Guarding against buggy security updates: a new version of SilentKnight

Every couple of weeks, Apple pushes one or two new security updates for macOS. Most commonly these improve the ability of XProtect to detect malware, and of MRT to remove it. Problems with these security updates have been very rare, and usually confined to minor glitches in version numbering. Then, on 19 October 2020, Apple pushed a version of MRT (1.68) which brought serious problems to a great many Macs. It ate CPU voraciously, kept crashing, and just wouldn’t let go.

Because this was a pushed security update, it was very hard to know how best to resolve its problems. Whatever you did, booting in Recovery mode and disabling SIP seemed inevitable. There was no easy solution. After a few days, during which most Macs were updated to the buggy version, Apple pulled 1.68 leaving the previous version available. That was of little help to the many whose Macs had already been affected by the bug. It wasn’t until 30 October – 11 days later – that Apple finally pushed the next update, 1.69.3, which resolved the problem fully.

I’ve always been a fan of Apple’s security updates, and offer two different apps, SilentKnight and LockRattler, which help you keep your Mac fully up to date with them. I also publicise when updates are released so that you can install them as soon as possible. Although none of my Macs was affected by MRT 1.68, like you, my confidence in these security updates has been shaken. This article suggests how you can treat them with more caution, and provides a new version of SilentKnight to help.

Should you leave automatic updating on?

Many of us have recommended leaving the Advanced option in Software Update to Install system data files and security updates ticked (enabled). This now appears the worst choice, as your Mac will automatically install these updates whenever, and the first thing you might know about a problem is when it goes haywire. Without checking what’s wrong in Activity Monitor, you might find it very hard to guess the cause is a ‘silent’ update.


Instead, you’re now better off if you decide when to check for and install these updates. Untick that box, and choose how you’re going to keep your Mac up to date.

Should you download and install silent updates immediately?

Left to its own devices, your Mac could silently download and install security updates any time in the first day or two after Apple first releases them, and sometimes they take even longer to arrive. One of my aims in SilentKnight and LockRattler has been to ensure that you can install silent updates more promptly. Some updates protect against malware which is known to be affecting Macs already. In one case, MRT version 1.45 of 10 July 2019, Apple used a silent update to remove a vulnerable web server which had been installed with Zoom, something you didn’t want to leave active any longer than absolutely necessary.

Being more cautious, though, has its rewards. Some of those who heard about the problems being reported with MRT 1.68 were able to prevent it from affecting their Macs. Many users now prefer to leave a new update for a couple of days, to see whether it does cause problems, before installing it. That isn’t easy with silent updates, which are normally installed automatically after they have been downloaded.

The option to download and install manually

In normal use, Software Update, its command tool equivalent softwareupdate, and my apps SilentKnight and LockRattler, download and install all available updates. You can fiddle around and perform single item installs, but they’re more complex and generally unpopular. One solution might be to download all available updates, but hold off installing those, such as MRT, which you’re wary of. That hasn’t been possible in Software Update, SilentKnight or LockRattler, and it’s rarely used in softwareupdate.


This has now changed with a new version of SilentKnight, 1.12, which now allows you to download all available updates or individual named updates, then decide when to install them. This is controlled by one menu command, which changes all the app’s actions from Install … to Download …. Once you’ve downloaded the updates you want (this also works when fetching just individual named updates), it even opens the folder containing those downloads for you, in /Library/Updates.


You can then keep copies of each of the installer packages, or install some and not others: this gives you the choice.

So far, I’ve tested this on Mojave, Catalina and Big Sur, but not older versions of macOS. It seems to work, in that the updates are correctly downloaded. What is less clear is how or whether you can use them. Downloaded updates appear to be regular Installer packages, but the current documentation for softwareupdate warns that they “are not designed to be installed by double-clicking the packages in that directory: always use –install or the App Store to actually perform the install.” But that ‘current’ man page is over eight years old, as you might have guessed with its reference to the App Store, so whether that still applies is unknown.

I will be adding this download-only feature to LockRattler shortly. SilentKnight version 1.12 is now available from here: silentknight112
from Downloads above, from its Product Page, and via its auto-update mechanism.

The next silent security updates for macOS are due on or around 12 November. Please let me know how you get on with this new feature. And my apologies to Apple’s engineers who are working under such difficult circumstances; however, many Mac users can’t afford to spend an hour or two unravelling a bad update.