Some time shortly after the release of High Sierra public betas last year, I started noticing a lot of user reports on Apple Support Communities that included something odd: an Apple Launch Daemon called
com.apple.installer.cleanupinstaller.plist appeared, but oddly its program argument, a binary located at
/macOS Install Data/Locked Files/cleanup_installer was missing.
Being an Apple Launch Daemon, of course, the
cleanupinstaller.plistis owned by root:
-rw-r--r-- 1 root wheel 446 Oct 10 06:52 com.apple.installer.cleanupinstaller.plist
After discussion with a few colleagues about this oddity, I decided to see if I could catch a copy of the missing program argument. After rolling back to an earlier version first, I found that the macOS Install Data folder is created when a user runs the Upgrade installer (along with the Launch Daemon plist). A clean install with the full installer does not appear to create either the properly list or the program argument.
The Locked Files folder indicated in the program argument path is hidden in the Finder, but revealed in Terminal.
Locked Files folder is the
cleanup_installer binary. The binary is 23kb, and the strings section contains the following, giving some indication of its purpose:
Upon a successful upgrade, the
/macOS Install Data/ folder is removed, but the Launch Daemon is not, and therein lies the problem.
Let’s have a look at the plist:
The ‘LaunchOnlyOnce’ and ‘RunAtLoad’ keys tell us the program argument will be run just once on every reboot. It’ll execute whatever is at the program argument path with root privileges. With the executable missing as noted in numerous ASC reports, that leaves open the possibility that a malicious process could install its own executable at the path to aid in persistence or re-infection if the original infection were to be discovered or removed.
To test this hypothesis, I threw a quick script together that included a ‘sudo’ command.
sudo launchctl list > /Users/phil/Desktop/securityhole.txt
The legacy command ‘launchctl list’ produces different results when it’s run with
sudo and when it’s not. Without
sudo, it’ll just list the
launchd jobs running in the user’s domain. With
sudo prepended, however, it’ll instead list the
launchd jobs running in the system domain. This makes it easy for us to tell from the output of our script whether the job ran with privileges or not.
Having created my script, I created the path at
/macOS Install Data/Locked Files/ and saved the script there as ‘cleanup_installer’. It’s worth pointing out that writing to this path requires admin privileges itself, so this issue doesn’t present any kind of ‘zero day’ possibility. The attacker needs to have a foothold in the system already for the danger to be real, so I’ll repeat that the vulnerability here is the possibilty of the attacker hiding a very subtle root persistence mechanism within a legitimate Apple Launch Daemon, making it all the more difficult to detect or remediate if otherwise unknown.
The final step was to
chmod my script to make it executable, and then restart the mac. Sure enough, after reboot and without any other intervention from myself, the script was executed and my Desktop contained a text file with a nice list of all the system
Of course, that’s a trivial script, but here’s the tl;dr:
Anything – including code to reinstall malware – can be executed with root privs from that path every time a High Sierra install containing the Apple
If you’re already beyond your second reboot since updating and your /LaunchDaemons folder contains this property list, the obvious thing to do is to remove it (as High Sierra should have done when it completed the reinstall). It appears to serve no purpose once the program argument has been removed, other than to offer a way for malware to seek persistence.
Secondly, you should be able to safely remove the
/macOS Install Data/ folder if you find that exists. This is usually removed after a successful update, but it can also be left behind if a user cancels out of an update half way through. If you do find this still lurking on your system, you can check that it is what it’s supposed to be by copying and pasting this into Terminal:
strings -a /macOS\ Install\ Data/Locked\ Files/cleanup_installer
and confirm you get the same or similar as listed earlier in this post. On my system here, the file also gives a checksum of
945203103c7f41fc8a1b853f80fc01fb81a8b3a8. You can produce that on the command line with:
shasum -a 1 /macOS\ Install\ Data/Locked\ Files/cleanup_installer
However, it’s entirely possible that Apple either already have or may in the future make changes to that binary since I captured it, so a varying checksum alone should be treated with caution.
