Safari app upgrade issue

Question

Level 1

13 points

Safari app upgrade issue

Hi Everyone,

Recently I'm struggling with a weird issue on our Kandji managed Macbooks.

I'm getting reports by our Qualys console on some devices that has a vulnerable version (16.2) of Safari app installed.

While I'm crosschecking I see that in fact there are 2 different versions installed to these devices. They have both 16.2 and 17.0 (17.1) installed. Safari update is not managed by Kandji, it is still controlled by native Apple Software Update.

Attached screenshot shows the 2 different version under 2 different paths.

In the same time our users confirm that they have 2x Safari app in /Applications:

I need to find a way to get rid of 16.2 and in general I just would like to understand what is really going on with these devices.

Have anyone seen such issues recently?

Thanks!

Posted on Nov 27, 2023 12:49 AM

Reply

Answer 1

jfriedel80 Author

Level 1

13 points

Nov 27, 2023 7:04 AM in response to dialabrain

Thank you for that and I really appreciate your contribution to my issue!

However as I mentioned that app is not present in our company, not installed to our devices. So it cannot be the case. I could find the same link you shared but just because they mention about cryptexes is does not have to be right for my case.

I understand that this is a legit thing implemented by Apple related to Rapid Security Responses.

Rapid Security Responses on Apple devices - Apple Support (OM)

I have also seen this explanation on Cryptexes that justifying that Safari is involved:

https://eclecticlight.co/2023/04/05/how-cryptexes-are-changing-macos-ventura/

My problem currently is that since ver. 16.2 is vulnerable I need to update it somehow or get rid of it.

Reply

Answer 2

dialabrain

Level 10

125,705 points

Nov 27, 2023 4:52 AM in response to jfriedel80

My only thought is Kandji must have caused a problem. Normally Safari is replaced and updated when updating/upgrading macOS. Since Safari is a protected app, I don't know how you would uninstall the earlier version. That is short of erasing the drive and reinstalling macOS.

Reply

Answer 3

jfriedel80 Author

Level 1

13 points

Nov 27, 2023 5:39 AM in response to PRP_53

Yes I'm fully aware of these 2 different paths, that is where this whole story started at actually.

And it happened even before I wanted to force update Safari app using an audit and enforce script in Kandji.

By the time it all started the impacted Macbooks had macOS Ventura 13.6 installed. Since then there were 2 minor upgrades released and none of them triggered Safari upgrade. The softwareupdate -l command did not either listed Safari 17.0 (17.1, 17.2) as an available update.

Not only I cannot delete Safari app from /Appliations folder (obviously) but /System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app is also protected since Cryptexes are part of Apple's RSR.

Reply

Answer 4

jfriedel80 Author

Level 1

13 points

Nov 27, 2023 6:08 AM in response to jfriedel80

I have quickly checked on my device that is on Sonoma 14.1.1

It does not have any previous version of Safari, only 17.1 is installed.

However I can find Safari.app under these 2 paths:

/applications/Safari.app

/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app

I guess it is by design so I just need to sort out how come those impacted have got different versions.

Reply

Answer 5

dialabrain

Level 10

125,705 points

Nov 27, 2023 6:37 AM in response to jfriedel80

jfriedel80 wrote:

Seem like it's been there for a while:

https://forums.macrumors.com/threads/question-about-this-symlink.2375942/

Apparently the users in that forum have iBoostUp installed and are confused. 😎

Reply

Answer 6

PRP_53

Level 10

91,927 points

Nov 27, 2023 6:51 AM in response to jfriedel80

Sorry but MDM Services I know about.

Though do not every attempt to offer solutions as this is;

1 - Out of my knowledge and experience

2 - The MDM controls the computer, what it can be uses for and exactly how the Operating System works.

Good Luck with this issue

Reply

Answer 7

dialabrain

Level 10

125,705 points

Nov 27, 2023 6:57 AM in response to jfriedel80

jfriedel80 wrote:

I'm just trying to understand how come you don't have that folder.

Well, turns out I have to retract what I have been saying. I went back to take a screen shot to show I didn't have the folders, but now, both Macs I checked have the folders in question. Magic. 🤔

Reply

Answer 8

dialabrain

Level 10

125,705 points

Nov 27, 2023 7:11 AM in response to jfriedel80

jfriedel80 wrote:

My problem currently is that since ver. 16.2 is vulnerable I need to update it somehow or get rid of it.

You're welcome. See my previous post about the folders in question. As far as your problem, as I said previously, I have no idea how to fix it short of an erase and reinstall.

Reply

Answer 9

BDAqua

Level 10

245,507 points

Nov 27, 2023 7:17 AM in response to jfriedel80

What are cryptexes?

A cryptex on macOS is a cryptographically-sealed archive that contains a well-defined filesystem hierarchy. It is essentially a sealed Disk Image that contains its own file system and is mounted at a randomly chosen location within the root file system during the boot process. macOS verifies the cryptex to ensure it has not been tampered with before mounting it.

Cryptexes on macOS contain various system components, including command tools, system executables, libraries, man pages, apps, frameworks, a "clone" of the OS image and dyld shared caches.

https://www.iboostup.com/blog/what-are-cryptexes-why-they-take-up-mac-space#:~:text=A%20cryptex%20on%20macOS%20is,system%20during%20the%20boot%20process.

Reply