t mean that it fixed I guess.
In the meantime Lock Rattler appears to be working fine,

Hope this is a bit more helpful and whether it can be fixed or not we will have to wait & see

Thanks Brad

LikeLiked by 1 person
- 11
  
  Brad on October 29, 2019 at 7:33 am
  
  that should have been
  sudo softwareupdate –background-critical
  but judging by previous post by John, Silent Knight is fine so pass
  
  LikeLiked by 1 person
12

Paul on October 29, 2019 at 8:48 am

Seems OK on my 2008 3,1 MacPro 8 Core Xeon running El Capitan. Firmware wont go any higher on this Mac I don’t believe. Filevault is off as not required (domestic, for video, no sensitive files). https://bit.ly/2qQSyON – update was iTunes which I completed.

LikeLiked by 1 person
- 13
  
  hoakley on October 29, 2019 at 9:25 am
  
  Thank you – and many thanks to all those who have posted their results.
  I hope to have a conclusion tomorrow morning.
  Howard.
  
  LikeLike
14

Jon B on October 29, 2019 at 12:41 pm

I had the same problem on macOS El Capitan 10.11.6 (Build 15G22010) in a VM but fixed it by using the App Store to install a “recommended” update.

SilentKnight 1.4 reported XProtect 2103 installed 2019-05-07, Gatekeeper 166 installed 2019-05-13, and MRT 1.41 installed 2019-05-07.

There was one update available in the App Store: “Command Line Tools (macOS El Capitan version 10.11) for Xcode 8-2” version 8.2.

After installing that update via the App Store, SilentKnight reports all is now up-to-date and shows XProtect, Gatekeeper, and MRT updated at about the same time as the “Command Line Tools” update.

If SilentKnight is returning erroneous info, perhaps it is because of a bug fixed in or other change made to the command line tools. But it seems more likely that SilentKnight is returning correct info, and that the uninstalled update is blocking the update of XProtect, Gatekeeper, and MRT. Once the update is installed, the others are updated. Or perhaps the “Command Line Tools” update also updates them directly.

I’m not sure I want to keep using the updated VM, since I would have to recertify the tool chain and this VM has little exposure to the Internet. (The VM is used for creating production software.) Is there a way to get the XProtect, Gatekeeper, and MRT updates without updating the Command Line Tools?

As an aside, I could not get not get “sudo softwareupdate –background-critical” to work, even with two hyphens before the word “background”, either before or after the update. The command just displays a mini-man page. The full man page for softwareupdate doesn’t list that command, either.

LikeLiked by 1 person
- 15
  
  hoakley on October 29, 2019 at 1:29 pm
  
  Thank you.
  I don’t see a shred of evidence that either SilentKnight or LockRattler return erroneous info, except in the known update issue as described below, which doesn’t account for the reports of wildly out of date systems.
  Howard.
  
  LikeLike
16

Jon B on October 29, 2019 at 1:19 pm

Correcting my previous comment:

Installing the “Command Line Tools” update from the App Store *did not* trigger updates to XProtect, Gatekeeper, and MRT. They were each updated by macOS automatically a few minutes after booting up the VM. (In my earlier test, I did the update from the App Store shortly after booting up, so what I reported was just a coincidence.)

SilentKnight reported that XProtect (only) was updated by macOS a few minutes after booting up, at about the same time I saw the “Updates Available” notice in the Notification Center. However, it did not show that Gatekeeper or MRT were updated. Clicking the “Check” button in SilentKnight a few minutes later showed contradictory results: red Xs saying “Gatekeeper 166 should be 181” and “MRT 1.41 should be 1.50” but the “Latest updates installed” section shows that both had been updated to the new versions. (I have a screenshot of that but don’t know how to attach it.)

Quitting SilentKnight resulted in a display showing everything was up-to-date.

So maybe there is a bug in SilentKnight that caused the contradictory result, and/or a bug/feature having to do with the “Check” button not being the same as quitting/restarting SilentKnight.

LikeLiked by 1 person
- 17
  
  hoakley on October 29, 2019 at 1:27 pm
  
  Thank you.
  This is documented in the Help files of both SilentKnight and LockRattler, and is a bug in macOS.
  The way that both get the installed versions of these data bundles is to obtain the version numbers of the bundles (I know, it’s dull!). Even though the bundles are updated, the version number which is returned by macOS remains the same, unless you quit the app and open it again.
  This has driven me to distraction, as it’s plainly wrong. But somewhere macOS is caching those versions, and simply won’t check the version numbers properly after the update, unless the app is closed and re-opened.
  If you have a better suggestion as to how to fix this, I’d be delighted to hear it, please.
  Howard.
  
  LikeLike
18

Jon B on October 29, 2019 at 2:12 pm

I apologize; I didn’t RTFM before I posted about the problem.

I’ve had similar problems macOS caching info that my app uses. If there’s a way for you to access the bundle info differently, that might avoid the caching problem. For example, if you’re using NSBundle’s infoDictionary or objectForInfoDictionaryKey: methods to get the version info, try creating a path to Info.plist (by appending “/Contents/Info.plist” to the bundle’s path, presumably), converting thet path to a URL, using NSDictionary’s dictionaryWithContentsOfURL:error: method), and extracting the version from there. Similar things have worked for me, although not in this exact situation. Of course, you may have tried this already.

LikeLiked by 1 person
19

Miles Wolbe on October 29, 2019 at 11:42 pm

At present, I’ve only heard of a handful of cases, but sufficient to make me wonder whether Apple has discontinued support for some or all of these older systems. I can’t see any article or other information from Apple which informs users (or developers) of this practice.

Hasn’t it been Apple’s unofficial policy since at least Lion to support each OS X / macOS version for 3 years from release with security updates?

Which Releases of macOS Are Supported With Security Updates? – “For quite a few years, Apple has consistently updated the last three versions of macOS—in other words, the current release of macOS and the last two releases—with security updates.”

The end is near for OS X Mountain Lion support – “Apple supports editions ‘n’, ‘n-1’ and ‘n-2,’ where ‘n’ is the current. That means when El Capitan, aka OS X 10.11, launches, likely in October, it will push Mountain Lion down into the ‘n-3’ slot, and thus to retirement.”

Running a Nessus scan against an El Capitan install returns: “Mac OS X 10.11.0 (intel) support ended. Upgrade to Mac OS X 10.14 / 10.13 / 10.12.”

LikeLiked by 1 person
- 20
  
  hoakley on October 29, 2019 at 11:49 pm
  
  Sorry, I think that we are at cross purposes here. I’m not referring to system Security Updates, such as fixes for vulnerabilities, etc., but updates to security data files such as Gatekeeper, XProtect, and MRT.
  And it turns out that Apple there does still support El Capitan and Sierra. And so it should.
  Howard.
  
  LikeLiked by 1 person
  - 21
    
    mwolbe on October 30, 2019 at 12:26 am
    
    Thanks, Howard! I suppose without any policy (other than perhaps the seemingly standard but undeclared 3 years), it’s a miracle they’ve provided any support, including Gatekeeper updates, to OS versions after 3 years. Given the number of serious security vulnerabilities that never get patched in older versions, it would be a mistake to assume that Gatekeeper, XProtect, or MRT, even if updated, would provide adequate protection in any case, don’t you think?
    
    LikeLiked by 1 person