MacInTouch Amazon link...

Apple security and privacy

Channels
Apple, Security
Should have checked here first - I'm doing a Time Machine restore for a High Sierra MacBook Air as I write.
There have been reports that restoring doesn't help if your T1 EmbeddedOS or T2 BridgeOS was updated, so you may still suffer from the sleep / wake kernel crash issue. Follow here.
 


Nothing really new, same as what we have heard about Google:
It pretty much comes with the technology. That type of speech recognition is a type of machine learning, and if left to itself, its algorithms can go off the rails, like the infamous Microsoft chatbot that evolved into a racist troll after less than 24 hours of unfiltered Twitter feed. The usual solution is having humans check results. That can be a problem with private information.
 


... Apple had to withdraw the updates...
I just downloaded the macOS [10.14.6] combo from Apple. The post is still dated 7/22 (the *.pkg is dated 7/16). System Preferences / Software Update is also showing it available. iOS 12.4 also seems available. Was it just the Sierra updates Apple withdrew? At any rate, it looks like mostly newer, T1, etc. are affected. I just backed up, and will become a statistic shortly... ;-}
 


Ric Ford

MacInTouch
I just downloaded the macOS [10.14.6] combo from Apple. The post is still dated 7/22 (the *.pkg is dated 7/16). System Preferences / Software Update is also showing it available. iOS 12.4 also seems available. Was it just the Sierra updates Apple withdrew? At any rate, it looks like mostly newer, T1, etc. are affected.
The problem appears to be with the special OS (EmbeddedOS/BridgeOS) for the T1/T2 security subsystem in new Macs. Apple removed both the Sierra and High Sierra Security Update 2019-004 packages from distribution and must have pulled the EmbeddedOS/BridgeOS update(s), as well. There were also firmware updates contained within the update packages.

It's all very confusing and Apple hasn't deigned to explain publicly what's going on, but, as far as I know, iOS is unaffected.

The problem is that Apple distributes firmware (EFI) updates and T1/T2 updates together with macOS updates, so Apple may have changed/removed those components, but it's all very unclear (and very unprofessional with Apple's lack of information for customers).
 


Ric Ford

MacInTouch
Here's more from Howard Oakley about the confusion of components involved with Apple's system/security updates:
Eclectic Light Co. said:
What makes macOS updates more complex: T2 firmware updates
Last week’s debacle with macOS Mojave, High Sierra and Sierra updates seems to have resulted from a problem with the T2 chip firmware update. So how come this caused Apple to pull both the Security Updates, even for Macs which don’t have a T2 (or T1) chip?

Before Apple shipped Macs with T1/T2 chips, all EFI and other firmware updates were embedded in the update installer. When you installed an update using softwareupdate or the App Store, what arrived on your Mac was all that was required. This enabled Apple to release standalone installer packages which did exactly the same thing. If your Mac wasn’t connected to the Internet, it was easy to copy across a standalone installer, run that, and any firmware updates would be applied automatically without any need for additional downloads.

This changed with T1/T2 models. Rather than bundling their T1/T2 firmware updates in the standalone installer, those are delivered in a separate package. If your Mac has a T1 or T2 chip and you run a ‘standalone installer’ which needs to update their firmware, during the install the firmware update is downloaded from the update server and installed as part of the update. If your Mac can’t connect to an update server during the update, then that whole update should fail.
 






Thanks for reminding me how ghastly and clumsy Apple's Downloads pages have become. It takes real effort to combine the worst elements of text-driven searching and big-buttoned browsing to create a flattened interface for navigating through what is essentially hierarchical information.
 


I can't get the App Store to download the full Mojave installer. Is this related to the security updates being withdrawn?
I faced the same situation last week, before the update withdrawals. Further, I remember seeing a lot of discussions when Mojave (or HIgh Sierra?) was first released, both here and on other sites, that made it sound like the App Store stub-triggers-full-Installer-download design is now Apple's standard for OS installs. If I remember correctly, it has something to do with the decoupling of macOS software from Apple IDs.
 


I can't get the App Store to download the full Mojave installer. Is this related to the security updates being withdrawn?
Are you using this ‎macOS Mojave link? Are you able to download anything?

In addition to the stub download issues, there have been reports of installation failures on selected T2-based Macs that are related but no complete failure to download anything that I'm aware of.
 


I faced the same situation last week, before the update withdrawals. Further, I remember seeing a lot of discussions when Mojave (or HIgh Sierra?) was first released, both here and on other sites, that made it sound like the App Store stub-triggers-full-Installer-download design is now Apple's standard for OS installs. If I remember correctly, it has something to do with the decoupling of macOS software from Apple IDs.
I thought that when this happened before, ultimately it was determined that it was due to a temporary problem in the App Store.

