hoakley August 28, 2022 Macs, Technology

Last Week on My Mac: Security updates are down again

Mac security, privacy, and every one of its features are founded on the many and various updates we get to macOS. Apple makes no bones about their importance to security, in its Platform Security Guide: “Security is a process; it isn’t enough to reliably boot the operating system version installed at the factory — there must also exist a mechanism to quickly and securely obtain the latest security updates.”

It continues there to extol the virtues of the macOS Content Caching server: “What’s more, software updates can be cached on a Mac running macOS 10.13 or later with Content Caching turned on, so that iOS and iPadOS devices don’t need to redownload the necessary update over the internet.”

On another page in that guide, Apple makes clear the importance of daily checks for urgent security data updates: “Apple issues the updates for XProtect automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily.”

Over the last three months, of the nine security updates to XProtect pushed by Apple, only one has been delivered and installed correctly through my Monterey Content Caching server, that on 4 August. The other eight security updates to XProtect and its new companion XProtect ‘Remediator’ all downloaded correctly from my local server, but then failed to install. Details are in the Appendix.

I know from readers’ comments here that I’m not alone in experiencing these failures with the Content Caching server, and many of you have now disabled yours as being too unreliable to trust. What none of us knows is how many Macs are still using out of date versions of XProtect security data because of these persistent failures. As you’re unlikely to be aware of these failed updates unless you go looking for them, many running local Content Caching may be unaware of how far behind their Macs are.

Although working around these problems hasn’t been difficult for me, I’ve been so concerned at their consequences that I’ve raised Feedback reports to Apple. The first was back in June, which I closed when the bug appeared to be fixed in early August, and the second when it broke again following the very next security update on 18 August. The second of those remains both open and as yet without any response from Apple.

I have two principal concerns with this persistent problem: that Apple only seems aware of such failures through Feedback reports, and that macOS security relies on a software update system which looks so complex and fragile.

Given the importance of quickly and securely obtaining the latest security updates, there’s a glaring omission in not propagating error reports from the client Mac to the Content Caching server, and from there back to Apple’s software update service. Apple’s servers simply push out millions of updates, making the unwarranted assumption that they all install correctly and prove effective. In the absence of such feedback, Apple has no assurance that its security updates reach those client Macs, and the update mechanism isn’t known to be effective.

Ironically, the most reliable security updates I’ve experienced over the last three months have been those of macOS virtual machines running with Monterey’s Virtualization framework, which can’t use the Content Caching server, and have the least need to be kept up to date anyway. They provide an ideal opportunity to watch the work of the various processes and subsystems involved in software update, when it checks for new updates shortly after startup. The long and complex series of entries suggests that these processes are far from being clean and simple, and likely to be prone to bugs and failure as a result.

The Content Caching server is one of the last surviving fragments of what was once Mac OS X Server, and as far as I can tell originated 17 years ago in Mac OS X Server 10.4. In return for its simplicity in configuration and management, it’s highly uninformative. When it just doesn’t work, the user is given few clues as to what went wrong, and no effective means to fix it.

As foundations for macOS security, software updates and the Content Caching server need to be timely and thoroughly reliable. As eight failures in nine attempts demonstrates, they’re not, and on many Macs may well be compromising security rather than being a mechanism to quickly and securely obtain the latest security updates.

Perhaps instead of reinventing System Preferences as System Settings with SwiftUI, a better investment for Ventura would have been sleek rewrites of the software update subsystems and the Content Caching server. Without them, there is no macOS security.

Appendix: Reliability of security data updates pushed since 1 May 2022

XProtect 2159, 12 May 2022, installed correctly
XProtect 2160, 9 June 2022, failed to install
XProtect Remediator 62, 17 June 2022, failed to install
XProtect 2161, XProtect Remediator 64, 30 June 2022, failed to install
XProtect Remediator 65, 7 July 2022, failed to install
XProtect Remediator 67, 21 July 2022, failed to install
XProtect Remediator 68, 4 August 2022, installed correctly
XProtect 2162 and XProtect Remediator 71, 18 August 2022, failed to install

Monterey and Ventura beta clients, with a Monterey server, all running the latest versions.

14Comments

Add yours

1

jvbeaupre on August 28, 2022 at 1:48 pm

I have the iMac with the m1 chip and run macOS 12.4. When I check for system updates, I’m told the system is up to date. What’s going on: I thought that I needed macOS 12.5.x to close some security problems.
Any insights are appreciated.

LikeLiked by 1 person
- 2
  
  hoakley on August 28, 2022 at 5:36 pm
  
  I’m sorry to hear that.
  What I’d do is run my free utility SilentKnight (available from Downloads above). When that checks for updates, it often finds macOS updates which Software Update hasn’t yet discovered. Don’t let SilentKnight download the update, though: that should trigger its availability in the Software Update pane, which is the best place to download and install it.
  Once updated, run SilentKnight again and you can then use it to download and install any necessary smaller security data updates.
  I wish you success.
  Howard.
  
