Latest Update on #iamroot Security Concerns

Tags: ,
Blog Author
Doug Wilson

Further updates in the #iamroot saga have shown a confusing set of responses from Apple that invalidate some of what I posted earlier, and also may give a false sense of security if users have not installed updates in the proper sequence and then restarted.

This is not intended as a critique of how the updates were done, but rather a quick look at the osquery implications after the additional updates:

  1. You ultimately want to be on software revision 17B1003 which is actually the second revision of Security Update 2017–001 for High Sierra (macOS 10.13.x). osquery can tell you this easily.
  2. You do not have to reboot if you installed in the proper sequence, but you may wish to check to see if a given computer has been rebooted since you did an update, and/or check and see what sequence the updates were installed in. You can do this with osquery, and we’ll walk through how.
  3. You may be concerned about users who are on 10.13.0, got the Security Update pushed, but then updated to 10.13.1 (re-introducing the vulnerability) See #2 above.

Though many IT folks may be cursing at Apple right about now, not all is grim about this, as it lets us see some more of the functionality of osquery in action.

To check your software revision, simply do the following (as in the last post):

osquery> select * from os_version;
| name | version | major | minor | patch | build | platform |
| Mac OS X | 10.13.1 | 10 | 13 | 1 | 17B1003 | darwin |

This time we are looking for version of build = 17B1003 so we will redo our distributed query (looking for High Sierra Macs at the wrong patch level) as follows:

select * from os_version where major='10' and minor = '13' and patch = '1' and build <> '17B1003'

But, since just having the correct revision might not be enough, let’s say that we want to see the order the updates were installed in, or we want to see if a mac has been rebooted recently. We can also do this with osquery!

osquery has a table for macOS named package_install_history which contains — you guessed it! A history of all the packages installed on your macOS machine. If we do

select * from package_install_history

we’re going to see a lot of rows go by, especially if you have been using your mac for a while. Let’s narrow it down to the problem at hand, instead. We could go through the most recent updates, and see what’s there. Below, I’ve done one version of that for you.

This is a bit messy, but what I’m doing is grabbing updates to High Sierra, as well as the specific identifiers to the two different versions of Security Update 2017–001 and the simultaneous X-Protect update that came out with them.

select datetime(time, 'unixepoch') as install_time, name, version, package_id from package_install_history where name = 'Install macOS High Sierra' OR package_id in ('', '', '') order by time;

Doing some editing on  so that this fits on the screen, we get something like this:

| install_time | name | version | package_id|
| 11-15 15:51:29 | Install macOS High Sierra | 10.13.1 | |
| 11-15 15:51:29 | Install macOS High Sierra | 10.13.1 | |
| 11-15 15:51:29 | Install macOS High Sierra | 10.13.1 | |
| 11-30 02:24:34 | Security Update 2017-001 | | .17B102 |
| 12-04 15:01:47 | XProtectPlistConfigData | 2097 | |
| 12-04 15:03:18 | Security Update 2017-001 | | .17B103 |

(n.b. depending on how you installed High Sierra, you may have more lines than this on your screen. Also, package_id is going to have a lot more data in real life).

The machine here was patched in the correct order — it was already at 10.13.1, and then it got both security updates in order. But if the results were different, you might want to investigate.

If we want to go back further while investigating this thread, we can see all of your macOS installs in this timeline by changing the query to the following:

select * from package_install_history where name like '%macOS%' OR package_id in ('', '', '') order by time;

Depending on how new or old your mac is, you may see all the way back to when your OS was first installed! I haven’t tried this on an older machine to see if the naming convention changed in earlier versions.

And, the final piece of the puzzle — Has your mac been rebooted? Probably the simplest query we can do in osquery gives us the answer:

osquery> select * from uptime;
| days | hours | minutes | seconds | total_seconds |
| 0 | 0 | 2 | 41 | 161 |

I love the smell of a freshly rebooted computer in the morning!

Hopefully there are no new security updates for a few days now . . .

Thanks for reading. If you have comments about this article, or questions about osquery, drop me a line.