We have been reporting on a fast-moving story on what was first called a Reboot Issue. As the dust is settling, in this article, we will outline the facts, what caused it, the combination of circumstances required, and how you can fix a computer that has suffered from this problem.

How Did It Come About?

At the start of this week, reports started to circulate that video editors around LA, using Avid’s Media Composer were finding that their Mac computers would not reboot. The internet of speculation took hold with all kinds of reasons being offered, including viruses, Apple attacking computers with Media Composer, problems with iLok, a fault in the Media Composer software, all of which were completely wrong. The problem was traced to the combination of two things, neither of which had anything to do with Avid or iLok.

1. Mac computers had their SIP (System Integrity Protection) disabled

2. Google Chrome ran what turned out to be a faulty Google Keystone automatic update.

Any computer with SIP enabled would be OK because it prevented the faulty updater from trashing key parts of the macOS.

More specifically, the exact conditions needed for the problem to occur were…

• SIP must be disabled (or not present, as is the case pre-OS X 10.11)

• The root directory, /, must be writable by the logged-in user

• A Keystone version containing the bug, 1.2.13.75, must be installed

• Keystone must update a product that it supervises.

Part 1 - System Integrity Protection

What Is SIP?

System Integrity Protection is a security technology in OS X El Capitan and later, that is designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system.

Apps that you download from the Mac App Store already work with System Integrity Protection. Other third-party software, if it conflicts with System Integrity Protection, may be set aside when you upgrade to OS X El Capitan or later.

System Integrity Protection also helps prevent software from selecting a startup disk.

Why Would Anyone Choose To Disable SIP On Their Mac Computer?

It would appear that the problem hit Avid Media Composer users because some Avid users have chosen to disable SIP so that they can use 3rd party video cards on their Apple computers. This is because the video card driver software is ‘unsigned’ and it fails the System Integrity Protection Apple has put in place to protect our computers from malicious code. The way around this is to disable SIP.

By disabling SIP any user is making their computer much more vulnerable, it has nothing to do with Avid or iLok, whether it’s Media Composer or Pro Tools or any other software, it is disabling SIP that opens up the computer to an ‘attack’.

How To Check If System Integrity Protection Is Enabled On Your Mac

SIP is not something you can disable in the System Preferences. You need to use the Terminal app and type in some code. If you are not confident in this area, we advise extreme caution as mistakes in what you type into the Terminal app can be catastrophic. You have been warned!

This is how you can check if SIP is enabled or not on your Mac.

• Launch Terminal on your Mac.

• Type in "csrutil status" (or copy and paste it in from here).

• If SIP is ON, you'll get this message in response: "System Integrity Protection status: enabled."

• If SIP is OFF, you'll get this message: "System Integrity Protection status: disabled".

How To Enable System Integrity Protection On Your Mac

• Click on the  (Apple Logo) at the far left of your Mac's Menubar.

• Click on Restart.

• Hold down Command + R during reboot to enter Recovery Mode.

• Click on the Utilities Menu.

• Launch Terminal.

• Type in "csrutil enable".

• Restart your Mac again.

Part 2 - A Faulty Chrome Keystone Update Giving Rise To The Nickname ‘Varsectomy’

The second part of this problem was traced to a new version of Google Keystone, part of Google Chrome’s automatic update system. We understand that a bug in the Chrome update inadvertently attempted to modify parts of the macOS file system. We reported that 9to5 Google a sister site to 9to5 Mac had posted an article suggesting that Google Keystone may be the cause…

“Earlier today, Mac video professionals began reporting that their computers were crashing, and many attributed the problem to Avid’s Media Composer editor. The issue instead lies with a piece of Google software that helps keep Chrome up-to-date.

Version 1.2.13.75 of Google Keystone (Google Software Update) recently shipped with a bug that damages the macOS file system on computers where System Integrity Protection is disabled. Also known as SIP, the OS security feature helps “prevent potentially malicious software from modifying protected files and folders on your Mac.” This issue also affects Macs that do not support SIP (pre-OS X El Capitan).

Google tells us that it has paused the rollout of Keystone 1.2.13.75 until a solution is developed.”

When SIP is enabled, as it is by default, SIP works as intended and prevents the change. For any system where the protection was disabled, the file system can be modified in such a way that it puts the damaged Mac computer into a reboot cycle, where the boot process would not complete and instead it starts the boot process again and goes into a loop.

According to the Chrome bug thread, the buggy Chrome update removed a crucial symbolic link pointing to the /var folder and this has given rise to the nickname ‘Varsectomy’ which we understand was coined by some Mac Admins whilst they were tracking down the issue.

In the Google Chrome Online Help, a Google Chrome Support Manager said…

“We recently discovered that a Chrome update may have shipped with a bug that damages the file system on macOS machines with System Integrity Protection (SIP) disabled, including machines that do not support SIP. We've paused the release while we finalize a new update that addresses the problem.

If you have not taken steps to disable System Integrity Protection and your computer is on OS X 10.11 or later, this issue cannot affect you.”

The Google Help page continues with a description of how to recover a machine with a varsectomy. It involves putting the Mac into the Recovery Mode and then entering specific instructions in the Terminal app, so it is not for the faint-hearted as using the Terminal incorrectly can enable you to further damage your computer.

For those so inclined, the best resource we have found on this subject that gives the facts, without the hype and hysteria, is a post on the Mr. Macintosh blog, which includes fixes for pre-macOS 10.11 computers as well 10.11 to 10.14 computers, a fix for Hackintosh users and Google Support’s recommended fix as well as links to a wide variety of sources and information.

What Can We Learn From This?

Firstly, unless there is a very strong, almost ‘deal-breaker’ reason, users should not disable security measures on your computer. If you do, you have to accept that by doing so, you are making your computer more vulnerable to attack, and that attack may come from a benign source such as a faulty Chrome updater.

If SIP had been active, all those Media Composer users would have been safe from the damage inflicted by the faulty Google updater.

Manufacturers need to keep their software and drivers up to date with the security systems that Apple and Windows put in place to help us protect our computers from malicious code. If those video card drivers had been ‘signed’ then users would not have needed to disable SIP.

Software developers, please test and test again. Yes, it may have taken longer to roll out an update, but if Google had been more careful, they would have found the fault in their Keystone software before it hit the field.

As users, we need to learn to be patient when developers seem to be dragging their feet releasing an update. Wouldn’t you rather wait longer and get a reliable update than get a dodgy piece of software that almost immediately needs a fix to fix the fix?