hoakley November 4, 2020 Macs, Technology, Updates

Guarding against buggy security updates: a new version of SilentKnight

Every couple of weeks, Apple pushes one or two new security updates for macOS. Most commonly these improve the ability of XProtect to detect malware, and of MRT to remove it. Problems with these security updates have been very rare, and usually confined to minor glitches in version numbering. Then, on 19 October 2020, Apple pushed a version of MRT (1.68) which brought serious problems to a great many Macs. It ate CPU voraciously, kept crashing, and just wouldn’t let go.

Because this was a pushed security update, it was very hard to know how best to resolve its problems. Whatever you did, booting in Recovery mode and disabling SIP seemed inevitable. There was no easy solution. After a few days, during which most Macs were updated to the buggy version, Apple pulled 1.68 leaving the previous version available. That was of little help to the many whose Macs had already been affected by the bug. It wasn’t until 30 October – 11 days later – that Apple finally pushed the next update, 1.69.3, which resolved the problem fully.

I’ve always been a fan of Apple’s security updates, and offer two different apps, SilentKnight and LockRattler, which help you keep your Mac fully up to date with them. I also publicise when updates are released so that you can install them as soon as possible. Although none of my Macs was affected by MRT 1.68, like you, my confidence in these security updates has been shaken. This article suggests how you can treat them with more caution, and provides a new version of SilentKnight to help.

Should you leave automatic updating on?

Many of us have recommended leaving the Advanced option in Software Update to Install system data files and security updates ticked (enabled). This now appears the worst choice, as your Mac will automatically install these updates whenever, and the first thing you might know about a problem is when it goes haywire. Without checking what’s wrong in Activity Monitor, you might find it very hard to guess the cause is a ‘silent’ update.

silentknight11201

Instead, you’re now better off if you decide when to check for and install these updates. Untick that box, and choose how you’re going to keep your Mac up to date.

Should you download and install silent updates immediately?

Left to its own devices, your Mac could silently download and install security updates any time in the first day or two after Apple first releases them, and sometimes they take even longer to arrive. One of my aims in SilentKnight and LockRattler has been to ensure that you can install silent updates more promptly. Some updates protect against malware which is known to be affecting Macs already. In one case, MRT version 1.45 of 10 July 2019, Apple used a silent update to remove a vulnerable web server which had been installed with Zoom, something you didn’t want to leave active any longer than absolutely necessary.

Being more cautious, though, has its rewards. Some of those who heard about the problems being reported with MRT 1.68 were able to prevent it from affecting their Macs. Many users now prefer to leave a new update for a couple of days, to see whether it does cause problems, before installing it. That isn’t easy with silent updates, which are normally installed automatically after they have been downloaded.

The option to download and install manually

In normal use, Software Update, its command tool equivalent softwareupdate, and my apps SilentKnight and LockRattler, download and install all available updates. You can fiddle around and perform single item installs, but they’re more complex and generally unpopular. One solution might be to download all available updates, but hold off installing those, such as MRT, which you’re wary of. That hasn’t been possible in Software Update, SilentKnight or LockRattler, and it’s rarely used in softwareupdate.

silentknight11202

This has now changed with a new version of SilentKnight, 1.12, which now allows you to download all available updates or individual named updates, then decide when to install them. This is controlled by one menu command, which changes all the app’s actions from Install … to Download …. Once you’ve downloaded the updates you want (this also works when fetching just individual named updates), it even opens the folder containing those downloads for you, in /Library/Updates.

silentknight11203

You can then keep copies of each of the installer packages, or install some and not others: this gives you the choice.

So far, I’ve tested this on Mojave, Catalina and Big Sur, but not older versions of macOS. It seems to work, in that the updates are correctly downloaded. What is less clear is how or whether you can use them. Downloaded updates appear to be regular Installer packages, but the current documentation for softwareupdate warns that they “are not designed to be installed by double-clicking the packages in that directory: always use –install or the App Store to actually perform the install.” But that ‘current’ man page is over eight years old, as you might have guessed with its reference to the App Store, so whether that still applies is unknown.

