hoakley February 5, 2023 Macs, Technology

Last Week on My Mac: Why are security updates still so unreliable?

Apple’s software updates are a cornerstone in the security of our Macs, and updates it releases for the security tools built into macOS are a crucial part of that. When Apple’s security researchers discover a change in threat, it’s essential that all Mac users benefit from the response to that threat as quickly as possible.

With plenty of us now, both at home and in smaller workgroups, using several if not many Apple products, the Content Caching service provided by macOS is our means of getting timely security updates. These servers also reduce the burden on Apple’s software update servers, as they allow multiple Macs to be updated from a single download from Apple.

If only they had worked reliably over the last eight months.

Problems started here on 9 June 2022. My Content Caching server running in Monterey suddenly started delivering XProtect updates to client Macs that failed to install correctly. After flushing its caches, I discovered the only reliable way to install those updates was to disable the Content Caching server altogether, so that each of my Macs had to download the update direct from Apple.

I filed a Feedback report with Apple, complete with a sysdiagnose from a client and one from the server. Weeks passed, and every time there was a new security update, I had to disable my Content Caching service to update successfully, until 4 August, when the update installed through the server for the first time since May. I closed the Feedback, presuming that whatever was the cause of this had been fixed.

The next security update came two weeks later, on 18 August, and behaviour had reverted, forcing me to disable the server once again. I filed a fresh Feedback (FB11333839), with another matched pair of sysdiagnose reports.

Since then, the Content Caching server has worked on another two occasions, on 13 October 2022 and 19 January 2023. Otherwise, each time there’s been a new security update, I’ve gone through the same routine: try first with the server running, watch the update fail to install, disable the server, try installing the update again, this time successfully. This has persisted through upgrading the server and its clients from Monterey to Ventura.

Of the 16 security software updates since the start of June last year, only three have worked as advertised, and the other 13 have failed identically. That’s less than a 20% success rate.

I know from the comments of others here that I’m not alone, and that several of you have disabled your Content Caching servers as a result of these persistent problems. Of course we could be the only ones affected, but given the lack of controls over or insight into the service, there isn’t anything we can do to work around this, other than by disabling the service whenever we want to update, which is deeply contradictory. Isn’t the purpose of the Content Caching server to make updates quicker and easier?

I’ve now reached the stage where I realise little or nothing is going to happen, at least not in Ventura. Maybe macOS 14 will bring an undocumented new feature, “A Content Caching server that works”?

In the meantime, I ask one favour of Apple. If you can’t fix this problem, could you at least give us a workaround in an additional option to the softwareupdate command tool, to download and install software updates direct from Apple rather than through the Content Caching server? I know this shouldn’t be too difficult, as it’s already an internal option for macOS, which is able to elect for downloads from Apple to be made direct, rather than through a local server.

If your Macs rely on a local Content Caching server for their updates, this might be a good time to check that they are being installed correctly on your Macs. I maintain lists of the current versions of security data files for Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page. Which is more than Apple does.

15Comments

Add yours

1

Alan B on February 5, 2023 at 9:35 am

Thankfully my modest setup here does not really need the use of a content caching server. Good luck in your endeavours in persuading Apple to sort their act out.

LikeLiked by 2 people
- 2
  
  hoakley on February 5, 2023 at 5:43 pm
  
  Thank you.
  I have taken the liberty of correcting the text.
  Howard.
  
  LikeLiked by 2 people
3

Alan B on February 5, 2023 at 9:36 am

… sort their act out …

LikeLiked by 2 people
4

Sab Gigo on February 5, 2023 at 7:35 pm

Thank you, Howard. I briefly believed that Apple had corrected the issues with its Content Caching feature, however, I again experienced the update installation failure. I have 4 Macs that are used in my household currently, and have once again disabled Content caching on all Macs, which operated as peers. I thank you for all your hard work in collecting, deciphering, documenting and maintaining the lists and both the successes and failures that Apple has accomplished with their Update and Rapid Response systems. With Apple, it seems like we will eternally suffer the bad with the good, so it’s up to people like you, Mr. Macintosh, OCLP, and many others that provide the extras for Apple users to benefit from. Again, thank you for all that you do!

LikeLiked by 1 person
- 5
  
  hoakley on February 5, 2023 at 10:00 pm
  
  Thank you.
  Howard.
  
  LikeLiked by 1 person
6

Daniel B on February 5, 2023 at 8:05 pm

Amen. Frankly, updating both iOS and macOS is a tremendous pain in the enterprise. It’s getting to the point where it is the greatest weakness.

LikeLiked by 1 person
7

Kathryn Jenkins on February 10, 2023 at 4:07 pm

I applied the most recent security update on a Catalina drive attached to a 2018 Mini. The result was other attached drives disappearing and generic drive icons labeled Update appearing instead. The actual drives and drive names did not appear in the Startup Disk prefs, either. I had to option-boot to find them. I didn’t have the patience to try to unmuck the Catalina drive, so I just wiped it and reinstalled Catalina. But I am leery of appliying the last security update on my Big Sur or Monterey drive.

