Tim Hardwick (Avid, Hacker News):
Variety reports this morning of a possible computer virus attack or critical software failure affecting Mac Pro workstations across Los Angeles.
According to social media chatter, Hollywood Film and TV editors discovered late on Monday that “trashcan” Mac Pros running older versions of macOS and AVID’s Media Composer software were refusing to reboot after shutting down.
Mr. Macintosh (Hacker News):
After further investigation it was found that AVID was not the problem!
[…]
After investigation from some of the top minds in the MacAdmins Slack chat #varsectomy channel it was found that the Google Keystone Updater was at the heart of the issue.
Google:

We recently discovered that a Chrome update may have shipped with a bug that damages the file system on macOS machines with System Integrity Protection (SIP) disabled, including machines that do not support SIP. We’ve paused the release while we finalize a new update that addresses the problem.
[…]
To recover a machine that has been affected by this bug, please boot into recovery mode, and then from the Utilities menu open the Terminal application.
In the Terminal application, you can run the following commands[…]
Rich Trouton:
The now-pulled Keystone update attempts to remove the /var symlink, which is usually protected by Apple’s System Integrity Protection (SIP) security feature.
On Macs where SIP was disabled, this protection did not apply and the Keystone update was able to remove the /var symlink. This symlink is not a directory itself, but points to another directory (/private/var) which contains software necessary for the operating system to boot and function correctly, so removing the /var symlink rendered the affected Macs unbootable.
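A check for the condition Rich Trouton describes, added here as an example (it is not Google's recovery procedure and not the MacAdmins script): it verifies that var under a given root is a symlink to private/var, recreates the link only when it is absent and private/var is still present, and on macOS reapplies the restricted and hidden flags and the com.apple.rootless attribute that SIP keeps on /var (that flag set is an assumption about a stock install; on other systems that step is a no-op). The ROOT argument is the boot volume as mounted from Recovery, for example /Volumes/Macintosh HD; run the check against / on a Mac that has SIP disabled and has not rebooted yet to see whether the symlink is already gone.

```shell
#!/bin/sh
# var_symlink_check.sh: detect, and optionally repair, a missing /var symlink.
# Added example, not Google's or the MacAdmins script. ROOT is the volume root
# (in Recovery: "/Volumes/Macintosh HD"); defaults to the running system.

# check_var_symlink ROOT
#   0: ROOT/var -> private/var and the target exists (healthy)
#   1: ROOT/var is missing
#   2: ROOT/var is a real directory, points elsewhere, or its target is gone
check_var_symlink() {
  root="${1:-/}"
  if [ -L "$root/var" ]; then
    target=$(readlink "$root/var")
    case "$target" in
      private/var|/private/var) ;;
      *) echo "$root/var points at '$target', expected private/var" >&2; return 2 ;;
    esac
    [ -d "$root/private/var" ] || { echo "$root/private/var is missing" >&2; return 2; }
    return 0
  elif [ -e "$root/var" ]; then
    echo "$root/var exists but is not a symlink" >&2
    return 2
  else
    echo "$root/var is missing" >&2
    return 1
  fi
}

# restore_sip_flags ROOT
#   macOS only: reapply the flags SIP normally keeps on /var (assumption: a
#   stock install carries restricted,hidden plus the com.apple.rootless xattr).
restore_sip_flags() {
  root="${1:-/}"
  [ "$(uname -s)" = Darwin ] || return 0
  command -v chflags >/dev/null 2>&1 || return 0
  chflags -h restricted "$root/var" 2>/dev/null || true
  chflags -h hidden "$root/var" 2>/dev/null || true
  xattr -sw com.apple.rootless "" "$root/var" 2>/dev/null || true
  return 0
}

# repair_var_symlink ROOT
#   recreates the symlink only when it is absent and ROOT/private/var exists;
#   refuses to touch anything that is already there.
repair_var_symlink() {
  root="${1:-/}"
  if [ ! -d "$root/private/var" ]; then
    echo "$root/private/var not found; refusing to create a dangling symlink" >&2
    return 1
  fi
  if [ -e "$root/var" ] || [ -L "$root/var" ]; then
    echo "$root/var already exists; not touching it" >&2
    return 1
  fi
  # relative target, as on a stock install (/var -> private/var)
  ln -s private/var "$root/var" || return 1
  restore_sip_flags "$root"
}

# sip_status: prints enabled, disabled, or unknown (csrutil exists only on macOS)
sip_status() {
  command -v csrutil >/dev/null 2>&1 || { echo unknown; return 0; }
  case "$(csrutil status 2>/dev/null)" in
    *enabled*)  echo enabled ;;
    *disabled*) echo disabled ;;
    *)          echo unknown ;;
  esac
}

# Usage (from macOS Recovery, with the boot volume mounted):
#   sh var_symlink_check.sh check  "/Volumes/Macintosh HD"
#   sh var_symlink_check.sh repair "/Volumes/Macintosh HD"
case "${1:-}" in
  check)  check_var_symlink "${2:-/}" && echo "var symlink ok (SIP: $(sip_status))" ;;
  repair) repair_var_symlink "${2:-/}" && echo "recreated ${2:-/}/var" ;;
esac
```

The repair deliberately does nothing if var is present in any form; a real directory at that path is a different failure and should be looked at by hand rather than replaced.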
Update (2019-09-26): Jeff Johnson:
Something fishy with Google’s latest comment. Seems to be shifting the blame. Why act as if the updater doesn’t have root?
John Gruber:
Why in the world would a web browser’s software updater be doing anything at all at the root level of the boot volume? The arrogance and presumptuousness here boggles the mind. This is like hiring someone to wash your windows and finding out they damaged the foundation of your house.
The other question is why in the world so many users would disable System Integrity Protection. The answer seems to be that it’s the only way macOS will let the AVID customers use third-party video cards.
See also: Hacker News.
Update (2019-09-27): Jeff Johnson:
People: Why does a web browser installer need to modify the system?!?
Me: $ lsbom /System/Library/Receipts/com.apple.pkg.Safari13.0.1MojaveAuto.bom | grep /System/
Jeff Johnson:
The Google Keystone bug isn’t a justification for System Integrity Protection. In fact, if SIP didn’t exist, Google would most likely have noticed the bug before shipping it. So in a sense, SIP is partially to blame for the disaster.
This is true, but it doesn’t mean SIP was a bad idea. Rather, SIP is treating the symptoms rather than helping to identify the causes. It certainly could do more of the latter, e.g. if it maintained an audit log. I don’t mean the gigabytes of console spew that we currently get for SIP and sandbox violations. Instead, there should be a friendly window that concisely shows what each app was thwarted from doing. The Chrome developer—or even Chrome users—would be able to see at a glance that it tried to delete the /var folder 39 times and would then be able to ask why.
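The per-app tally described above can be approximated today from the unified log. Added example, not from the post: the Sandbox subsystem reports SIP denials as messages of the form "Sandbox: process(pid) System Policy: deny(1) operation path", which is the line shape this parser assumes; it counts denials per process, operation and path. The sample lines below are constructed (timestamps, pids, the second tool and its path are made up); on a real Mac feed it the output of log show --last 1d --predicate 'eventMessage CONTAINS "System Policy: deny"'.

```shell
#!/bin/sh
# sip_denials.sh: count SIP ("System Policy") denials per process, operation and path.
# Added example, not from the post. Assumes lines of the shape
#   ... Sandbox: <process>(<pid>) System Policy: deny(<n>) <operation> <path>
# as logged by the Sandbox subsystem; other lines are ignored.

# summarize_sip_denials [FILE]
#   reads FILE (or stdin) and prints "count<TAB>process<TAB>operation<TAB>path",
#   most frequent first
summarize_sip_denials() {
  awk '
    /System Policy: deny\(/ {
      i = index($0, "Sandbox: ")
      if (i == 0) next
      s = substr($0, i + 9)                 # "<process>(<pid>) System Policy: deny(n) op path"
      proc = s; sub(/\(.*$/, "", proc)      # drop "(pid) ..." -> process name
      rest = substr(s, index(s, "deny("))
      sub(/^deny\([0-9]*\) /, "", rest)     # "op path"
      split(rest, f, " ")
      op = f[1]
      path = substr(rest, length(op) + 2)   # keep spaces inside the path
      count[proc "\t" op "\t" path]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' "${1:-/dev/stdin}" | sort -nr
}

# Constructed sample in the shape of `log show` output (nothing here is a real capture).
sample_sip_log() {
  cat <<'EOF'
2019-09-24 16:03:11.120341-0700 0x1a2b Default 0x0 0 0 kernel: (Sandbox) Sandbox: ksinstall(5130) System Policy: deny(1) file-write-unlink /private/var
2019-09-24 16:03:11.120402-0700 0x1a2b Default 0x0 0 0 kernel: (Sandbox) Sandbox: ksinstall(5130) System Policy: deny(1) file-write-unlink /private/var
2019-09-24 16:04:02.003118-0700 0x1c40 Default 0x0 0 0 kernel: (Sandbox) Sandbox: exampletool(4242) System Policy: deny(1) file-write-create /System/Library/Extensions/Example.kext
2019-09-24 16:05:47.771005-0700 0x1a2b Default 0x0 0 0 kernel: (Sandbox) Sandbox: ksinstall(5131) System Policy: deny(1) file-write-unlink /private/var
2019-09-24 16:05:48.000000-0700 0x1a2b Default 0x0 0 0 kernel: unrelated message that must be ignored
EOF
}

# Real data:
#   log show --last 1d --predicate 'eventMessage CONTAINS "System Policy: deny"' | summarize_sip_denials
# Demo on the constructed sample:
sample_sip_log | summarize_sip_denials
```

Grouping by process rather than pid is what makes the pattern visible: an updater that retries the same unlink across several launches shows up as one line with a large count instead of a scatter of single denials.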
Jeff Johnson:
Every app outside the Mac App Store has to roll its own software updater. This is how we get software update problems. Apple has left this gaping hole in the system forever. Why is there no system process and API for 3rd party app updates?
It’s a totally obvious idea that could have been done 20 years ago. And it would be more helpful today in that updating sandboxed apps is harder. But it’s also kind of a strategy tax. Making life better for directly sold apps (and their users) would cost services revenue and reduce the value proposition of the Mac App Store.
Update (2019-10-13): To be clear, the Chrome updater only asked for root access if you enabled the option to Automatically update Chrome for all users.
Tangentially related: I’m not sure “#varsectomy” promotes the kind of inclusive environment we’d like to see in software.

The Chrome bug is insane. That is all.
Google pushed this Keystone Updater across all SKUs, I noticed it when BlockBlock threw up a dialog for no reason whatsoever, on my 2012 Mini. This would’ve crippled my Mini too.
SIP is annoying but NEVER turn off SIP. Those Avid jockeys should run Windows until Avid properly signs their drivers.
Google is now malware, they’ve crossed the malware line. No updater should ever need root. Google should FIRE and BLACKLIST that installer “engineer.”
EVERY MAC USER should run BlockBlock. All the positives with none of the negatives of Catalina on your macOS now.
Every app outside the Mac App Store has to roll its own software updater. This is how we get software update problems. Apple has left this gaping hole in the system forever. Why is there no system process and API for 3rd party app updates?
No, no, no.
Yes, it would have been great if Apple had shipped a standard way to update apps (and also a better mechanism to remove them that also removes satellite files), but Sparkle does exist, has existed for a long time, and gets the job done just fine.
Google could’ve used that. They do not want to, because of NIH culture, and also because they don’t want the user’s consent in changing their software whenever they please (something euphemistically known as “evergreen” now).
Wait, the Chrome updater deleted /var?
Look, as someone who just deleted both my anacrontab and anacrontab.bak file because I was a lazy typist (just cp first file to second file location and then changed my command to rm, instead of retyping, stupidly autocompleted and clicked enter without thinking…yeah, that kind of stupid), I get how these things can happen.
I even had a Samba problem when my fstab was edited to map a Samba drive at boot and the file browser kept freaking out when I navigated to the mount point. I even copy and pasted the correct entry from a different fstab, well correct, except for the specific mount point on the server side, so I edited the share manually and saved. After going on my merry way, none the wiser, turns out when I deleted a bit of the IP address while editing the share, instead of undoing that deletion, I got cute and manually retyped the address before saving the fstab. Wrongly retyped as it were when I discovered the last two digits of the IP address were transposed! Oops! E.g. /10.0.0.1/fooshare became 10.0.1.0/fooshare.
Even still, Google should be able to do better than Mr One Man Band, home IT guy like myself. Geeze!
This article is intended for enterprise and education network administrators.
Apple products require access to the Internet hosts in this article for a variety of services. Here's how your devices connect to hosts and work with proxies:
- Network connections to the hosts below are initiated by the device, not by hosts operated by Apple.
- Apple services will fail any connection that uses HTTPS Interception (SSL Inspection). If the HTTPS traffic traverses a web proxy, disable HTTPS Interception for the hosts listed in this article.
Make sure your Apple devices can access the hosts listed below.
Apple Push Notifications
Learn how to troubleshoot connecting to the Apple Push Notification service (APNs). For devices that send all traffic through an HTTP proxy, you can configure the proxy either manually on the device or with a configuration profile. Beginning with macOS 10.15.5, devices can connect to APNs when configured to use the HTTP proxy with a proxy auto-config (PAC) file.
Device setup
Access to the following hosts might be required when setting up your device, or when installing, updating or restoring the operating system.
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
albert.apple.com | 443 | TCP | iOS, tvOS, and macOS | — | Yes |
captive.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Internet connectivity validation for networks that use captive portals. | Yes |
gs.apple.com | 443 | TCP | iOS, tvOS, and macOS | — | Yes |
humb.apple.com | 443 | TCP | iOS, tvOS, and macOS | — | Yes |
static.ips.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | — | Yes |
tbsc.apple.com | 443 | TCP | macOS only | — | Yes |
time-ios.apple.com | 123 | UDP | iOS and tvOS only | Used by devices to set their date and time | — |
time.apple.com | 123 | UDP | iOS, tvOS, and macOS | Used by devices to set their date and time | — |
time-macos.apple.com | 123 | UDP | macOS only | Used by devices to set their date and time | — |
Device Management
Network access to the following hosts might be required for devices enrolled in Mobile Device Management (MDM):
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.push.apple.com | 443, 80, 5223, 2197 | TCP | iOS, tvOS, and macOS | Push notifications | Learn more about APNs and proxies. |
gdmf.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM server to identify which software updates are available to devices that use managed software updates. | Yes |
deviceenrollment.apple.com | 443 | TCP | iOS, tvOS, and macOS | DEP provisional enrollment. | — |
deviceservices-external.apple.com | 443 | TCP | iOS, tvOS, and macOS | — | — |
identity.apple.com | 443 | TCP | iOS, tvOS, and macOS | APNs certificate request portal. | Yes |
iprofiles.apple.com | 443 | TCP | iOS, tvOS, and macOS | Hosts enrollment profiles used when devices enroll in Apple School Manager or Apple Business Manager through Device Enrollment | Yes |
mdmenrollment.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM servers to upload enrollment profiles used by clients enrolling through Device Enrollment in Apple School Manager or Apple Business Manager, and to look up devices and accounts. | Yes |
setup.icloud.com | 443 | TCP | iOS only | Required to log in with a Managed Apple ID on Shared iPad. | — |
vpp.itunes.apple.com | 443 | TCP | iOS, tvOS, and macOS | MDM servers to perform operations related to Apps and Books, like assigning or revoking licenses on a device. | Yes |
Software updates
Make sure you can access the following ports for updating macOS, apps from the Mac App Store, and for using content caching.
macOS, iOS, and tvOS
Network access to the following hostnames is required for installing, restoring, and updating macOS, iOS, and tvOS:
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
appldnld.apple.com | 80 | TCP | iOS only | iOS updates | — |
gg.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | iOS, tvOS, and macOS updates | Yes |
gnf-mdn.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
gnf-mr.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
gs.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
ig.apple.com | 443 | TCP | macOS only | macOS updates | Yes |
mesu.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Hosts software update catalogs | — |
ns.itunes.apple.com | 443 | TCP | iOS only | — | Yes |
oscdn.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | — |
osrecovery.apple.com | 443, 80 | TCP | macOS only | macOS Recovery | — |
skl.apple.com | 443 | TCP | macOS only | macOS updates | — |
swcdn.apple.com | 80 | TCP | macOS only | macOS updates | — |
swdist.apple.com | 443 | TCP | macOS only | macOS updates | — |
swdownload.apple.com | 443, 80 | TCP | macOS only | macOS updates | Yes |
swpost.apple.com | 80 | TCP | macOS only | macOS updates | Yes |
swscan.apple.com | 443 | TCP | macOS only | macOS updates | — |
updates-http.cdn-apple.com | 80 | TCP | iOS, tvOS, and macOS | — | — |
updates.cdn-apple.com | 443 | TCP | iOS, tvOS, and macOS | — | — |
xp.apple.com | 443 | TCP | iOS, tvOS, and macOS | — | Yes |
App Store
Access to the following hosts might be required for updating apps:
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
*.itunes.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
*.apps.apple.com | 443 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | Yes |
*.mzstatic.com | 443 | TCP | iOS, tvOS, and macOS | Store content such as apps, books, and music | — |
itunes.apple.com | 443, 80 | TCP | iOS, tvOS, and macOS | — | Yes |
ppq.apple.com | 443 | TCP | iOS, tvOS, and macOS | Enterprise App validation | — |
Content caching
Access to the following host is required for a Mac that uses macOS content caching:
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
lcdn-registration.apple.com | 443 | TCP | macOS only | Content caching server registration | Yes |
App notarization
Starting with macOS 10.14.5, software is checked for notarization before it will run. In order for this check to succeed, a Mac must be able to access the same hosts listed in the Ensure Your Build Server Has Network Access section of Customizing the Notarization Workflow:
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
17.248.128.0/18 | 443 | TCP | macOS only | Ticket delivery | — |
17.250.64.0/18 | 443 | TCP | macOS only | Ticket delivery | — |
17.248.192.0/19 | 443 | TCP | macOS only | Ticket delivery | — |
Certificate validation
Apple devices must be able to connect to the following hosts to validate digital certificates used by the hosts listed above:
Hosts | Ports | Protocol | OS | Description | Supports proxies |
---|---|---|---|---|---|
crl.apple.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | — |
crl.entrust.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | — |
crl3.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | — |
crl4.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | — |
ocsp.apple.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | — |
ocsp.digicert.com | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | — |
ocsp.entrust.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | — |
ocsp.verisign.net | 80 | TCP | iOS, tvOS, and macOS | Certificate validation | — |
Firewalls
If your firewall supports using hostnames, you may be able to use most Apple services above by allowing outbound connections to *.apple.com. If your firewall can only be configured with IP addresses, allow outbound connections to 17.0.0.0/8. The entire 17.0.0.0/8 address block is assigned to Apple.
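Added example, not part of Apple's article: two helpers for checking an egress policy against the tables above. ip_in_cidr tells whether a resolved address falls inside one of the listed blocks (17.0.0.0/8, or the /18 and /19 notarization ranges), which is the check to run when a firewall only accepts IP rules; check_all opens a TCP connection to a small, constructed subset of the listed host:port pairs (wildcard rows such as *.push.apple.com cannot be probed as written) and needs nc and network access. The CIDR arithmetic runs offline.

```shell
#!/bin/sh
# apple_egress_check.sh: validate an egress allow-list against the Apple ranges
# and hosts in the tables above. Added example; not from Apple's article.

# ip_to_int DOTTED   prints the IPv4 address as a 32-bit integer; fails on bad input
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$1" "$2" "$3" "$4"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP CIDR   0 if IP lies inside CIDR (e.g. 17.248.128.0/18),
#                      1 if outside, 2 if either argument is malformed
ip_in_cidr() {
  ip=$(ip_to_int "$1") || return 2
  net=${2%/*}; bits=${2#*/}
  [ "$bits" != "$2" ] || bits=32            # bare address: treat as /32
  case "$bits" in ''|*[!0-9]*) return 2 ;; esac
  [ "$bits" -le 32 ] || return 2
  netint=$(ip_to_int "$net") || return 2
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( ip & mask )) -eq $(( netint & mask )) ]
}

# probe_tcp HOST PORT   0 if a TCP connection opens (needs nc and network access)
probe_tcp() {
  command -v nc >/dev/null 2>&1 || { echo "nc not available" >&2; return 2; }
  nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# A constructed subset of the "Hosts | Ports" rows above, one "host port" per line.
# Wildcard rows such as *.push.apple.com are omitted; they cannot be probed as-is.
apple_hosts() {
  cat <<'EOF'
gdmf.apple.com 443
mdmenrollment.apple.com 443
swscan.apple.com 443
ocsp.apple.com 80
EOF
}

# check_all   probes every host:port in apple_hosts; exit status is the failure count
check_all() {
  failures=0
  for entry in $(apple_hosts | tr ' ' ':'); do
    host=${entry%:*}; port=${entry#*:}
    if probe_tcp "$host" "$port"; then
      echo "ok   $host:$port"
    else
      echo "FAIL $host:$port"
      failures=$((failures + 1))
    fi
  done
  return $failures
}

# Usage:
#   sh apple_egress_check.sh probe                                   # live TCP probe
#   sh apple_egress_check.sh cidr 17.248.130.5 17.248.128.0/18 && echo inside
case "${1:-}" in
  probe) check_all ;;
  cidr)  ip_in_cidr "$2" "$3" ;;
esac
```

A successful TCP handshake only shows that the firewall lets the connection out; a proxy that performs HTTPS interception on these hosts will still break the Apple services, as the HTTP proxy section notes, so pair this with a check of the proxy's bypass list.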
HTTP proxy
You can use Apple services through a proxy if you disable packet inspection and authentication for traffic to and from the listed hosts. Exceptions to this are noted above. Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy.
- See a list of TCP and UDP ports used by Apple software products.
- Find out which ports are used by Profile Manager in macOS Server.
- Learn about macOS, iOS, and iTunes server host connections and iTunes background processes.
- Customize the Notarization Workflow.