Of course, even after having removed these items, there’s nothing to stop an attacker that’s already compromised a machine from recreating both of those (as indeed, there’s nothing to stop a privileged attacker creating anything else on your system!). Thus, it’s always a good idea to keep track of what changes occur on your system on a regular basis. My free/shareware tools DetectX and DetectX Swift are designed to do exactly this. In DetectX, after running a search, the log drawer will tell you if the /macOS Install Data/ exists:
1. This issue was reported to Apple Product Security in August 2017.
If you are preparing to install macOS on multiple computers, one of the things that can make your life simpler (and the waiting shorter) is a bootable USB installer.
The idea of the installer is that you only need to download the macOS Installer.app from the App Store once. Usually, when you run the installer after downloading it, it’ll delete itself and you have to go through the whole download process again on each machine or disk that you want to install macOS onto. By making a bootable USB drive, you simply plug the drive in to your mac, launch the installer app and tell it where to install the OS. You can repeat this as many times as you like as the installer will remain safe on your USB.
There are various ways to make a bootable USB installer, but they all involve the same process:
1. Download the macOS Installer from the App Store.
2. Run the
createinstallmedia command from the Terminal, an AppleScript or a helper app.
3. Reboot your mac, choosing the newly created USB as the startup disk.
4. Run the installer.app from the USB.
Step 2 is where the fun is. The
createinstallmedia command can be tricky to get right, particularly if you’re not familiar with working on the command line. For those of you that are, follow Apple’s instructions here.
For a little more convenience, I wrapped all that inside an AppleScript which will first ask you for the location of the installer, then ask you to choose the USB target.
For maximum convenience, I also wrote a free little Swift app I’ve dubbed ‘Boot Buddy‘ (cos “Create bootable macOS Installer Drive.app” just didn’t quite have the right ring to it..!) that will present the whole thing in a neat little user interface. Three clicks, more or less, and you’re done.
Boot Buddy doesn’t require an admin password to install, but you do need to provide an admin password to actually create the bootable installer as the
createinstallmedia process has to be run as root. Boot Buddy doesn’t see or use this in any way whatsoever other than to start the
createinstallmedia process or to cancel it (if you choose to do so); authorisation is handed off to macOS to take care of.
Boot Buddy requires macOS 10.11 or higher and can create bootable USBs from Mavericks, Yosemite, El Capitan, Sierra and High Sierra installer apps.
Share and enjoy! 🙂
For those participating in Apple’s public beta program or developer program, here’s a script that will make a bootable flash drive installer of Sierra for you. Of course, you’ll need to have downloaded and saved the original installer before running it on your mac for this to work.
When an installer is made available to you from Apple, the first thing to do after downloading it is to quit the installer if it auto runs. Insert your blank USB thumb drive, and make sure it’s at least 8GB (16GB recommended).
You can either run the script immediately with the installer app still in your /Applications or /Downloads folder, or you can move the installer first to your preferred location. It doesn’t make any difference to the script since it’ll ask you for the location of both the Installer and the USB drive before doing its thing. It’ll also give you an option to cancel out if you made any mistake in specifying the location or you just change your mind. The script will ask you for an administrator password as it needs elevated privileges to run the
Note the script continues to run in the background until the installer has been created. It sleeps for an interval of 10 secs between checking the job status. Since it takes around ten minutes for the createInstallMedia routine to finish its work, you could comfortably increase that sleep time 30 secs or more if you desire. The script will present you a dialog when it detects all is done:
To use the bootable installer, just pop it into a mac, reboot holding down the ‘option’ key and choose the USB drive to kick off the installation process on a partition of your choice.
