hoakley October 25, 2020 Macs, Technology

Last Week on My Mac: Are silent security updates a vulnerability?

Overall, Apple has coped remarkably well during the pandemic, and has maintained its support services as well as it possibly could, given restrictions on the opening of its stores around the world. Where users have suffered is in the surprising number of software updates which haven’t gone as intended.

On Macs, this started with Catalina 10.15.6 on 15 July, which introduced a severe memory leak in kernel zones, leading to kernel panics. That had to be fixed in 10.15.6 Supplemental Update, released on 12 August. Then came Safari 14.0, the surprise 10.15.7 and matching Security Updates for Mojave and High Sierra on 24 September. The latter caused many users problems, which had to be fixed by Mojave 10.14.6 Supplemental Update on 1 October. Little more than a fortnight later, Apple pushed MRT 1.68 (on 19 October), which has wreaked havoc on many Macs from El Capitan to Catalina. That’s the third update in three months to prove flawed.

Although Apple recommends us to allow automatic downloading and installation of updates, many users have grown wise to the problems that can create. But until this latest update to MRT, most have considered that it’s best practice to “install system data files and security updates” in their Software Update options. With that enabled, the methods open to you for reverting to MRT 1.67 are limited.

Assume for the moment that you had followed Apple’s recommendation to allow those automatic security updates. You might have returned from lunch, or merely started up your Mac one morning, only to find it sluggish and unreponsive for no apparent reason. Being an expert user, you then open Activity Monitor to investigate, only to find that MRT and trustd are stealing all its CPU, with the former crashing repeatedly and being automatically restarted time and again. What are the chances that you’d next open System Information and rummage through its list of Installations to discover whether MRT had just been updated?

Even if you decided that the problems were the result of a silent MRT update, and not the result of malware trying to tamper with your system, what can you then do about this problem?

If you are really lucky, and have been running Time Machine – in spite of the serious problems it has suffered in Catalina – the chances of having a snapshot of your Data volume which you could roll back to are slim. While previous versions of macOS may have made a snapshot prior to any more substantial update, that has never been the practice for these frequent small security updates, and was removed from Catalina anyway.

With Time Machine backups, you do still have another option, to restore the previous version of MRT, 1.67, from your backup. To do that, you’ll need to start up in Recovery mode, as MRT.app is protected by SIP. At least, in Catalina, it resides on an otherwise accessible folder on your Data volume and isn’t on the read-only System volume.

If you don’t have that backup, though, you’re now in trouble. Your choices are to remove MRT altogether, or to install a fresh copy of Catalina 10.15.7. Neither is simple, and the first of those leaves your Mac without the protection afforded by MRT. And whichever you decide to try, once you’ve reverted MRT you must then disable all updates, to ensure that Software Update doesn’t reinstall MRT 1.68.

Unlike almost all other system software updates, not only does Apple not announce or record these security updates to MRT and XProtect, even though they occur every couple of weeks, but it doesn’t make previous versions available as installers. Thus Apple doesn’t offer any direct way to revert to an older version of MRT.

Neither do you have any easy technique for keeping copies of old installers of MRT. The Software Update pane provides no way to keep a copy of the installer which it dowloads when silently updating security data. You can manually run the softwareupdate command using its -d option, for instance in
softwareupdate -da --include-config-data
which doesn’t install any updates, but downloads and leaves them in /Library/Updates for manual installation. That’s unusual practice, and something that I’m now giving serious thought to for my free utilities SilentKnight and LockRattler. However, once you’ve installed any update, Apple’s update server denies you all further access to that and previous updates: for example, if you’ve already installed MRT 1.68, there’s no direct way of getting Apple to offer you previous installers, such as MRT 1.67.

In summary, allowing macOS to “install system data files and security updates” can allow the silent installation of software which brings your Mac to its knees, and, should you realise what has happened, downgrading to a previous version is a long and complex task. The update to MRT 1.68 has effectively resulted in a Denial of Service to many Mac users, making Apple’s silent security updates nothing short of a vulnerability.