I had no trouble downloading the full installer for previous versions of Mojave.
Are you using this ‎macOS Mojave link? Are you able to download anything?
Yes, it downloads the stub installer.

(I tried clearing the App Store cache.)
 


It pretty much comes with the technology. That type of speech recognition is a type of machine learning, and if left to itself, its algorithms can go off the rails, like the infamous Microsoft chatbot that evolved into a racist troll after less than 24 hours of unfiltered Twitter feed. The usual solution is having humans check results. That can be a problem with private information.
I think part of the problem lies with the use of non-employees, who are much less bound to any Apple employee conduct guidelines than Apple's own workers. Apple and other companies in this business whose employees regularly have access to private or sensitive information should be vetted and bonded to the proper use of it. I, as a user, wittingly or not, share my information with Apple, not other parties of whom I have no knowledge or with whom I have no recourse in the event my information is compromised, mishandled, stolen, or misused.
 


Ric Ford

MacInTouch
Oh, look, here they are, back again...
I installed Security Update 2019-004 Sierra the first time, and it is listed in Mac App Store > Updates as applied on July 22, but the App Store wants to install it again, this time calling it "Security Update 2019-004 10.12.6" vs. the first version, which was just named "Security Update 2019-004", although it also applied to macOS 10.12.6....

Here are some more details from Howard Oakley:

I guess I'll do more backups, log my system/firmware versions, and reinstall Security Update 2019-004 Sierra on top of Security Update 2019-004 Sierra on two Macs, log the updated system/firmware versions, and then do the same dance for Mojave and High Sierra systems....
 


Ric Ford

MacInTouch
(There's no T1 or T2 subsystem in the 2017 iMac, thus no BridgeOS.)

2017 iMac 5K, running macOS Sierra, after the first Security Update 2019-004 Sierra:
Model Identifier: iMac18,3​
Boot ROM Version: 175.0.0.0.0​
SMC Version (system): 2.41f1​
System Version: macOS 10.12.6 (16G2127)​
Kernel Version: Darwin 16.7.0​

After installing the second version, Security Update 2019-004 10.12.6:
Model Identifier: iMac18,3​
Boot ROM Version: 175.0.0.0.0​
SMC Version (system): 2.41f1​
System Version: macOS 10.12.6 (16G2128)​
Kernel Version: Darwin 16.7.0​

I installed a vanilla macOS Sierra system from a USB flash install stick last week. It has not yet had the following updates installed, but note that the App Store did not list the first Security Update 2019-004 this time, even though I never installed it:
  • iTunes 12.8.2
  • iTunes Device Support Update
  • Remote Desktop Client Update 3.9.3
  • Safari 12.1.2
  • Security Update 2019-004 10.12.6
The older macOS Sierra system firmware and kernel are the same versions as on the updated systems — only the system build number is different (and different in format):
Model Identifier: iMac18,3​
Boot ROM Version: 175.0.0​
SMC Version (system): 2.41f1​
System Version: macOS 10.12.6 (16G29)​
Kernel Version: Darwin 16.7.0​

#firmware #securityupdate
 



Ric Ford

MacInTouch
Here's a pretty big Apple security flaw, patched only in the latest iOS release after Apple was notified a couple of months ago:
Bleeping Computer said:
Apple iMessage Flaw Lets Remote Attackers Read Files on iPhones

An iMessage vulnerability patched by Apple as part of the 12.4 iOS update allows potential attackers to read contents of files stored on iOS devices remotely with no user interaction, as user mobile with no sandbox. The security flaw tracked as CVE-2019-8646 was discovered by Google Project Zero security researcher Natalie Silvanovich who reported it to Apple during May.
 


System Version: macOS 10.12.6 (16G2127) {after first 2019-004 update}
System Version: macOS 10.12.6 (16G2128) {after second 2019-004 update}
System Version: macOS 10.12.6 (16G29) {after install from USB flash drive}
These are expected.
Wikipedia said:
Hackers can confirm or see build numbers without installing by using Pacifist to poke around installer packages and/or mount BaseSystem.dmg from an "Install Mac OS" app. The file containing the build number is
/System/Library/CoreServices/SystemVersion.plist
 


After a week of troubleshooting, I determined the last security update broke file sharing on my main workhorse (2015 MacBook Pro) running Sierra. I keep it in sync with documents on my 2018 Retina MacBook Air.

My error was having the box checked that said to always download and install security updates. Doh!

After resetting the router, needlessly updating to High Sierra (stuck with APFS), I gave up - until I saw notice of the new security update today. Installed it and voila! File sharing works as it always did.

