hoakley October 30, 2019 Macs, Technology

How can security data get so out of date?

It’s almost three years since I released my first version of LockRattler, and since then it and the more recent SilentKnight have helped us all keep on top of updates to macOS security data files. One issue which you raise time and again is that, when you run either utility, you discover that the security protection on your Mac is woefully out of date.

Just recently, this seems to have happened on several Macs which are still running El Capitan (OS X 10.11.6), so a couple of days ago I asked for your feedback to discover whether this is a global problem, and perhaps Apple had stopped pushing silent security updates to El Capitan systems. I’m delighted to report that isn’t the case: Apple continues to push those updates, and most El Capitan systems install them successfully. Not only that, but Apple provides those updates to admnistrators who use its Software Update Service (SUS).

In spite of that, there are some seriously out-of-date El Capitan systems around. Several are stuck with XProtect version 2103 (should be 2106), and MRT as early as 1.41 (currently 1.50), which puts them at a serious disadvantage. The record for the most out-of-date goes to the following:

XProtect 1.0 (currently 2106),
Gatekeeper 48 (181),
MRT 1.0 (1.50).

Yet when that system ran softwareupdate to list available updates, none was offered.

As there’s no way to download one of these updates unless Apple’s servers report them as being available, that system appears to be stuck on those forever – and seriously vulnerable as a result. This must be a bug, and a very serious one at that, as it leaves systems vulnerable when they badly need updates. So, in El Capitan at least, there is a serious bug in the software update system which allows Macs to remain out of date and vulnerable.

How not to keep up to date

Macs which are most prone to falling behind with these security updates are those which are used little, and only rarely connected to the Internet. If you use your El Capitan system daily, then you are most likely to have security protection which is as up-to-date as that in Mojave or Catalina, although the older security tools aren’t as capable, of course.

It’s a statement of the obvious that online updates like these only occur when your Mac is online. There’s also the paradox that the time you need the updates most is when they’re most out of date, and that’s the time when maybe that Mac shouldn’t be online, at least not until it has been brought up to date.

The Mac which is likely to have fallen behind and have these problems getting up to date is the Fallback Mac, maybe your last Mac which you keep tucked away in case your current working system has to go off for repair, or is otherwise unavailable, and you need to carry on working. It might also run old and now incompatible versions of key apps, retaining your access to them. With the requirement for 64-bit software in Catalina, we can expect users in the future to have to keep more old systems for that purpose.

What makes this worse is that it appears that the more out of date your system becomes, the less likely it is to get updates again. I don’t have any hard evidence for this, but a system which is only just – a version or two – out of date seems able to get the updates it needs, but once your Mac is several months out of date, the servers seem to lose interest in pushing anything more to it. You then run softwareupdate, either at the command line or through LockRattler or SilentKnight, and it just draws a blank.

The other observation worth considering is that there is often delay between logging into a Mac and the appearance of available updates. Leave your Mac on for less than ten minutes, and it’s likely to miss updates and steadily fall behind. Give it an hour or more, and the updates may magically appear.

Managing the Fallback Mac

When you decide to put a Mac into reserve, you can choose either to freeze it as it is, or to keep it as current as possible. When you freeze it, that means no more significant updates, and never connecting it to the Internet. Security updates then become irrelevant, as it’s going to be protected by an air gap, and never exposed to any risk.

For most users, that isn’t going to be a useful fallback, as it can’t do many of the tasks that your working Mac does. To fill that gap, you need a Mac which is running a fully patched and protected version of macOS, and that requires full security updates.

This problem is rather like someone who is totally reliant on having a functional car, so they have a second vehicle. When engines were started with cranks and the most sophisticated electrics they had were their lights, you could keep a reserve car like that for months with minimal attention. Now they’ve all got elaborate anti-theft systems, in-car electronics, and more, leave your car unattended for a couple of weeks and systems start to get worrysome. To function well, the modern car needs to be driven regularly and fairly frequently.

So with your fallback Mac, you need to power it up every few weeks, if not more often. Each time it’s used, give it at least an hour with an Internet connection, then towards the end of that period run SilentKnight or LockRattler to check for updates, and open the Software Update pane too. Sometimes it takes as much as that to ensure that a silent update gets pushed, detected, and successfully installed.