I will be adding this download-only feature to LockRattler shortly. SilentKnight version 1.12 is now available from here: silentknight112
from Downloads above, from its Product Page, and via its auto-update mechanism.

The next silent security updates for macOS are due on or around 12 November. Please let me know how you get on with this new feature. And my apologies to Apple’s engineers who are working under such difficult circumstances; however, many Mac users can’t afford to spend an hour or two unravelling a bad update.

23Comments

Add yours

1

EcleX on November 4, 2020 at 9:06 am

Thanks for all your awesome work and wise advice. Really remarkable!

LikeLiked by 1 person
- 2
  
  hoakley on November 4, 2020 at 9:54 am
  
  Thank you. Coming tomorrow: LockRattler with a download-only option.
  Howard.
  
  LikeLiked by 1 person
3

Milo on November 4, 2020 at 9:18 am

I decided to deactivate automatic updates in system preferences for now. Downloads are still enabled.

Am I going to see pending XProtect and MRT updates in system preferences as well, or do I need a tool like SilentKnight to see and start the updates manually?

LikeLiked by 1 person
- 4
  
  hoakley on November 4, 2020 at 9:59 am
  
  Thank you.
  That’s a very good question. Yes, even though automatic updates are disabled, you should still get them pushed and thus made available. The one exception to this may be El Capitan, which has a remaining bug which can make updates much less reliable.
  In my experience, leaving it to the system to offer them results in significant delays, typically of a day, but sometimes several days before the update shows up in Software Update.
  If you want to see those updates reliably, SilentKnight is a better route, I believe, run once a day. These security updates are usually release between about 1800 and 2359 on a roughly fortnightly cycle. I try to announce them promptly here.
  Howard.
  
  LikeLike
5

John Hay on November 4, 2020 at 5:43 pm

Fabulous article and information. Very well done. A million thanks.
Is there any way to be notified from Apple of XProtect and of MRT new releases?
I generally receive update emails from Apple on the major patches and OS updates, but don’t think I’m getting anything on XProtect and of MRT new releases.
Of course I can always run SilentNight from time to time, but would be more convenient to be auto-notified.
Keep up the GREAT work!
All the best,All the best,
Ocean City, NJ

LikeLiked by 1 person
- 6
  
  hoakley on November 4, 2020 at 5:50 pm
  
  Thank you.
  I have two articles which explain how to get newsfeeds etc.: this one is general, and this addresses news about app updates more specifically.
  Howard.
  
  LikeLiked by 1 person
7

BKDad on November 4, 2020 at 6:39 pm

Great solution! Works perfectly. Thank you very much!

LikeLiked by 2 people
- 8
  
  hoakley on November 4, 2020 at 7:30 pm
  
  Thank you.
  Howard.
  
  LikeLike
9

Buggy Security Updates | on November 6, 2020 at 8:00 am

[…] I get into this setting I urge you to go to this site and read this article. It is written by a person that has a software App called SilentKnight which shows what security […]

LikeLike
10

Dana Nau on November 8, 2020 at 2:33 pm

Thanks, I’ve disabled automatic security updates and am using Silent Knight as you suggested.

Annoyingly, Apple Pay disables itself unless security updating is turned on. The (rather awkward) workaround is to turn on security updating before using Apple Pay, then turn it off afterward. In case it matters, this is on a 2018 Macbook Pro running Mojave 10.14.6.

LikeLiked by 1 person
- 11
  
  hoakley on November 8, 2020 at 6:05 pm
  
  I’m sorry to hear that. That sounds like a bug in Mojave, and would be worth reporting to Apple, please, although it may never get fixed, of course. I don’t think it affects Catalina.
  Howard.
  
  LikeLike
12

Dana Nau on November 8, 2020 at 2:35 pm

Oops, that was supposed to be a comment on the article, not a reply to #9.