LikeLiked by 1 person
- 8
  
  hoakley on February 10, 2023 at 6:13 pm
  
  I’m sorry to hear that. If you’re referring to the XProtect Remediator update of a week ago, I don’t see how that could cause that. It’s a single app that gets installed in the CoreServices folder on your Data volume, nothing more. Maybe there’s a different cause?
  Howard.
  
  LikeLike
9

Kathryn Jenkins on February 11, 2023 at 5:14 pm

This was the latest security update, which I downloaded from Apple via system updates. I have the App Store set to not do OS updates automatically. I used to get the security updates from the Apple OS downloads area and install them when it seemed safe to do so, but apparently that’s not possible anymore, or the updates have not been posted there yet. It just left that drive in a weird state.

LikeLiked by 1 person
- 10
  
  hoakley on February 11, 2023 at 9:58 pm
  
  That Catalina Security Update was released last July, and is the final one for Catalina. It’s available as a standalone update from here.
  Because Big Sur and later use a different system for updates, Apple only releases updates through Software Update, and doesn’t provide the same standalone updates any more.
  I hope you manage to sort that problem out.
  Howard.
  
  LikeLike
11

Matt Tracey on March 3, 2023 at 9:25 pm

Thanks for staying on top of this Howard!

As my Feedback Assistant & AppleSeed requests continue to go into the Apple black hole, I finally got tired of doing the Caching Server toggle-off-and-on dance with XProtect updates and whipped up this script which some people may find helpful: https://www.dropbox.com/s/oyu9xtpsdz6287g/macos_CheckAndInstallXProtectUpdates.sh?dl=0

Is it hacky? Yes 🙂
Could it likely be better/more efficient? Heck yes!
Does it appear to do the job in my (limited) testing? Indeed It Does 😀

Currently I’m triggering this on a schedule via our MDM, scoped to a limited set of systems —but barring any massive weirdness I may roll it out to all our meeting room Macs, followed by staff systems (basically anything that touches our internal networks and their content caching servers more often that not, and thus end up missing out on the XProtect updates as a result!)

LikeLiked by 1 person
- 12
  
  hoakley on March 4, 2023 at 7:04 am
  
  Thank you. I wish you success with it.
  Sadly, I don’t think it would work outside of enterprise. It also doesn’t cater for updates other than XProtect and XProtect Remediator, which have always been the great unknowns that SilentKnight tries to include. Until we know how RSRs are going to be delivered, I’m very wary of being too exclusive.
  Howard.
  
  LikeLike
13

Sebby on March 28, 2023 at 6:04 am

I upgraded my internal network to 10 Gbps across the board, so I was really looking forward to some good news on this issue. Sadly it seems still to be unreliable for the config updates as discussed since basically when this was first discovered. Since I am about to replace my 2012 and 2018 Mac Mini servers with another Mac Mini 2023 M2 Pro running Linux VMs for an all-in-one server and this would require bringing over the content cache config and possibly also the existing cache data, I am now wondering seriously whether it would make any sense to even use CCS at all again, for the meagre benefit it brought. Add to that that I’ve now moved to a 1.1Gbps down connection (yes, Virgin Media, sadly) after they finally gave me the equipment I needed to fully benefit from the cable line speed and it begins to look like vanishing gains. I’m sorry that it doesn’t work–it really is a great idea–but I guess it was for a time, and not for all time.

LikeLiked by 1 person
- 14
  
  hoakley on March 28, 2023 at 6:11 am
  
  I don’t know whether the latest updates to 13.3 alter this.
  I only disable my CC server for a few minutes every couple of weeks when the scheduled XPR update needs to be installed. Otherwise it saves a lot of iCloud syncing, and App Store duplicate updates.
  Howard.
  
  LikeLike
  - 15
    
    Sebby on March 28, 2023 at 6:24 am
    
    Thanks Howard, I’ll certainly keep a look out, at least while the existing server is still in place, but I don’t really feel like babysitting things more than absolutely necessary. I’d be grateful for any news though.
    
    On the subject of babysitting, I hit a recurring bug that I suspect most people won’t notice, namely that during any security update, all my Ethernet’s DNS resolvers are deleted from the list if they have the IP addresses of local interfaces. I notice this because I have Cloudflare’s DoH proxy listening to the loopback interface 127.0.0.1, and then macOS configured to use that address. After the update, that breaks, leaving the Mac with no Internet connectivity. Worse, because it’s also my network’s DHCP server, it kills the ‘net on the whole network (that’s my choice, I’ll fix it). Worse, if I cleverly try working around it by just using the IP of a network interface itself, like Ethernet, the exact same thing happens. Maybe there’s some special-case logic in there somewhere that tries to detect this situation, although I can’t imagine what the rationale for that is. Do you happen to be familiar with this? It’s deeply irritating. Of course I could just do what sensible people do, and run the DNS and DHCP on a Linux router directly, and indeed I’ll probably do that, but it’s still curious.
    
    LikeLiked by 1 person