Before you make any Mac your fallback, it’s worth taking a little time to prepare it too. A clean re-install of macOS and being brought fully up to date with security updates is a good start, if you can. You should also ensure that you have enabled your Mac to Automatically check for updates, and to Install system data files and security updates. If you don’t, then it can’t check for or install these updates.

If you’re concerned and want to track your Mac’s status for silent security updates, look at SilentKnight, which does this with the minimum of fuss and intervention on your part, and LockRattler, which is a bit more extensive in its coverage and more manual.

Thanks to all those who kindly provided information about their El Capitan systems, who made this possible, and to Al who kindly checked the SUS and reminded me to remind that Software Update settings allow updating.

16Comments

Add yours

1

alvarnell on October 30, 2019 at 8:37 am

One other possibility is that those out-of-date users have somehow disabled background updates. They must enable both Automatically check for updates and Install system data files and security updates.

And since those updates will only be automatically checked for and installed at a random time after booting, it could be as long as 24-hours before that occurs.

LikeLiked by 1 person
- 2
  
  hoakley on October 30, 2019 at 10:04 am
  
  Thank you, Al, for reminding me – duly amended and credited.
  Howard
  
  LikeLike
3

Robert on October 30, 2019 at 1:36 pm

Good point, Al. Even so (and it may have been covered in an earlier article here), you can invoke critical updates via Terminal in El Capitan and beyond using the command:

sudo softwareupdate –background-critical

It may take a few minutes — or even an hour or so — to update, but this has been successful for me updating a couple older MacBook Pros relegated to El Capitan for the balance of their (backup) service life.

Both these computers are current with security update files according to SIlentKnight, btw.
Bob

LikeLiked by 1 person
- 4
  
  hoakley on October 30, 2019 at 6:32 pm
  
  Both SilentKnight and LockRattler provide you with simple, Terminal-free means of obtaining and installing all pending updates.
  El Capitan does have a bug, in that trying to run this background check manually doesn’t work sometimes when automatic checks are turned off – so that background check isn’t available when running LockRattler in El Capitan. However, the
  sudo softwareupdate -ia
  does seem to work reliably, and much more quickly than background updates. That is available in LockRattler and SilentKnight.
  Howard.
  
  LikeLike
5

ploppy on October 30, 2019 at 3:58 pm

I should say first of all that I’m running High Sierra 10.13.6 on an offically unsupported MBP late 2008, using the method described on macrumours. I noticed a while ago that my “silent” updates weren’t happening, so I now always use LockRattler to get those updates once you’ve announced them. Strangely, this time, as well as an XProtect update, it listed an update CompatibilityNotificationData_10_13-1.0.5. This appears to be a new file because I couldn’t find an existing version where you stated it would be (in a previous article). My understanding is that this is a Mojave security file (in preparation for Catalina?). Any idea why it’s listed as an update for me running High Sierra?

LikeLiked by 1 person
- 6
  
  hoakley on October 30, 2019 at 4:06 pm
  
  That update looks good, and it’s name specifies it for 10.3. However, I don’t have a system here running High Sierra, so I can’t confirm that it’s expected. It isn’t a true security file anyway. I’d install it.
  Howard
  
  LikeLike
7

Myob on May 7, 2020 at 11:52 pm

Firstly, thank you for everything, Howard.

I’ve only been on OSX/macOS for about 5 years. I’ve searched for an exact definition of what Software Update calls “Install system data files and security updates”. I’ve found plenty of material from which an inference can be drawn, including from your LockRattler tool, its manual and your website in general.

I’ve not found anything by Apple itself. It seemingly has an expectation that users will use Auto Update. I can understand the reasoning, however the options do exist in the Software Update tool UI. I’d think specific definitions of those options should be readily available in documentation.

Maybe it’s a case of my searching ability being faulty.

If the documentation exists, do you (or anyone) know where it is?

[I’m on 10.14.6]

LikeLiked by 1 person
- 8
  
  hoakley on May 8, 2020 at 2:55 pm
  
  Thank you.
  Apple simply states what the options do. There’s a little more in its platform security documentation about the tools, but not enough to explain much of use.
  Howard.
  