LikeLiked by 1 person
13

Will on November 9, 2020 at 7:29 am

I have two installations of Big Sur beta(rc). One is an essentially clean install; the other is installed on a clone of my working Mojave system. The cloned system has carried over Gatekeeper 181 from Mojave. SilentKnight says it expected 94, but won’t correct it (neither would any of the Big Sur installers). The clean install has Gatekeeper 94. There have been eccentricities between the two installations. I was wondering if Gatekeeper could be an issue. I haven’t been able to figure out how to force the Big Sur Gatekeeper to install?

LikeLiked by 1 person
- 14
  
  hoakley on November 9, 2020 at 7:50 am
  
  Thank you.
  In Big Sur betas, as has happened before, the version of Gatekeeper found depends on whether the beta has been installed over a copy of an older version of macOS. Where it has, the Gatekeeper version conforms to that older version, so is newer. Where it’s a fresh install, the very old version shown by SilentKnight remains. We don’t know whether that will remain with the full release.
  I don’t think this makes any difference, as macOS Mojave, Catalina and Big Sur don’t appear to access the ‘Gatekeeper’ databases any more – they now appear to be vestigial.
  You can’t force any of these security data files to update, anyway: Apple’s servers decide what to push at your Mac.
  Howard.
  
  LikeLike
15

John Hay on November 13, 2020 at 11:26 pm

Okay. I’ve read through the original article (outstanding BTW) and all of the comments now, three times, looking for where I’m going wrong.

On my 2017 iMac Pro I just updated from 10.15.7 to the 10.15.7 Supplemental Update making sure the “Install System Data Files and Security Updates” checkbox was ticked.
The update went off seemingly without a hitch. No surprises. I rebooted a few times just for good measure.

Just to double-check that my MRT and XProtect were updated I ran the latest version 1.12 of SilentKnight. XProtect updated but it would appear MRT did not.
Oddly, at the top section of SK it states that I’m still running my old MRT v1.62, and to confirm I located the MRT Library file and the info-box on the MRT.app file likewise agrees v1.62.

So here’s the rub. If you look at my screenshot https://9581826.com/HTML/MRTversion.jpg you will note that in the bottom section of SK the stated installations include the new MRT v1.72.

Next, I tried unsuccessfully to force install just the new MRT v1.72 with two “command line” entries in SK. The response was “No such update.”

I’m left thinking, based on the two v1.62 references above that the newer v1.72 never installed, even though it’s included in the SK list of “Latest updates installed:”

What say you? Any and all suggestions, ideas, insights welcome.

Here’s the link again showing the SK GUI and the file info:

TIA,
John
Ocean City, NJ

LikeLiked by 1 person
- 16
  
  hoakley on November 13, 2020 at 11:57 pm
  
  Thank you. Much of this is explained in SilentKnight’s Reference, accessible from the Help menu.
  You’re looking at three different things.
  In the lowest text view, softwareupdate is being offered MRT 1.72, which I presume you then installed using the Install All Updates button higher up. What’s odd about that text is that, before reporting that MRT 1.72 is available, the list of latest installations, written when SilentKnight starts up, reported that version had also been installed earlier. In other words, softwareupdate thought it had installed it, but clearly it had not, and that’s confirmed by the version number shown in the MRT box at the top.
  For some reason, softwareupdate has downloaded that update, installed it, but that update hasn’t worked.
  The reason that you can’t get the MRT update as a named install is because macOS has decided that it has been installed; therefore, it’s no longer being offered as an update at all. If you were to quit and re-open SilentKnight, it would report that no updates are available. softwareupdate doesn’t allow you a second attempt – if it thinks an update has been installed, then it won’t let you obtain another copy, or re-install it. BTW, the correct name for the single installation is that given on the line starting Label, with the underscore characters.
  I can’t recall seeing this problem before, but you’ve confirmed there in the Finder that the installed version of MRT is old.
  The snag is that there isn’t much you can do about this. You can’t force an update to become available. MRT seems stuck in an old version and there’s no way to change that at present. I’d suspect that there’s a problem with its folder permissions, perhaps, which has prevented the update from completing.
  Howard.
  