With the last seven days of July upon us, the suspense is just killing some people waiting for the release of Apple’s latest version of OS X, 10.8 Mountain Lion. While rumours abound for just about every conceivable day left being the ‘official’ release date (with the 25th being the most popular, it seems), the sensible are making sure they’re prepared. So here’s a few things to do both before and on the big day:
1. Check the tech specs
Check out the tech specs for Mountain Lion and the list of supported machines to make sure you can run it on your current system. If you are upgrading from Snow Leopard, you should also check out will my old apps work with Lion?.
2. Run Software Update
Make sure you have the latest version of everything by running
> Software Update
before you upgrade. This will help to cut down any compatibility problems when installing Mountain Lion.
3. Backup your current install
Without a doubt the biggest cause of trouble and frustration with every OS release is among users who didn’t backup their systems before trying to install the new one. Like Lion, Mountain Lion will be delivered as a download from the App Store, and while this method is certainly convenient, corrupted downloads are not uncommon. Moreover, even when the install proceeds as expected, you want to be able to get back to your previous system if you find things are not to your liking. An OS installation is like performing major surgery on your computer and the chances of complications are always a significant risk. As the old boy scout saying goes ‘Be Prepared’. Backup, backup, backup.
4. Remove everything from your Login Items.
For Lion users, that’s
> System Preferences…> Users & Groups | Login Items
If you’re upgrading from Snow Leopard 10.6.8, go to
> System Preferences…> Accounts | Login Items
There’s a couple of reasons for doing this, but mainly it’s to ensure that you can log in without difficulty. Login Items are one of the main causes of OS problems at the best of times, but with a major upgrade like this, you don’t want any incompatible software choking the system from booting up. See Steps 8 & 9 below about re-activating your Login Items after the installation.
5. Uninstall AV software & other utilities
If you have Sophos, VirusBarrier, iAntiVirus, F-Secure, or similar uninstall these prior to upgrading. After upgrading, if you must use them, look for updates. Uninstall MacKeeper, Little Snitch, LogMeIn or any other 3rd party utility that runs prior to user login.
6. Be prepared for slow download times
Apple’s servers will be hotter than a forest fire on release day, so you can expect download times to be pretty poor. At the very least, connect your computer to your router via ethernet cable rather than wifi – that’ll at least help push things along a bit faster at your end. If you can do it from the office or somewhere else that has a lot more bandwidth than the usual home connection, do so.
7. Save the installer
After the download completes the installer will run automatically. Do NOT click ‘Install’, but instead quit it. Then go to your Applications folder and copy the ‘Install OS X Mountain Lion .app’ and save it to your Downloads folder or somewhere else. Then you can run the installer in your Applications folder.
The reason for doing this is that when you install Mountain Lion the Install app in your Applications folder will self-delete. If the install shouldn’t work for some reason the first time round, you won’t have to go through the whole tiresome wait of a download from the App store again if you save a copy to your Downloads folder.
8. Update 3rd-party apps
Assuming Mountain Lion boots up just fine, the first thing you’re going to want to do (after having a nose around, of course!) is update your 3rd party apps. Start off by opening the App store to see if any that you’ve sourced from there have updates waiting for you. After that, start up all the main apps that you normally use and use their ‘Check for Updates’ option (usually in the Apps main menu), or contact the developers through their websites. If you use Parallels 7, you will need to update that before trying to run your virtual machines.
9. Test your Login Items apps
In particular, you’re going to want to test out the apps that you want to put back in your Login Items, before you put them back in there. Run each app and play around with the system for a couple of hours before deciding to put it back in your Login Items list. If you notice any weird behaviour with Finder, the Dock or Desktop backgrounds, problems with wifi or graphics, chances are one or more of your 3rd party apps needs updating to work with Mountain Lion. If there is no update yet, stop using that app till one becomes available or find an alternative. In general, it’s always best to keep Login Items down to a bare minimum. Running apps at login is a sure fire way to slow down boot up times.
10. Check back with Applehelpwriter.com
As always, I’ll be here with tips on how to get the most out of OS X and how to solve some common problems. See you then! 🙂