hoakley October 26, 2020 Macs, Technology

What happened with security updates and HP printer software?

Last week a great many Mac users were struck by one or both of two serious problems. This article explains what happened, and what you can do about them.

MRT 1.68 update

Some time before 2200 UTC on Monday 19 October, Apple pushed routine updates to its security tools, XProtect and MRT. These normally happen every two weeks or so, and are silent in that Apple doesn’t announce them, or even admit that they’ve happened. Macs which run with Software Update set to Install system data files and security updates then automatically download and install those updates. That doesn’t happen immediately, but for Macs in daily use, that means that most will have been updated by 2359 UTC on 20 October.

Some, but by no means all, Macs then suffered a problem as a result of the new version of MRT. Unlike XProtect, whose data files are used on demand, MRT is normally run in two situations: shortly after it has been updated, and soon after a Mac starts up. Affected Macs, which can be running any version of macOS from El Capitan to Catalina, suffer severe problems running the new version of MRT. The Mac becomes sluggish, and looking in Activity Monitor normally shows two processes, MRT and trustd, taking large amounts of CPU. MRT keeps crashing and being automatically restarted, and this affects overall performance. Although affected Macs aren’t completely unusable, they’re severely affected by this.

Many Macs which were updated to MRT 1.68 haven’t been affected at all. It’s not clear why this is, and there’s no obvious pattern to these problems. For the moment, if your Mac successfully updated to the new version of MRT without suffering these problems, there’s no reason to suspect that it will develop them later.

This appears to be the result of a bug in MRT 1.68. Apple pulled that update early on 24 October, but unfortunately that doesn’t force affected Macs to be downgraded. Because of the way that these updates are pushed, your Mac won’t see the older version, and even if it did, simply trying to install it won’t force it to be downgraded from 1.68 to 1.67.

There are many different potential solutions for Macs which are affected by this bug. The best will be when Apple pushes MRT 1.69, which should replace the buggy version at last. Until then, you’ll need to follow a method which will remove 1.68 and either replace it with 1.67 from a backup, or allow Apple’s update servers to push 1.67 at it. There are several different and reliable ways of doing that, and if you’re uncertain please contact Apple Support so that they can talk you through resolution.

HP printer software, Amazon Music

Reports about problems with HP printers didn’t start appearing until 23 October, well after those users affected by MRT 1.68 had run into problems. Symptoms were completely different: when trying to print or otherwise access some HP printers, various error messages appeared and access failed. The most worrying of the alerts came from Gatekeeper, which warned that the printer software was malicious and “will damage your computer” and refused to run it.

Not all users reported such characteristic errors, though. In some, there were what looked like regular errors with opaque numbers, and for Catalina users there were crash reports when macOS force-crashed HP software because the code signature is invalid. Problems were most frequent in Mojave and Catalina, and with older HP printers.

These behaviours aren’t anything to do with MRT, whose purpose is to remove malware, or XProtect, which checks for signatures of known malware, but come from Gatekeeper, when it’s checking the signature on software being launched. Errors aren’t consistent because they depend on where the signature is failing: if you try to open an app with a fatal signature problem, Gatekeeper will display that alert or (more brutally in Catalina) crash the app; if an app tries to run a component with a fatal signature problem, that generates an internal error which the app may not communicate explicitly, and just report an error in that component.

Checking the signatures on some of the affected software revealed that the certificate used to sign them had been revoked, presumably shortly before problems appeared on 23 October. So who might have revoked those certificates?

Security certificates provided to developers for signing macOS and other Apple platform apps come from Apple, as the Certificate Authority (CA), a very demanding responsibility which resides with a separate team within Apple, its PKI, operating under stringent rules.

Under those, revocations are performed by the CA most commonly at the request of the certificate owner, in this case HP. The most popular reason for revoking a certificate is when it has been superseded, although many are revoked because of their compromise. As with all CAs, Apple PKI issues a Certificate Revocation List (CRL), which details all the certificates it has revoked. In the last year or so, that amounts to a huge number, in the tens of thousands, and on 20 October 2020 alone there were hundreds of revocations. One reason why this revocation seems to have affected Mojave and Catalina systems first is that they now appear to use a different and quicker system for being notified of revocations from those used by earlier versions of macOS.