  LikeLike
17

John Hay on November 14, 2020 at 3:41 am

UPDATE! ✅

Well — funny thing just happened. Truth is stranger than fiction. I just ran SK AGAIN after doing a long 3 hour backup and and another reboot and guess what? . . . I now magically have the “new” v1.72 MRT installed! All in due time I suppose. Obviously something triggered. So all’s well that ends well.

Thank you Howard for your in-depth explanation. I understand. BTW, I used the “Install named update” because I was not positive that I wanted “All” updates installed. Do I, i.e., want them “all” installed? For example, I don’t want FireVault on, but “Install all updates” would not turn “on” my FireVault option, right? Would there be any other reason I should be wary of the “install all updates” process?

I love SK, your amazing web site, and all of the amazing tools, apps, articles, and wisdom available no where else.

A million thanks Howard for everything.

All the best,
John

p.s. Just curious, why does SK label FireVault as “merit further checking or action?” You must obviously have strong feelings about the value of FireVault?

LikeLiked by 1 person
- 18
  
  hoakley on November 14, 2020 at 9:51 am
  
  Thank you.
  Recommendations about FileVault encryption are in the SilentKnight Reference, accessed in the Help menu.
  Pretty well everyone now recommends that you should enable FileVault encryption on all disks which contain sensitive data. For most users, that starts with the boot volumes. With a T2 chip, there is no cost to this – encryption happens whatever you do anyway. For other Macs, it’s a personal choice, but the default now should be to enable it. I don’t universally, though, but make that decision on the circumstances and risks.
  Howard.
  
  LikeLiked by 1 person
19

John Hay on November 14, 2020 at 4:37 pm

I’m paraphrasing from a group list post re why my MRT did not update on the spot:

“Actually, the MRT won’t. I just checked, and the 10.15.7 Supplemental does not contain any XProtect.bundle or MRT.app.
You’ll need to leave it on for 24 hours to ensure you get those background updates. They don’t come automatically when you run any of the manual macOS updates unless they are included within the install package.”

He (in his above post) was right.
About 4-5 hours after I ran the update install I went back and ran SK again and, bingo, there it was! The new MRT v1.72 showed up in SK.

That’s all I know. Just thought I’d follow up as for the “reason” the MRT did’t update with everything else.

LikeLiked by 1 person
20

Brownie on November 27, 2020 at 4:31 pm

I don’t understand how / why both LR & SK identified multiple system updates but did not install all of them. I have to go thru the process again and both still show security update 2020-006 Mojave 1.22GB need to be both downloaded & installed after I told LockRattler to install all updates. Yes it restarted.

How come? I don’t get it.

LikeLiked by 1 person
- 21
  
  hoakley on November 27, 2020 at 4:53 pm
  
  Thank you.
  Have you looked at the Help book in either of the apps (in SK, the Reference)? That explains how download and install works. I don’t recommend that you use them for substantial security updates – that’s what Software Update is designed to do. Both apps are primarily intended for the smaller, more frequent security updates such as those for MRT and XProtect, which Software Update often misses.
  That said, you can use either app for any update offered. But the softwareupdate command tool will make decisions about what it can install, how and when, because that’s what does the work. In this case, it seems to have told you that two updates were available, but decided that it would download and install them in a fixed order. As softwareupdate can’t continue once the first install has started, you will then have to go through the process twice (or more) until all the available updates have been installed in the correct order.
  If you have any better suggestions as to how to handle that situation, I welcome your ideas.
  Howard.
  
  LikeLike
22

Nick on December 13, 2020 at 3:46 am

If Software Update’s “Install system data files and security updates” option is unchecked, presumably one doesn’t also receive the background non-security updates which Apple describes at:

https://support.apple.com/en-gb/HT207005#systemdatafiles

Is there a way to download and install these separately on Catalina?

LikeLiked by 1 person
- 23
  
  hoakley on December 13, 2020 at 12:00 pm
  
  Yes. You can use the command tool softwareupdate, or either of my free utilities SilentKnight or LockRattler if you prefer a GUI.
  Howard.
  
  LikeLike