  LikeLike
  - 9
    
    Myob on May 8, 2020 at 4:26 pm
    
    Apple has some wonderful documentation but there’s room for improvement. I’m not whinging, overall my experience has been positive. I’ve mostly been able to fill in the blanks by searching the ‘Net. There are many people who generously post their knowledge. I wish I could thank them all but can’t, of course, but I can/do follow their example by paying it forward in small ways.
    
    Thank you again for the continual education about tech and art I receive from you and your guest posters. You’ve created a beautiful thing here. *hat tip* [I don’t have a WP acct., so that’s my “Like”.]
    
    LikeLiked by 1 person
  - 10
    
    Myob on May 9, 2020 at 2:07 pm
    
    Hi, Howard.
    
    Don’t know if this is useful to you and others or not but I found an Apple Support article titled “About background updates in macOS”:
    
    It’s published-on date is Jan 28 2020. It does list (appears to be exhaustive) both the “Security-configuration updates” and the “System data files”. I don’t think this was available in the past in such a presentable way. I was motivated to find the info over the past few years because I want to set a manual, non-auto update routine using Terminal app.
    
    Best….
    
    LikeLiked by 1 person
    - 11
      
      hoakley on May 9, 2020 at 2:43 pm
      
      Thank you. That’s actually the latest version of an old support note, and is now here.
      I don’t find that particularly helpful, myself, I’m afraid. It doesn’t tell you the names of the files which are updated, and mixes those which are updated directly, such as the firmware AllowList, with those which are pushed separately. There’s also no information on current versions which the user should expect, nor how to check that your Mac is up to date.
      So, although better than nothing, I suspect that you needed rather more info for your routine. I am always happy to provide help, for example giving you all the paths and commands which I use in my apps.
      Howard.
      
      LikeLike
12

Myob on May 9, 2020 at 4:02 pm

That’s the same article I posted. I did post the link but you probably have mechanisms in place to prevent mischievousness.

For me, as you say, it’s better than nothing. Prior to seeing the list (I’m assuming it’s complete and accurate) I’d found nothing close to its specificity published by Apple Inc.

I wholeheartedly agree with your assessment about Apple’s failings on the topic. What you’ve presented is a major factor in my quest to be less and less dependent on Apple’s updating system. I was predisposed to not trust auto OS updates from my Windows’ experiences.

One of your accomplishments here, and I suspect for many, many others, is that you’ve enabled me to have a clearer view through Apple’s obfuscation. I don’t know why they hide information. I can’t think of a rational reason why they should.

Thank you for the offer to help. Before I ask a question(s), I should do some homework. Your LockRattler manual explains quite a bit, including the commands not acknowledged in Terminal app’s *man* and *help* files. That you actually took the time to define what your LockRattler UI translates to in CLI––”Hey Apple. This is how a manual should be done, how information should be presented. Many of your customers would appreciate it. Those who don’t want such specificity don’t have to read it.”

Thanks again and best…..

LikeLike
- 13
  
  hoakley on May 9, 2020 at 4:36 pm
  
  Thank you.
  Yes, I’m afraid something ate your link, but I guessed that was the same article.
  Howard.
  
  LikeLike
  - 14
    
    Myob on May 9, 2020 at 11:02 pm
    
    Hi, Howard.
    
    If I were to uncheck the box “Check for updates” at Software Update > Advanced > Automatically:, would LockRattler’s “List all pending updates” button, which equals *softwareupdate -l –include-config-data* in Terminal app, list each update available for my Mac?
    
    If not, do you know what wouldn’t be included and how it/they could be otherwise listed via Terminal?
    
    [I’m running macOS 10.14.6 and my machines are eligible for at least 10.15.x.]
    
    John
    
    LikeLiked by 1 person
    - 15
      
      hoakley on May 10, 2020 at 9:55 am
      
      In 10.12 and later, it should. In 10.11 and earlier, there’s a known bug which prevents that from working properly.
      So you should be fine in Mojave.
      Howard.
      
      LikeLike
    - 16
      
      Myob on May 10, 2020 at 10:03 pm
      
      Thank you, Howard.
      
      May your brushstrokes be true.
      
      LikeLiked by 1 person

·Comments are closed.

Share this:

Related