How can security data get so out of date?

It’s almost three years since I released my first version of LockRattler, and since then it and the more recent SilentKnight have helped us all keep on top of updates to macOS security data files. One issue which you raise time and again is that, when you run either utility, you discover that the security protection on your Mac is woefully out of date.

Just recently, this seems to have happened on several Macs which are still running El Capitan (OS X 10.11.6), so a couple of days ago I asked for your feedback to discover whether this is a global problem, and perhaps Apple had stopped pushing silent security updates to El Capitan systems. I’m delighted to report that isn’t the case: Apple continues to push those updates, and most El Capitan systems install them successfully. Not only that, but Apple provides those updates to administrators who use its Software Update Service (SUS).

In spite of that, there are some seriously out-of-date El Capitan systems around. Several are stuck with XProtect version 2103 (should be 2106), and MRT as early as 1.41 (currently 1.50), which puts them at a serious disadvantage. The record for the most out-of-date goes to the following:

  • XProtect 1.0 (currently 2106),
  • Gatekeeper 48 (181),
  • MRT 1.0 (1.50).

Yet when that system ran softwareupdate to list available updates, none was offered.

As there’s no way to download one of these updates unless Apple’s servers report them as being available, that system appears to be stuck on those forever – and seriously vulnerable as a result. This must be a bug, and a very serious one at that, as it leaves systems vulnerable when they badly need updates. So, in El Capitan at least, there is a serious bug in the software update system which allows Macs to remain out of date and vulnerable.

How not to keep up to date

Macs which are most prone to falling behind with these security updates are those which are used little, and only rarely connected to the Internet. If you use your El Capitan system daily, then you are most likely to have security protection which is as up-to-date as that in Mojave or Catalina, although the older security tools aren’t as capable, of course.

It’s a statement of the obvious that online updates like these only occur when your Mac is online. There’s also the paradox that the time you need the updates most is when they’re most out of date, and that’s the time when maybe that Mac shouldn’t be online, at least not until it has been brought up to date.

The Mac which is most likely to have fallen behind, and to have these problems getting up to date, is the Fallback Mac: maybe your last Mac, which you keep tucked away in case your current working system has to go off for repair, or is otherwise unavailable, and you need to carry on working. It might also run old and now incompatible versions of key apps, retaining your access to them. With the requirement for 64-bit software in Catalina, we can expect users in the future to have to keep more old systems for that purpose.

What makes this worse is that it appears that the more out of date your system becomes, the less likely it is to get updates again. I don’t have any hard evidence for this, but a system which is only just – a version or two – out of date seems able to get the updates it needs, but once your Mac is several months out of date, the servers seem to lose interest in pushing anything more to it. You then run softwareupdate, either at the command line or through LockRattler or SilentKnight, and it just draws a blank.

The other observation worth considering is that there is often a delay between logging into a Mac and the appearance of available updates. Leave your Mac on for less than ten minutes, and it’s likely to miss updates and steadily fall behind. Give it an hour or more, and the updates may magically appear.

Managing the Fallback Mac

When you decide to put a Mac into reserve, you can choose either to freeze it as it is, or to keep it as current as possible. When you freeze it, that means no more significant updates, and never connecting it to the Internet. Security updates then become irrelevant, as it’s going to be protected by an air gap, and never exposed to any risk.

For most users, that isn’t going to be a useful fallback, as it can’t do many of the tasks that your working Mac does. To fill that gap, you need a Mac which is running a fully patched and protected version of macOS, and that requires full security updates.

This problem is rather like someone who is totally reliant on having a functional car, so they have a second vehicle. When engines were started with cranks and the most sophisticated electrics they had were their lights, you could keep a reserve car like that for months with minimal attention. Now they’ve all got elaborate anti-theft systems, in-car electronics, and more; leave your car unattended for a couple of weeks and systems start to get worrisome. To function well, the modern car needs to be driven regularly and fairly frequently.

So with your fallback Mac, you need to power it up every few weeks, if not more often. Each time it’s used, give it at least an hour with an Internet connection, then towards the end of that period run SilentKnight or LockRattler to check for updates, and open the Software Update pane too. Sometimes it takes as much as that to ensure that a silent update gets pushed, detected, and successfully installed.

Before you make any Mac your fallback, it’s worth taking a little time to prepare it too. A clean re-install of macOS and being brought fully up to date with security updates is a good start, if you can. You should also ensure that you have enabled your Mac to Automatically check for updates, and to Install system data files and security updates. If you don’t, then it can’t check for or install these updates.
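As an added example (not from this post, and not code from LockRattler or SilentKnight), the checks described above can be run from the command line on the fallback Mac itself: read the installed XProtect, Gatekeeper and MRT versions, compare them with the current versions quoted earlier, confirm the two Software Update settings are enabled, and list what softwareupdate offers. The plist paths and preference keys are assumptions about the El Capitan layout; verify them on your own system before relying on the result.

```shell
#!/bin/sh
# Added example (not from the post or its utilities): audit a fallback Mac's
# silent security data and Software Update settings from the command line.
XPROTECT_CURRENT=2106      # versions the post quotes as current; adjust as they move
GATEKEEPER_CURRENT=181
MRT_CURRENT=1.50
# version_ge A B: succeed if dotted version A is at least B (1.50 >= 1.41).
# Compared field by field, as macOS sort has no -V option.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    [ "$ah" = "$a" ] && a= || a=${a#*.}
    [ "$bh" = "$b" ] && b= || b=${b#*.}
    [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
    [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
  done
  return 0
}

# check_component NAME INSTALLED CURRENT: print a status line; fail if behind.
check_component() {
  if version_ge "$2" "$3"; then echo "OK     $1 $2 (current $3)"; return 0; fi
  echo "STALE  $1 $2 (current $3)"; return 1
}

# Read one key from a plist; the paths below are assumed El Capitan locations.
plist_value() { defaults read "$1" "$2" 2>/dev/null || echo 0; }

audit() {
  behind=0
  check_component XProtect \
    "$(plist_value /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist Version)" \
    "$XPROTECT_CURRENT" || behind=1
  check_component Gatekeeper \
    "$(plist_value /private/var/db/gkopaque.bundle/Contents/Info.plist CFBundleShortVersionString)" \
    "$GATEKEEPER_CURRENT" || behind=1
  check_component MRT \
    "$(plist_value /System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString)" \
    "$MRT_CURRENT" || behind=1
  # With these settings off, the Mac can neither check for nor install the silent updates.
  for key in AutomaticCheckEnabled ConfigDataInstall CriticalUpdateInstall; do
    v=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate "$key" 2>/dev/null)
    [ "$v" = 1 ] && echo "OK     $key" || echo "CHECK  $key is off"
  done
  softwareupdate -l    # what Apple's servers currently offer this Mac, if anything
  return $behind
}

if [ "$(uname)" = Darwin ]; then audit; fi
```

A non-zero exit from audit means at least one component is behind, which is the cue to leave the Mac online for the hour the post recommends and then re-run the check.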

If you’re concerned and want to track your Mac’s status for silent security updates, look at SilentKnight, which does this with the minimum of fuss and intervention on your part, and LockRattler, which is a bit more extensive in its coverage and more manual.

Thanks to all those who kindly provided information about their El Capitan systems, who made this possible, and to Al, who kindly checked the SUS and reminded me to remind you to check that your Software Update settings allow updating.