hoakley August 18, 2021 Macs, Technology

What else changed in Big Sur 11.5.2 update?

As you will have gathered, I’m unimpressed with the lack of information that Apple has provided about the macOS 11.5.2 update. Last night, almost a week after its release, it got round to posting as much detail as it wants to give us: it “includes bug fixes for your Mac” is apparently all we’re going be told.

Because of the shortage of release notes in recent years, I’ve taken to cruising through macOS updates looking at version and build numbers for many of the most important parts of the system. From those I work out what significant changes there have been. In the case of these “bug fixes” I identified changes in several important frameworks, including some which are widely used by third-party developers, who suffer the same dearth of information as the user.

Of course, this is only part of the story. Many of the most important parts of macOS aren’t contained in neat bundles with Info.plist files, but in Mach-O binaries. Apple has devised a method of incorporating Info.plist data into those binaries, something which third-party developers are now ‘encouraged’ to use to make notarization of command tools easier. But after much searching, I have been unable to find any executable binary in macOS which does that, and almost all of them bear no accessible version information at all.

Now that Apple has changed macOS to running from a sealed system, every single file on the System volume has to have its own hash, which can’t differ across Macs with the same installed version of macOS, or their Seals would differ. This ensures that every copy of 11.5.2 is identical, and that checking the hashes of individual components can be relied upon as a means of determining whether they have been updated.

So far, I have been comparing hashes between 11.5.1 and 11.5.2 across a limited range of directories, but here are the changes in 11.5.2 that this has already revealed:

in /bin, /sbin and /usr/lib there have been no changes at all;
in /System/Library/dyld all shared caches apart from aot_shared_cache.t8027 have changed, as would be expected from the changes I have already reported in both public and private frameworks;
in /usr/bin, /usr/libexec and /usr/sbin most files are unchanged, with the exception of some significant executables.

The executables which have changed are:

/usr/bin/fileproviderctl which matches the change I reported in the FileProviderDaemon framework;
/usr/bin/sandbox-exec and /usr/libexec/sandboxd;
/usr/sbin/spctl, /usr/libexec/syspolicyd and /usr/libexec/endpointsecurityd;
/usr/libexec/testmanagerd which isn’t documented;
/usr/sbin/tpctl which “manages trusted peers as part of keychain syncing”.

The problem with comparing hashes is that, unlike version and build numbers, they can’t tell you whether anything significant has changed. Hashes are designed to amplify the smallest of changes: a single bit different and there’s a completely different hash. Only Apple could tell us whether these changes in frameworks, sandboxing, spctl, syspolicyd and tpctl are significant, but the mere fact that these have justified a patch update implies that they’re of importance, and not just crossing the ts.

Some years ago, Apple used to include in its security release notes details of vulnerabilities which its own engineers had discovered, so that those notes gave a fairly complete account of what had changed. It’s some years since I last saw such entries, which either means Apple hasn’t discovered and fixed its own bugs, or it isn’t telling us what it does fix unless the vulnerability was discovered by a third-party, who could disclose details.

I think the evidence points to Apple having made significant security fixes in 11.5.2, as well as fixing bugs across important frameworks. At least we now know where to look. Pass me the Hopper…

8Comments

Add yours

1

Tudorminator on August 18, 2021 at 7:59 am

My 2012 mac mini is forever stuck on Mojave, even though I have previously installed unsupported macOS versions on old machines, so I could probably do it again. But I wouldn’t touch Catalina if my life depended on it, Big Sur even less. If not for the dark theme which I actually like, I would have probably stayed on High Sierra.

Every day it seems more and more likely that this is going to be my last mac ever, and if not, then my future macs will most likely be running some flavor of linux, maybe even Windows if Microsoft could get their act together already… Which is ironic, because I always regarded Apple’s hardware as overpriced and underpowered (a real problem when one lives in Eastern Europe), but I absolutely LOVED macOS and considered it vastly superior to anything else. Well, those days are long gone…

With the M1, Apple’s hardware started looking interesting again, but this patronizing assholery that Apple is pulling with macOS and iOS is too much to bear. I understand that I come from a power user’s point of view and my computing needs are probably completely different than those of the vast majority of „regular” users, but I need the freedom to do anything and everything I can think of with my computer, even if it means shooting myself in the foot and hosing my whole system once in a while.

LikeLiked by 1 person
- 2
  
  hoakley on August 18, 2021 at 7:05 pm
  
  Thank you.
  Actually, I think you’re misreading the M1 badly. You do realise that on an M1 you can choose to build and run your own kernel, for example?
  I don’t think there’s much that you can’t do with the M1 if you want – including running Linux, although it may be a while yet before Asahi Linux is complete.
  Howard.
  
  LikeLike
  - 3
    
    Jay on August 21, 2021 at 9:42 am
    
    Have you written about this? I recently read elsewhere that one could not install Linux on an M1.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on August 21, 2021 at 9:47 am
      
      No, I haven’t gone into detail here, as this blog is primarily about macOS, not Linux. If you want to run Linux on an M1 today, the best way is as a guest OS in Parallels Desktop 17. Funnily enough, I have an Ubuntu VM which I’m using to review Parallels for MacFormat and Mac|Life.
      If you want to run Linux without virtualisation, then you’ll have to wait a little longer for Asahi Linux.
      Whoever was telling otherwise was talking rubbish.
      Howard.
      
      LikeLike
5

Michael Tsai - Blog - macOS 11.5.2 on August 18, 2021 at 3:02 pm

[…] Update (2021-08-18): Howard Oakley: […]

LikeLike
6

Duncan on August 18, 2021 at 3:34 pm

I think it’s clear at this point that Apple would just as soon sell sealed devices that the user simply accepts, no questions asked. I can understand such a goal in terms of minimizing support hassles but that is at odds with what third-party developers and security researchers require for access. MacOS is the only OS that Apple allows re-installation of earlier versions, but even that comes with significant hassles now.

I’m not sure how they can strike a better balance, especially in terms of security-related documentation, but what we have now is becoming increasingly obfuscated and difficult to manage. If Apple’s various products were flawless in terms of usability and lack of bugs we wouldn’t care what’s going on behind the curtain. Unfortunately, that’s not the case and in many cases users have to either take it or leave it.

LikeLiked by 1 person
- 7
  
  hoakley on August 18, 2021 at 6:59 pm
  
  Thank you.
  I don’t think that’s generally true. Yes, that tends to be the attitude when it comes to security, although even there Apple recognises the needs of its corporate and large-scale users, most of the time. It employs some excellent staff whose purpose is to ensure that good relationships are maintained, and large users are better-informed. What Apple currently seems to lack is any advocacy for the more advanced Mac user – of whom there must be millions. So we’re caught between the mass market for computers as an appliance, and that for big users. If you can’t do it with MDM and Jamf, then we shouldn’t be doing it, I fear.
  Howard.
  
  LikeLike
8

Robert on August 19, 2021 at 1:32 pm

Thanks for this. It’s odd that apple has moved to more mystery. I didn’t know the ‘sealed’ stuff, and that’s really cool.

LikeLiked by 1 person

·Comments are closed.

Share this:

Related