Before blamestorming about the sudden blocking of this HP printer software, it’s essential to discover who instigated the certificate revocation. According to an anonymous spokesperson quoted by The Register, that was HP, not Apple. So someone in HP decided to revoke their certificate used to sign that printer software, instructed Apple PKI to make that revocation, which then propagated to Macs. When those Macs next performed a certificate check on the affected software, as part of its Gatekeeper checks, HP’s software was then correctly prevented from opening.

At some time during the night of 24-25 October, Apple PKI withdrew the revocation of HP’s certificate, presumably at HP’s request in response to the many complaints from users. HP’s software should therefore now work normally again.

What to do?

In the case of the MRT update, Apple has already removed MRT 1.68, but that happened too late to help many affected users, and reverting to the previous version isn’t simple – because of the way that Apple distributes these ‘silent’ updates, any bug like this is hard to diagnose and tougher still to fix. I’m a great believer in Apple’s security software. Although it doesn’t provide ‘perfect’ protection (what does?) it’s important for users to keep it up to date. However, in the light of this problem Apple needs to review how these updates are distributed so that users are more aware when updates occur, and have a straightforward method of reverting to an older version when problems arise with an update.

Rather than letting Software Update install updates automatically, it may be preferable to manually download their installers using
softwareupdate -da --include-config-data
and that’s an option which I’m considering for my own utilities SilentKnight and LockRattler. Users can then wait a day or two after each update to verify that problems are unlikely, and retain copies of installers for older versions should they need them.

Some users have suggested that the only way to avoid problems such as that with HP’s printer software is to do away with code signing altogether. Although superficially attractive, I can hear malware developers shouting ‘yes please!’ at the thought that there would then be almost nothing to replace signatures as a baseline in app security.

Instead what we should be asking is how HP came to revoke a certificate still being relied on by many users. I have certificates issued by Apple with which I sign my apps here. Could you see me ‘unintentionally’ instructing Apple to revoke them? That’s a very deliberate act which no corporation could ever leave to an intern to handle. They should have a complete audit trail which establishes exactly where their error was made, with the safeguards which were bypassed to enable such a serious mistake. Such errors aren’t addressed by abandoning a whole layer in macOS security protection.

What should surprise and anger us more than anything else is not that these failures occurred, but that neither Apple nor HP have seen fit to explain what has happened and advise us what to do to work around the problems they have created. Instead, as usual, they leak a little unattributed comment to a reporter and then pretend that nothing happened at all. That isn’t being open or honest with their customers, and only brings discredit to both companies.

Postscript (27 October 2020):

HP has now published a support article explaining what affected users should do to remedy this problem. I suspect this only works with its software for relatively recent printer models. Thanks to @macinteractive for drawing my attention to this.

27Comments

Add yours

1

Roman on October 26, 2020 at 11:36 am

Apple accidentally revoked amazon/hp certificates

LikeLike
- 2
  
  hoakley on October 26, 2020 at 11:38 am
  
  Who has announced that? Over the weekend, HP stated that it had unintentionally revoked the certificate.
  Howard
  
  LikeLiked by 1 person
3

BKDad on October 26, 2020 at 1:54 pm

Adding that feature to SilentKnight and LockRattler would be magnificent!

I’ve become a big fan of letting other people volunteer to be post-release testers. Hence, we’re still using iOS 13.n and Mojave on the appropriate devices here. There’s always a trade-off between new features and reliability. At this point in the evolution of operating systems, many of the new features are not quite cool or useful enough to tip the scales in favor of upgrading versus staying reliable. I have empathy for developers who simply must upgrade for their business activities.

LikeLiked by 1 person
4

johnt519 on October 26, 2020 at 7:53 pm

Just ran into the HP problem on two separate systems. Haven’t seen the MRT issue, but could not print using those two computers (an iMac and a MacBook Pro). The latest, the iMac, happened to day, so whatever was said to have been “fixed” certainly has not. Any idea on how to force an update to the certificates to get printing working again?