18Comments

Add yours

1

Myob on October 25, 2020 at 3:59 pm

I like the idea of adding the -d capability to your tools, to LockRattler at the least since it’s the more flexible, involved tool.

Regardless, thank you again for the tools and hat’s off to you for their quality, including and especially the documentation. The time you’ve taken is greatly appreciated.

Fortunately, I’ve not been personally affected by any of the recent Apple induced update issues (other than calls for help) as I don’t use auto updating. I’ve turned people on to your tools––you’ve saved them from lost time and stress.

LikeLiked by 1 person
2

josehill on October 25, 2020 at 5:28 pm

It’s an ugly kludge, but if you periodically download copies of Apple’s software catalog file (~7 MB xml format), many older links remain viable after they are no longer current and after they no longer appear via the normal software update process. For example, a software catalog file from mid-September contains a link to the MRT 1.66 installer. The link still works, though MRT 1.66 won’t install over a newer version of MRT, of course.

It may be prudent for sys admins to automate periodic (daily?) downloading of Apple Software Update Catalog files to maintain access to previous versions of at least some updates. Ambitious admins may consider using the catalog file to build a local archive of previous installers.

For reference, the daily update of the catalog file for Leopard through Catalina is available at https://swscan.apple.com/content/catalogs/others/index-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

There are variants of the catalog for individual OS versions which may be deduced by the url format or by searching the Internet. Also, although Apple has indicated that Big Sur will use a different method for tracking updates, Apple currently supplies a seed version of the catalog that includes Big Sur beta files at https://swscan.apple.com/content/catalogs/others/index-10.16seed-10.16-10.15-10.14-10.13-10.12-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog.gz

Again, it’s not a great solution, but having access to an appropriate Apple Software Update Catalog file can prove to be very handy.

LikeLiked by 1 person
- 3
  
  hoakley on October 25, 2020 at 6:54 pm
  
  Thank you – valuable for those looking after multiple Macs, indeed.
  Howard.
  
  LikeLike
- 4
  
  alvarnell on October 26, 2020 at 12:41 am
  
  I know a lot of SysAdmins use Sus Inspector (as do I) to keep track of one or more catalog files, which I find much easier than scanning through the catalog itself:
  https://github.com/hjuutilainen/sus-inspector/releases.
  
  LikeLiked by 1 person
  - 5
    
    hoakley on October 26, 2020 at 1:34 pm
    
    Thank you, Al.
    Howard.
    
    LikeLike
  - 6
    
    Myob on October 26, 2020 at 1:58 pm
    
    Thank you.
    
    LikeLike
7

almeath on October 25, 2020 at 6:46 pm

The worst aspect of this issue with MRT is that even those who make a conscious decision not to upgrade their older Macs (or who cannot) and expected to have outdated but at least “stable” systems, can suddenly have their machine rendered unusable. Couple that with major headaches trying to locate and download older versions of macOS, and older pre-downloaded installers being rendered unusable by expired certificates, and it gets pretty close to having your system bricked, just for keeping it connected to the Internet and in touch with Apple servers. I hate to say it, but it is borderline incompetence from Apple.

LikeLiked by 1 person
- 8
  
  hoakley on October 25, 2020 at 6:55 pm
  
  Thank you. I have to agree.
  Howard.
  
  LikeLike
- 9
  
  Myob on October 25, 2020 at 9:06 pm
  
  I agree as well and add to that this from, hoakley:
  
  “[…]
  Then in a month’s time, Apple looks set to pose us all with the next set of hurdles to upgrading, as it starts releasing betas of 10.16. Two things we know about the next major release of its flagship operating system are that third-party kernel extensions will be blocked, and we’re going to find it hard or impossible to turn off software updates.
  […]”
  The whole article is worth reading:
  https://eclecticlight.co/2020/05/31/last-week-on-my-mac-its-about-user-choice/
  
  I’ve not heard much more about this possible new Apple update/upgrade regime. I’m philosophically opposed to it just from a user choice standpoint, but beyond that, the multiple problematic software issues Apple has produced is clear evidence that that direction would be foolhardy.
  
