Apple released 11.6 and macOS Catalina Security Update 2021-005 today.

AJPinto
Contributor III
11 REPLIES 11

mschroder
Valued Contributor

And again no mail on the security announce list? What's up with Apple? So thanks for the hint @AJPinto !

I only noticed this when smart groups started updating. JAMF's patch management still shows 11.5.2 as current as does the App Store. Apple is getting sloppy(er then usual). 

kevin5495
New Contributor III

There doesn't seem to be a stand alone installer. I've only had success through System Preferences/Software Update, and that's been flakey maybe due to traffic. Softwareupdate CL doesn't want to download -d, or install -i.

I got it using sudo softwareupdate -aiR (install all reboot) yesterday.

mm2270
Legendary Contributor II

I have 2 Macs that are overseas and need their web traffic routed all the way back to the US due to how our orgs network restrictions are set up (always on VPN), and I've been unable to get these Macs to update to 11.6 despite multiple attempts. I'm pissed that Apple no longer supplies a standalone installer for these updates. Having everything going thru the software update mechanism every time can be flakey. WTH is Apple thinking sometimes?

AJPinto
Contributor III

We have much the same restriction. You may be able to push back to your security team that you are unable to install security patches to the Macs to patch several 0-day exploits until they allow *.Apple.com (or at least apples update servers and needed ports) around the captive gateway.

 

You security team would need to decide what is the greater risk. Not being able to patch the Macs or not having total control over Apple traffic which they already cannot inspect or monitor in any way shape or form. If your security team says no save the email and wash you hands of it and move on.

kevin5495
New Contributor III

You can get a stand alone installer now using --fetch-full-installer.

mm2270
Legendary Contributor II

The MacRumors article doesn't mention it, but the 11.6 and Catalina 2021-005 Security Updates supposedly address a zero day that may be actively being exploited (at least on Big Sur), so it's highly recommended you get all your Macs up to date as soon as possible. We're doing an emergency push to all our Macs starting this evening.

https://support.apple.com/en-us/HT212804

https://support.apple.com/en-us/HT212805

 

AJPinto
Contributor III

My gut had a feeling this was a 0 day. I have told our security teams and see what they want us to do. Wasn't 11.5.2 also a 0 day?

VintageMacGuy
Contributor

From what I have read (and it is only a few pieces of info) the attack vector is through Messages.app. A quick "patch" may be to add Messages.app to the restricted software list until they upgrade to 11.6.

We already restrict iMessage and do not allow the use of AppleID's. I find it a bit strange they did not just roll this in to 11.5.3 or something to get it out faster and less impactful. They could have updated iMessage without rebooting the Macs with a much smaller update like they do with Safari.