LikeLike
- 5
  
  hoakley on October 26, 2020 at 8:32 pm
  
  Thank you.
  There isn’t any way that I know of to force any update on certificate information: it’s fetched as a background process which you can’t control.
  Howard.
  
  LikeLike
  - 6
    
    hstriepe on October 26, 2020 at 8:36 pm
    
    I should clarify. The HP installer came up with an outdated certificate message that I was able to override with an ok. This looks relatively new. The only way you used to to be able to run installers with outdated certificats was by setting the date back after disabling Internet date/time update.
    
    >
    
    LikeLiked by 1 person
    - 7
      
      hoakley on October 26, 2020 at 8:39 pm
      
      I strongly advise you not to alter the date of your clock: that will cause havoc in many systems, and breaks some networking completely, for instance.
      Howard.
      
      LikeLike
    - 8
      
      hstriepe on October 26, 2020 at 8:44 pm
      
      I only do this temporarily during the install of a well-known installer from my archive.
      
      >
      
      LikeLiked by 1 person
9

analysis on October 26, 2020 at 8:19 pm

I just really wish Apple would stop doing things like this. When you have loyal, dedicated users, it’s best not to give them second thoughts… because nobody hates a company like people who trusted it and got burned.

LikeLiked by 1 person
- 10
  
  hoakley on October 26, 2020 at 8:36 pm
  
  Thank you.
  And HP?
  Howard.
  
  LikeLike
  - 11
    
    hstriepe on October 26, 2020 at 8:38 pm
    
    I think this is just a feature of the current installer.
    
    >
    
    LikeLiked by 1 person
12

hstriepe on October 26, 2020 at 8:28 pm

I was trying to remote scan from my Officejet printer this morning and suddenly got a warning about the HP scanner plugin being a virus. Prevented me from scanning, I ended up removing the software and reinstalling it with the caveat to ignore the outdated signature. That fixed the issue. I prefer the native driver to AirPrint.
The security update also repeated nag dialogs for “legacy” system extensions.
UX used to be prized by Apple, but the user experience seems to be secondary these days.
One of my pet peeve is the use of system modal dialogs that intrude in the middle of whatever you are doing instead of politely waiting. That used to be only on Windows.
Of course, Windows also reboots after some updates whether you like it or not.

LikeLiked by 1 person
- 13
  
  hoakley on October 26, 2020 at 8:37 pm
  
  Thank you.
  Sorry – aren’t you referring to HP’s software, and not Apple’s?
  Howard.
  
  LikeLike
14

HP Printer Driver Certificate Issue! "Driver will Damage your Computer" on October 27, 2020 at 4:44 am

[…] eclecticlight.co/2020/10/26/what-happened-with-security-updates-and-hp-printer-software/ […]

LikeLike
15

awsumth on October 27, 2020 at 5:05 am

I couldn’t get my printer to work today and have come up with two solutions. One is you can set install your printer as a generic Postscript/PCL or AirPrint printer. This is a quick workaround but some features won’t work. Second you can go to /Library/Printers and delete HP. Install your printer again and it will download and install an updated version.

LikeLiked by 1 person
- 16
  
  Neil Ross on October 27, 2020 at 12:56 pm
  
  Thank you so much for all your help. It all seems to be working fine now.
  
  LikeLiked by 1 person
17

Henry Larsen on October 27, 2020 at 10:03 am

Here is another datapoint, for reference. My late-’14 iMac 27 Retina is still running Sierra 10.12. According to System Information > Software > Installations, MRTConfigDate 1.68 was installed on 20 October at 01:56. I have experienced no problems; I haven’t even noticed anything different.

LikeLiked by 1 person
- 18
  
  hoakley on October 27, 2020 at 1:12 pm
  
  Thank you. Yes, a great many users didn’t experience any problems with MRT 1.68. We don’t understand why some did, though.
  Howard.
  
