No, it wasn’t a virus; it was Chrome that stopped Macs from booting
On Monday night, Variety reported that film editors around Los Angeles who had Avid Media Composer software installed were suddenly finding that their Macs were unable to reboot. The publication speculated that malware may have been the cause. On Wednesday, Google disclosed the real cause—a Chrome browser update.
Specifically, it was a new version of Chrome’s Keystone updater that caused so many Macs to stop rebooting, according to this open Chrome bug post. When the update was installed on Macs that had disabled a security feature known as system integrity protection and met several other conditions, a crucial part of the Mac file system was damaged, a Google employee said in the forum.
“This appears to be an issue with a new version of Google Keystone,” a different Google employee wrote earlier in the thread. “We have halted the rollout and are working on remediation right now.”
When your Mac gets a “varsectomy”
SIP, as system integrity protection is usually abbreviated, was introduced in 2015 in the El Capitan version of macOS (called OS X at the time). As its name suggests, SIP is designed to protect the integrity of the OS by, among other things, protecting certain files and folders from being deleted or modified, except by specific, authorized processes.
It would appear a bug in the Chrome update inadvertently attempted to modify parts of the macOS file system. When SIP was enabled—as it is by default—SIP worked as designed and prevented the change. When the protection was disabled, however, the file system was modified in a way that prevented Macs from rebooting. Specifically, according to the Chrome bug thread, the buggy Chrome update removed a crucial symbolic link pointing to the /var folder.
“This results in system instability that may include failure to launch new UI applications, failure to resolve hostnames in most already-running programs, and failure to reboot successfully,” one of the Google employees said.
The specific conditions required for the Chrome update to make this change are:
- SIP must be disabled (or not present, as is the case pre-OS X 10.11)
- The root directory, /, must be writable by the logged-in user
- A Keystone version containing the bug, 1.2.13.75, must be installed
- Keystone must update a product that it supervises.
The reason so many users of the Avid Media Composer program were affected, Mac enterprise blog Mr. Macintosh reported, is that some users of the film-editing software must disable SIP when using third-party graphics cards. The publication has dubbed the /var-killing bug “varsectomy.”
Google has instructions for restoring unbootable Macs here. The process involves booting into recovery mode and then opening a terminal window, which can be accessed from the utilities folder, among other ways. From there, run the following commands:
    chroot /Volumes/Macintosh\ HD   # "Macintosh HD" is the default
    rm -rf /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
    mv var var_back   # var may not exist, but this is fine
    ln -sh private/var var
    chflags -h restricted /var
    chflags -h hidden /var
    xattr -sw com.apple.rootless "" /var
Then reboot.
If everything goes right, the Mac will restart with the buggy Chrome update no longer installed and with the damaged file system repaired. It wasn’t immediately clear when a fixed version of the Chrome update would be available.
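The script below is an added example, not code from Google, Apple or the bug thread: a shell audit for the conditions listed above and for the /var link that the repair commands recreate. The function names and exit codes are this example's own, and it only tests whether the Keystone bundle exists at the path used in the repair commands; it does not read the Keystone version.

```shell
#!/bin/sh
# Added example. Usage after sourcing:
#   audit /        or        audit "/Volumes/Macintosh HD"

# State of ROOT/var: ok | wrong-target | not-symlink | missing
var_link_state() {
    link="${1%/}/var"
    if [ -L "$link" ]; then
        # The repair recreates the link with the relative target private/var
        if [ "$(readlink "$link")" = "private/var" ]; then echo ok; else echo wrong-target; fi
    elif [ -e "$link" ]; then
        echo not-symlink
    else
        echo missing
    fi
}

# Map `csrutil status` text to enabled | disabled | unknown.
# Anything other than a plain enabled/disabled line is reported as unknown.
parse_sip() {
    case "$1" in
        *"status: enabled."*)  echo enabled ;;
        *"status: disabled."*) echo disabled ;;
        *)                     echo unknown ;;
    esac
}

sip_state() {
    if command -v csrutil >/dev/null 2>&1; then
        parse_sip "$(csrutil status 2>/dev/null)"
    else
        echo unknown   # no csrutil, e.g. pre-OS X 10.11 where SIP is not present
    fi
}

# Returns 2 if the /var link is damaged, 1 if intact but exposed, 0 otherwise
audit() {
    root=${1:-/}
    var=$(var_link_state "$root")
    sip=$(sip_state)
    if [ -w "$root" ]; then writable=yes; else writable=no; fi
    bundle="${root%/}/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle"
    if [ -d "$bundle" ]; then keystone=present; else keystone=absent; fi
    echo "var=$var sip=$sip root_writable=$writable keystone=$keystone"
    [ "$var" = ok ] || return 2
    if [ "$sip" != enabled ] && [ "$writable" = yes ] && [ "$keystone" = present ]; then return 1; fi
    return 0
}
```

An exit code of 1 means the /var link is intact but SIP is not confirmed enabled, / is writable by the current user and a Keystone bundle is installed, so the installed Keystone version still needs to be checked by hand.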