SilentKnight & LockRattler: security & firmware updates

Over the last week, a lot of Mac users have been installing my free utilities SilentKnight and LockRattler, and as a result I’ve been getting a lot of questions about them. This article looks at two common issues: why they don’t update version numbers shown when you’ve just installed updates, and whether the EFI firmware versions are correct.

Installing security data updates

Both apps provide buttons which download and install available security data and other pushed updates from Apple, to save you having to wait for them to be pushed, which can be a day or two after they’ve been released.

If you used these for the updates which Apple released on 2 April, you’ll have noticed that neither app updates the versions of the data which have been updated after they’ve been installed. I apologise for this, but it’s a bug in macOS. In order to see the versions correctly updated, after they’ve been installed you need to quit the app and open it again.

In some ways, this isn’t a disadvantage: it’s not unusual for Apple to release multiple updates, and checking that there aren’t any more to be installed is purposeful. However, that isn’t my intention. I’ve been working for years now to get the version numbers to update properly, but macOS simply won’t let it happen.

Both SilentKnight and LockRattler are very careful only to use official and supported system calls. That way, when we get new versions of macOS, or updates, they both continue to work well, and don’t fall apart when Apple changes something internally. I therefore use the official ways of getting the version number from the bundles which contain the security data.

However, no matter which of the official ways that I use to obtain those version numbers, macOS appears to cache that data, so when the app calls for the version number a second (or third, or …) time, it always gets the same number as it did the first time, despite the number having changed on the bundle. The only reliable way to flush that cache is to quit the app and open it again.

I do have a new version in development, in which I am experimenting with bending the rules in an effort to work around this. Unfortunately, testing is very difficult, as these updates are only pushed every couple of weeks. That gives me plenty of time to write new code, but only one shot to test it. And yes, I was testing a new version on 2 April, which didn’t fix the problem.

As soon as I do have a method which overcomes this infuriating problem, I’ll release it as an update. In the meantime, please live with this minor limitation.

EFI firmware versions

Apple doesn’t provide an official listing of EFI firmware versions for different models or different versions of macOS, nor does it provide any way to update firmware except as part of a macOS install, update, or Security Update. Many of you, particularly those with iMac17,1 models, are being shocked that SilentKnight or LockRattler report that your Mac’s firmware is out of date.

A few go on to contact Apple Support, who may not be as helpful as you would want. I’ve recently heard from one user who was told that his Mac’s out-of-date firmware was correct, and that Apple hadn’t provided an update since that version, which is categorically untrue. Please bear with Apple Support at this time: they’re good people trying to do a difficult job at a time when they’re under enormous pressure. In other circumstances, they’re usually a lot more receptive and will try to report these issues rather than denying them.

Each time that Apple pushes a macOS update and/or Security Update which could include firmware updates, I and several friends of this blog, Pico in particular, examine the installer to look for firmware updates which it brings. These aren’t difficult to discover, and within an hour or two of each update appearing, Pico normally provides me with a full listing by model number. I then manually take those versions and update the GitHub property lists which contain my firmware database, and the articles which I have here for those who prefer to check manually rather than using SilentKnight. I try to update SilentKnight’s databases within six hours of the update being made available, and the article(s) within 24 hours.

Because these are manual processes, they’re prone to human error. I have made the very occasional error in the past, but check every entry thoroughly before putting the new database or article live. I therefore welcome you questioning whether a given version number is correct.

However, whatever you might be told by others, as far as we can ascertain those are correct, and what the macOS installer or updater should be updating your Mac’s firmware to. As firmware updates often fix bugs in important features such as waking from sleep, handling external displays, and may be needed to restore stability, Apple should be concerned if your Mac isn’t running the latest firmware for that model and version of macOS.

I know of three problems with firmware updates which can catch users out. First, one model, the iMac17,1, appears at present to have a particular problem updating to the latest firmware version, 176.0.0.0, and many are stuck at 170.0.0.0. I have reported this to Apple, but as of today haven’t received any response.

Other models may get stuck at old firmware versions too, particularly if the original Apple-installed internal storage has been replaced. Some users whose Macs have suffered this have taken to replacing the original storage before applying that update, which often allows the update to complete successfully. If you can’t or won’t attempt that, the only thing you can do is report your problem to Apple Support.

Finally, if you’re still running an old and now-unsupported version of macOS, for which Apple no longer provides Security Updates, there’s no way of getting your firmware updated without upgrading to a supported version of macOS. In any case, running an old kernel with newer firmware could readily cause problems of its own.

I hope these explanations save you time and trouble when using SilentKnight or LockRattler.