  LikeLike
  - 3
    
    jvbeaupre on August 28, 2022 at 6:40 pm
    
    Right after I ran Silent Knight, the latest macos,12.5.1, appeared in Software update. WONDERFUL.
    Good tip & thanks
    
    LikeLiked by 1 person
    - 4
      
      hoakley on August 28, 2022 at 8:17 pm
      
      You’re most welcome.
      Howard.
      
      LikeLike
5

Gideon on August 29, 2022 at 1:22 pm

Thank you Howard for looking into this situation and notifying Apple.
I agree, this should be treated with high priority.

I’ve lately also observed strange behavior in this regard. For this reason, I too have deactivated Content Caching on the 11.6.8 Mac on my network.
Setting up a new MacBook Pro 16″ M1 Pro, after installing 12.5.1 from the App Store (Combo Install), a check with SilentKnight revealed that the XProtect updates were missing. System Preferences was set up to automatically install Security Updates. This did not take place. Trying to install with your SilentKnight 1.21 failed. However after waiting a while, System Information>Installations showed that the Updates had now been installed. Checking with SilentKnight it still notified that the Updates were outstanding. After several restarts and some hours later SilentKnight remained convinced that the Security Updates were missing and needed installing. This is not a singled out occasion where I have encountered this. I’ve witnessed it a couple of times on Catalina, Big Sur and Monterey Macs over the past couple of months.
Is there another, perhaps more reliable way to check if an update has been applied?

LikeLiked by 1 person
- 6
  
  hoakley on August 29, 2022 at 3:30 pm
  
  Thank you.
  I’m afraid that System Information isn’t reliable – it only tells you which installers have run, not whether they have been successful in updating. SilentKnight actually checks the bundle version numbers, and is therefore authoritative. If SilentKnight says that only version 68 is installed, then believe it – and try to get that update to install correctly.
  I have an article publishing on Wednesday morning which goes into full detail about these problems, as they’re now so common.
  Howard.
  
  LikeLike
7

David on August 31, 2022 at 2:39 pm

Here is a weird one. Content Caching is ON on my M1 mac/server. My iNtel mac updated (using Silent knight) XProtect to 2162,71 just fine after noting it was out of date. However when I went to the M1 it wouldn’t update to ,71 until I turned CC OFF. Then it would update. Not what I expected, and I hope this datapoint helps you in figuring out what is going on with CC.

LikeLiked by 1 person
- 8
  
  hoakley on August 31, 2022 at 4:16 pm
  
  Thank you.
  That’s exactly the behaviour I experienced with the last XProtect updates – the iMac Pro hosting the CC server updated fine, but no other Mac client could.
  I’m afraid this isn’t something that we can fix. It rests with Apple, whether it’s in their software update servers or the local CC server.
  Howard.
  
  LikeLike
  - 9
    
    David on August 31, 2022 at 5:13 pm
    
    Your experience was exactly opposite of mine. The CC server didn’t update, while the served computer did. That is what makes this so unusual. (no need to post this update).
    
    LikeLiked by 1 person
    - 10
      
      hoakley on August 31, 2022 at 8:19 pm
      
      Ah, right. I had that behaviour during the previous 2-month outage, on a couple of occasions. Sometimes it seems to be just luck, which I find even more disturbing when it comes to updates.
      Howard.
      
      LikeLike
11

Dakotamoons on October 24, 2022 at 6:20 pm

Stupid question. Sorry.

Where in the world can one find the “date-coded” security update status, such as “2022-005” as opposed to the build number (19H2026) which can be displayed in the “About This Mac” pop-up? I checked in the System Report and found the (19H2026) code, but can’t find the same update (2022-005) displayed anywhere. Frustrating.

Also, I guess I never noticed the absence of either reference to “security” updates, specifically, in SilentKnight. Sorry, I am dyslexic. That could explain some or all of this. TIA, John

LikeLiked by 1 person
- 12
  
  hoakley on October 24, 2022 at 9:14 pm
  
  Not stupid at all.
  When Apple changed its macOS version numbering with macOS 11, it did away with that system of numbering security updates, and incorporated them into a single coherent system.
  Now, macOS N.0 to N.5.x are general updates during the first year. N.6 onwards are security updates during the second year, and N.7 onwards are security updates during the third and final year of support.
  SilentKnight has never tracked such updates, but displays the currently running version of macOS in the window title. LockRattler does still show macOS versions and, in older macOS, security updates.
  I hope that’s a bit clearer.
  Howard.
  
  LikeLiked by 1 person
  - 13
    
    Dakotamoons on October 24, 2022 at 9:25 pm
    
    Thank you Howard. I do see the build number in the in the window title. I wish the “human” title would display somewhere as well, i.e., “2022-005”, etc. Either in SL, or in the System Report, but can’t find it.
    
    LikeLiked by 1 person
    - 14
      
      hoakley on October 24, 2022 at 9:30 pm
      
      From macOS 11 onwards, there isn’t a “human title”, neither do you need a build number. The version numbering system takes it all into account without confusion.
      Howard.
      
      LikeLiked by 1 person

·Comments are closed.

Share this:

Related