  LikeLiked by 1 person
  - 10
    
    hoakley on October 25, 2020 at 9:47 pm
    
    Thank you.
    That article was written before this year’s WWDC. It has since become clear that Big Sur doesn’t block third-party kernel extensions, although they are deprecated. Big Sur is supposed to automatically download system updates in the background, although whether they’ll be installed automatically isn’t clear from the betas, which haven’t worked that way yet. Indeed, it has been quite tricky to get some of the beta updates!
    Howard.
    
    LikeLike
11

EcleX on October 25, 2020 at 9:25 pm

Thanks for this great review. That highlights the relevance of installing applications like MenuMeters
https://member.ipmu.jp/yuji.tachikawa/MenuMetersElCapitan
to spot a high CPU activity. That is useful not only to identify these bugs or malware trying to encrypt the disk, but also hanging applications that require to quit-open again, forced quit via Activity Monitor, reboot, etc to get rid of if. For instance, that happens sometimes with “Mail Web Content” in Apple Mail 10.3 (3273) on macOS 10.12.6 (16G2136) Sierra.

Indeed, millions of users might have high CPU activity sometimes without knowing about it. Not only that is bad for the hardware (heat, etc), but also consumes much more electricity, with the corresponding environmental impact. Does Apple really care about it? Really? Then, Apple should include activity lights for both CPU and SSD in front of all Macs. That way, it would be much easier to identify these issues, determine if the Mac is frozen (crashed) or doing something (for instance, during long installations, etc).

And finally, all that teaches the lesson of “Pioneers get the arrows…”. At least Apple should allow to troubleshoot these bugs installing previous versions, etc.

LikeLiked by 1 person
- 12
  
  hoakley on October 25, 2020 at 9:56 pm
  
  Thank you.
  I’d hope that most users were sensitive enough to the ‘feel’ of their Mac to notice when this scale of cycle theft is taking place, and be wise enough to open Activity Monitor to check. But if you want another gizmo, fine.
  If you’re obsessed with high CPU load, then you can leave Activity Monitor open. It soon gets incredibly boring, though.
  I’ve previously advised you to suggest your idea of activity lights to Apple. I somehow don’t see it happening, and such lights can be misleading more than they might help.
  There are no pioneers with respect to these security data updates – they’re not something you can readily avoid. Nor should you, as they often provide urgent protection against malware which is already in the wild, something that SilentKnight and LockRattler try to assist.
  Howard.
  
  LikeLike
13

BKDad on November 3, 2020 at 4:20 pm

Is it safe and advisable to update Mojave now?

LikeLiked by 1 person
- 14
  
  hoakley on November 3, 2020 at 8:07 pm
  
  I thought Mojave was pretty safe over a year ago, but then I have been on Catalina and Big Sur since!
  Howard.
  
  LikeLike
  - 15
    
    BKDad on November 3, 2020 at 8:10 pm
    
    There were the recent little bumps with regard to security upgrades. I managed to dodge them by turning those updates off, but that’s not really ideal.
    
    LikeLiked by 1 person
    - 16
      
      hoakley on November 3, 2020 at 8:18 pm
      
      If you’re referring to the MRT 1.68 update, that applied to all versions of macOS from El Capitan onwards. If you’re referring more generally to security updates, then I’m afraid that you need those updates. High Sierra is about to drop off support, which means its security vulnerabilities will never be fixed. You really do want to be running a supported version of macOS, unless you never connect it to the Internet.
      Howard.
      
      LikeLike
  - 17
    
    BKDad on November 3, 2020 at 8:39 pm
    
    I was in fact thinking of the MRT 1.68 update.
    
    Has a new update been issued that really fixes the problem?
    
    iOS/iPadOS 14 hasn’t exactly been a day at the beach, either, from what I can tell. Hopefully 14.2 fixes the bugs.
    
    LikeLiked by 1 person
    - 18
      
      hoakley on November 3, 2020 at 8:45 pm
      
      As far as I’m aware, the MRT 1.68 problem wasn’t system-specific, and the update was pushed to all Macs running El Capitan (and earlier too?) to Big Sur.
      The update to 1.69.3 was pushed on 30 October, and doesn’t appear to have any issues.
      Howard.
      
      LikeLike