  LikeLike
19

josehill on October 27, 2020 at 12:52 pm

…and there is the downstream effect on other developers and support staff. For example, the impact of the dire warning message displayed to users in the absence of clarifying information led Thomas Reed at Malwarebytes to tweet “Folks are either angry that we didn’t detect the “malware” or because they think we’re detecting it erroneously.”

We've got quite a few cases continuing to come in to support on the HP software issue. Even though the cert has been un-revoked, some folks still see the issue. Folks are either angry that we didn't detect the "malware" or because they think we're detecting it erroneously. 😕

— Thomas Reed (@thomasareed) October 26, 2020

A lot of headaches could have been avoided with clearer communications and guidance from Apple and HP.

…and there still is confusion and mystery over why Amazon Music and Amazon WorkSpaces apparently had similar issues for some users around the same time. Presumably, it was purely coincidental, but good luck finding necessary details about Music from Amazon, though perhaps there will be more information out there about WorkSpaces, given its enterprise focus.

LikeLiked by 1 person
- 20
  
  hoakley on October 27, 2020 at 1:15 pm
  
  Yes. The onus was on HP. macOS doesn’t know why a certificate has been revoked, and those dire warnings are good for the worst case, that it is because the certificate has been revoked because it’s being actively used in malware. There’s no way the Mac can know that, unfortunately. Thankfully, as far as revocations go, these are extremely rare, but when they happen they affect a great many users.
  Howard.
  
  LikeLike
21

David Losada on October 27, 2020 at 1:35 pm

When installing the new (2017) 5.1 drivers from Apple support, the installation fails due to code signature errors. This is not a solution.

HP Easy start and Easy admin only works for recent printers.

Curiously enough, our Windows 10 machines are not affected.

LikeLiked by 1 person
- 22
  
  hoakley on October 27, 2020 at 1:51 pm
  
  Thank you.
  Many users have certainly installed the 5.1 drivers without trouble, and got them working as expected. Are you running the latest release of the major version of macOS that you are running? HP stresses the importance of that.
  If you are, and have used the latest release of those drivers, I suggest that you contact HP and/or Apple support.
  Howard.
  
  LikeLike
23

Jazzman on October 27, 2020 at 6:15 pm

I got it working by removing the hp folder from /Library/Printers and restoring the hp folder from a Time Machine backup a week prior to Oct 23, 2020. I then went through the process of adding the printer. When I added the printer, a popup indicated that Apple had software and could download, which I allowed it to do. It couldn’t have been downloading the driver, the download time was too fast, so I think it was probably downloading a new certificate. In any event, I was able to add the printer (HP Deskjet F4200 series) and now both the scanner and printer are working again.

Another good reason for backups.

LikeLiked by 1 person
- 24
  
  hstriepe on October 27, 2020 at 9:31 pm
  
  I installed the installer but have not yet been prompted for an Apple update Is there a way to trigger that?
  I checked for updates in the System Software Update Panel.
  
  LikeLiked by 1 person
25

Ben on October 29, 2020 at 4:49 pm

It’s been suggested that HP revoked the certs as part of a tightening up after major vulnerabilities and possible breaches were found in their Windows software at the end of September. Though presumably Apple’s certs wouldn’t be used on the Windows drivers!

LikeLiked by 1 person
- 26
  
  hoakley on October 29, 2020 at 6:11 pm
  
  Thank you.
  Yes, I’ve seen that suggestion too. It’s plausible to the extent that a security review could have highlighted shortcomings which in turn could have led to a review of old certificates, and then revocation of what appeared to be out-of-use certificates. But there’s nothing more than speculation, and I also have a couple of suggestions that this may not have been initiated by HP at all, but been another ‘Charlie Monroe’.
  As neither Apple nor HP seems prepared to come clean, I suspect we won’t know until someone writes their autobiography in twenty years time, if ever. So much for caring for users.
  Howard.
  
  LikeLike
27

Michael Tsai - Blog - HP Printer Driver Certificate Revoked on November 10, 2020 at 5:16 pm

[…] Howard Oakley (also: Mr. Macintosh): […]

LikeLike