It all came together after researching the topic, and the best information came from MacInTouch threads in November 2017, when a previous security update broke file sharing. Thanks to all who posted to that topic!
 


I installed a vanilla macOS Sierra system from a USB flash install stick last week. It has not yet had these updates installed, and note that the App Store does not list the first Security Update 2019-004:
  • iTunes 12.8.2
  • iTunes Device Support Update
  • Remote Desktop Client Update 3.9.3
  • Safari 12.1.2
  • Security Update 2019-004 10.12.6
Its firmware and kernel are the same — only the system build number is different (and oddly different in format):

Model Identifier: iMac18,3​
Boot ROM Version: 175.0.0​
SMC Version (system): 2.41f1​
System Version: macOS 10.12.6 (16G29)​
Kernel Version: Darwin 16.7.0​
Firmware is associated with the computer and will not vary by macOS version. Once installed by any installer, it will stay the same until a newer version is released on a subsequent installer.

macOS 10.12.6 (16G29) is the release version of 10.12.6, so the Security Update 2019-004 was not installed.
 


Ric Ford

MacInTouch
Firmware is associated with the computer and will not vary by macOS version. Once installed by any installer, it will stay the same until a newer version is released on a subsequent installer.
I guess it's installed in the invisible EFI partition — the first partition on the drive. If I install Mojave on a Sierra system, does it update the EFI firmware in the process? (I think it's a prerequisite for running Mojave.) But, then, can I still boot Sierra from that drive after Mojave has put its own, updated firmware in the EFI partition? (I guess so, since I can boot both macOSes from the same drive.) But if I erase the drive and clean-install Sierra, will that prevent Mojave from booting?
macOS 10.12.6 (16G29) is the release version of 10.12.6, so the Security Update 2019-004 was not installed.
Security Update 2019-004 was not included in the standalone installer, but it's queued as an update now for the installed system.
 


If I install Mojave on a Sierra system, does it update the EFI firmware in the process? (I think it's a prerequisite for running Mojave.) But, then, can I still boot Sierra from that drive after Mojave has put its own, updated firmware in the EFI partition?
Yes and yes. That's some of what makes EFI updates so complicated, in that they must be backward-compatible with any macOS that model is capable of running.

But very little of what's contained in EFI has anything to do the OS — most, if not all, recent updates have been needed to patch [low-level] vulnerabilities and compatibility with the CPU and other hardware features.
But if I erase the drive and clean-install Sierra, will that prevent Mojave from booting?
Security Update 2019-004 will reinstall the EFI update, so that Mojave will boot.
 


No problems with the update on my Hackintosh or my 2013 Mac Pro.

I must say that the more I hear about the T2-based Macs, the less inclined I am to ever get one. The security enhancements read great but don't seem to have much real-world relevance, unlike the tradeoffs in upgradeability, serviceability, and overall system reliability.
 


I guess it's installed in the invisible EFI partition — the first partition on the drive.
One other thing that might help here: Although EFI is uploaded to a normally hidden partition of the boot drive, it's just an interim placement which is transferred to the computer's firmware at first boot after a change.

I don't believe that an older version will ever replace a newer version on the computer — if you were to totally erase the drive and install an older EFI partition, it should not impact your ability to boot any hardware-compatible macOS.
 


There were two High Sierra updates that came through the App Store. I installed the first one on July 23 and the replacement yesterday. Neither created problems, but I installed both just in case.
 


This may seem like a stupid question, but should I install the new macOS 10.14.6 update over the old one or just leave things alone? I have not had any problems with the old 10.14.6 update on my 2017 MacBook.
 


Ric Ford

MacInTouch
This may seem like a stupid question, but should I install the new macOS 10.14.6 update over the old one or just leave things alone? I have not had any problems with the old 10.14.6 update on my 2017 MacBook.
It's a very confusing situation, but Apple's macOS 10.14.6 download page shows a date of July 22.

One thing you could do is run Howard Oakley's SilentKnight, which will report on the various components and their update status. But if macOS wants to install an update, it should be OK. Just be sure to make a good, complete backup and set that aside before doing the update, since they can sometimes go wrong (or very wrong).

I installed macOS 10.14.6 on a 2018 MacBook Pro on July 23, and there is no new update shown in System Preferences > Software Update. Here are the current versions on this system, which SilverKnight reports is up to date:
Model Identifier: MacBookPro15,2​
Boot ROM Version: 220.270.99.0.0 (iBridge: 16.16.6568.0.0,0)​
System Version: macOS 10.14.6 (18G84)​
Kernel Version: Darwin 18.7.0​
 


Amazon disclaimer:
As an Amazon Associate I earn from qualifying purchases.

Latest posts