Last Week on My Mac: Are silent security updates a vulnerability?

Overall, Apple has coped remarkably well during the pandemic, and has maintained its support services as well as it possibly could, given restrictions on the opening of its stores around the world. Where users have suffered is in the surprising number of software updates which haven’t gone as intended.

On Macs, this started with Catalina 10.15.6 on 15 July, which introduced a severe memory leak in kernel zones, leading to kernel panics. That had to be fixed in 10.15.6 Supplemental Update, released on 12 August. Then came Safari 14.0, the surprise 10.15.7 and matching Security Updates for Mojave and High Sierra on 24 September. The latter caused many users problems, which had to be fixed by Mojave 10.14.6 Supplemental Update on 1 October. Little more than a fortnight later, Apple pushed MRT 1.68 (on 19 October), which has wreaked havoc on many Macs from El Capitan to Catalina. That’s the third update in three months to prove flawed.

Although Apple recommends us to allow automatic downloading and installation of updates, many users have grown wise to the problems that can create. But until this latest update to MRT, most have considered that it’s best practice to “install system data files and security updates” in their Software Update options. With that enabled, the methods open to you for reverting to MRT 1.67 are limited.

Assume for the moment that you had followed Apple’s recommendation to allow those automatic security updates. You might have returned from lunch, or merely started up your Mac one morning, only to find it sluggish and unreponsive for no apparent reason. Being an expert user, you then open Activity Monitor to investigate, only to find that MRT and trustd are stealing all its CPU, with the former crashing repeatedly and being automatically restarted time and again. What are the chances that you’d next open System Information and rummage through its list of Installations to discover whether MRT had just been updated?

Even if you decided that the problems were the result of a silent MRT update, and not the result of malware trying to tamper with your system, what can you then do about this problem?

If you are really lucky, and have been running Time Machine – in spite of the serious problems it has suffered in Catalina – the chances of having a snapshot of your Data volume which you could roll back to are slim. While previous versions of macOS may have made a snapshot prior to any more substantial update, that has never been the practice for these frequent small security updates, and was removed from Catalina anyway.

With Time Machine backups, you do still have another option, to restore the previous version of MRT, 1.67, from your backup. To do that, you’ll need to start up in Recovery mode, as is protected by SIP. At least, in Catalina, it resides on an otherwise accessible folder on your Data volume and isn’t on the read-only System volume.

If you don’t have that backup, though, you’re now in trouble. Your choices are to remove MRT altogether, or to install a fresh copy of Catalina 10.15.7. Neither is simple, and the first of those leaves your Mac without the protection afforded by MRT. And whichever you decide to try, once you’ve reverted MRT you must then disable all updates, to ensure that Software Update doesn’t reinstall MRT 1.68.

Unlike almost all other system software updates, not only does Apple not announce or record these security updates to MRT and XProtect, even though they occur every couple of weeks, but it doesn’t make previous versions available as installers. Thus Apple doesn’t offer any direct way to revert to an older version of MRT.

Neither do you have any easy technique for keeping copies of old installers of MRT. The Software Update pane provides no way to keep a copy of the installer which it dowloads when silently updating security data. You can manually run the softwareupdate command using its -d option, for instance in
softwareupdate -da --include-config-data
which doesn’t install any updates, but downloads and leaves them in /Library/Updates for manual installation. That’s unusual practice, and something that I’m now giving serious thought to for my free utilities SilentKnight and LockRattler. However, once you’ve installed any update, Apple’s update server denies you all further access to that and previous updates: for example, if you’ve already installed MRT 1.68, there’s no direct way of getting Apple to offer you previous installers, such as MRT 1.67.

In summary, allowing macOS to “install system data files and security updates” can allow the silent installation of software which brings your Mac to its knees, and, should you realise what has happened, downgrading to a previous version is a long and complex task. The update to MRT 1.68 has effectively resulted in a Denial of Service to many Mac users, making Apple’s silent security updates nothing short of a vulnerability.