Last Week on My Mac: Security updates are down again

Mac security, privacy, and every one of its features are founded on the many and various updates we get to macOS. Apple makes no bones about their importance to security, in its Platform Security Guide: “Security is a process; it isn’t enough to reliably boot the operating system version installed at the factory — there must also exist a mechanism to quickly and securely obtain the latest security updates.”

It continues there to extol the virtues of the macOS Content Caching server: “What’s more, software updates can be cached on a Mac running macOS 10.13 or later with Content Caching turned on, so that iOS and iPadOS devices don’t need to redownload the necessary update over the internet.”

On another page in that guide, Apple makes clear the importance of daily checks for urgent security data updates: “Apple issues the updates for XProtect automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily.”

Over the last three months, of the nine security updates to XProtect pushed by Apple, only one has been delivered and installed correctly through my Monterey Content Caching server, that on 4 August. The other eight security updates to XProtect and its new companion XProtect ‘Remediator’ all downloaded correctly from my local server, but then failed to install. Details are in the Appendix.

I know from readers’ comments here that I’m not alone in experiencing these failures with the Content Caching server, and many of you have now disabled yours as being too unreliable to trust. What none of us knows is how many Macs are still using out of date versions of XProtect security data because of these persistent failures. As you’re unlikely to be aware of these failed updates unless you go looking for them, many running local Content Caching may be unaware of how far behind their Macs are.

Although working around these problems hasn’t been difficult for me, I’ve been so concerned at their consequences that I’ve raised Feedback reports to Apple. The first was back in June, which I closed when the bug appeared to be fixed in early August, and the second when it broke again following the very next security update on 18 August. The second of those remains both open and as yet without any response from Apple.

I have two principal concerns with this persistent problem: that Apple only seems aware of such failures through Feedback reports, and that macOS security relies on a software update system which looks so complex and fragile.

Given the importance of quickly and securely obtaining the latest security updates, there’s a glaring omission in not propagating error reports from the client Mac to the Content Caching server, and from there back to Apple’s software update service. Apple’s servers simply push out millions of updates, making the unwarranted assumption that they all install correctly and prove effective. In the absence of such feedback, Apple has no assurance that its security updates reach those client Macs, and the update mechanism isn’t known to be effective.

Ironically, the most reliable security updates I’ve experienced over the last three months have been those of macOS virtual machines running with Monterey’s Virtualization framework, which can’t use the Content Caching server, and have the least need to be kept up to date anyway. They provide an ideal opportunity to watch the work of the various processes and subsystems involved in software update, when it checks for new updates shortly after startup. The long and complex series of entries suggests that these processes are far from being clean and simple, and likely to be prone to bugs and failure as a result.

The Content Caching server is one of the last surviving fragments of what was once Mac OS X Server, and as far as I can tell originated 17 years ago in Mac OS X Server 10.4. In return for its simplicity in configuration and management, it’s highly uninformative. When it just doesn’t work, the user is given few clues as to what went wrong, and no effective means to fix it.

As foundations for macOS security, software updates and the Content Caching server need to be timely and thoroughly reliable. As eight failures in nine attempts demonstrates, they’re not, and on many Macs may well be compromising security rather than being a mechanism to quickly and securely obtain the latest security updates.

Perhaps instead of reinventing System Preferences as System Settings with SwiftUI, a better investment for Ventura would have been sleek rewrites of the software update subsystems and the Content Caching server. Without them, there is no macOS security.

Appendix: Reliability of security data updates pushed since 1 May 2022

  • XProtect 2159, 12 May 2022, installed correctly
  • XProtect 2160, 9 June 2022, failed to install
  • XProtect Remediator 62, 17 June 2022, failed to install
  • XProtect 2161, XProtect Remediator 64, 30 June 2022, failed to install
  • XProtect Remediator 65, 7 July 2022, failed to install
  • XProtect Remediator 67, 21 July 2022, failed to install
  • XProtect Remediator 68, 4 August 2022, installed correctly
  • XProtect 2162 and XProtect Remediator 71, 18 August 2022, failed to install

Monterey and Ventura beta clients, with a Monterey server, all running the latest versions.