As an FYI - we have Apple auto-updating and they released the Spectre/Meltdown fixes. I've started getting a few people bringing me machines that are now crashing on boot up after installing, incl rebuilds that ran the updates.



Anybody else seeing similar behavior?

Same here, but it's due to our DLP software that has its digital hooks in the kernel. The 2018-001 update must have changed the kernel once again. So any DLP or tough Virus/Malware software that uses kernel hooks can cause the system to crash. We ultimately have to uninstall prior or go into safe mode and remove after.



SMH. Is this installing automatically on your side? Because I have auto install security updates turned off in my environment.



-Frank J


If it becomes epidemic, I would suggest ignoring it with the softwareupdate command:



softwareupdate --ignore "macOS Security Update 2018-001-10.12.6"


But if you do so, I believe you will have to deploy manually as the softwareupdate will ignore this update.


I can confirm we are also experiencing the same issues for users on 10.12.6
Yet to test on 10.13.3 (High Sierra)


We have 8 users experiencing the same issues.



Any fixes?


@mtapal we reinstalled macOS from the recovery partition.


@ShadowGT, they'll actually want to run softwareupdate --ignore "Security Update 2018-001". Per the man page for softwareupdate:



--ignore identifier ...
Manages the per-machine list of ignored updates. The identifier is the first part of the item name (before the dash and version number) that is shown by --list. See EXAMPLES.


You can test it by running the softwareupdate --list command twice, once before the ignore command and once after, and you should see the update not appear on the second run if the ignore was successful.



The nice thing is that then this ignore command covers both Sierra and El Capitan, since the update identifier is the same, without the OS version number after the last dash.



(Anyone else having trouble editing comments? Like it doesn't keep the original text and instead brings up a blank field and I have to copy and paste the original text, reformat it, and add the edit.)
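An added example, not part of the original post: deriving the --ignore identifier from `softwareupdate --list` item names by dropping the final dash and version number, as the quoted man page text describes, and checking whether an update is still offered afterwards. The sample listing is constructed; `sample_list`, `ignore_identifiers` and `still_offered` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `softwareupdate --list` output (not captured from a real Mac).
sample_list() {
cat <<'EOF'
Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * Security Update 2018-001-10.12.6
	Security Update 2018-001 (10.12.6), 700000K [recommended] [restart]
   * Security Update 2018-001-10.11.6
	Security Update 2018-001 (10.11.6), 800000K [recommended] [restart]
EOF
}

# Read --list output on stdin and print the unique identifiers that --ignore
# expects: the "* item name" lines with the trailing "-<version>" removed.
ignore_identifiers() {
    sed -n 's/^ *\* //p' \
        | sed 's/[[:space:]]*$//; s/-[0-9][0-9.]*$//' \
        | sort -u
}

# Exit 0 if the given identifier still matches an item in the --list output
# on stdin, i.e. the ignore has not taken effect (or was never set).
still_offered() {
    ignore_identifiers | grep -Fqx -- "$1"
}

# On a managed Mac the input would come from the real tool instead:
#   softwareupdate --list | ignore_identifiers
sample_list | ignore_identifiers
```

Both the Sierra and El Capitan items collapse to the same identifier, which is why one ignore entry covers both.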


Any commonalities? We have Macs that have installed this that haven't had problems, and Macs that have. Any anti-malware software installed? Any kernel extensions mentioned in the kernel panic message (if you're getting kernel panics)?


Any additional info (specifics from kernel panic messages) is much appreciated. I ran the updates on my 10.12.6 MBP, am now on build 16G1212, have Symantec Endpoint Protection.app version 14.0.2332.0100, and haven't had any issues so far.


Does anyone know if this affects 10.11.6 clients that have the 2018-001/Safari 11.0.3 patch?



Thanks!


I've had six 10.12.6 MBPs run the update, all 6 had the issue. One user claims the issue fixed itself after a couple of reboots, two others had to have 10.12.6 reinstalled. The other three we have yet to try the reinstall. We were not running DLP on these machines but run a lot of other security agents that might be conflicting. I'll do more testing tomorrow.


We were running an older version of Trend AV 3.0.1098, updated to 3.0.3044 and the issue is resolved for us. Likely issue was incompatible kernel extensions. I have tested successfully on two separate 10.12.6 machines.



Who is using what AV and what version?



Try updating to latest available version.



This is very similar to Microsoft when they released their Meltdown patch which caused BSODs because of incompatible AVs.


I had 2 users on 10.11.6 who ran this update and are getting a kernel panic on their MacBook Pro


I'm running Trend 3.0.1106. I'll play with that tomorrow.


We are using Sophos Antivirus ver. 9.6.2, also Carbon Black. Going to uninstall it and see if it fixes it.


@pcrandom I am having the same issue as well for editing comments


Upgrading Trend to 3.0.3044 didn't work for me :(


Hey @mcampbel ,



How did you upgrade to 3.0.3044? Did you install over the top or did you run Trend's specific uninstaller and then run the installer? I have had issues with just trying to install over the top.



Cheers,



Pat


@PatrickD , I "checked for updates" and let it update itself. Nothing's ever easy I guess. Thanks Pat, I really appreciate the help.


For those running SEP14:



10.12.6- no kernel panics to report (installed security update and Safari 11.0.3)
10.11.6- will test tomorrow


To add a further point, both 10.11 and 10.12 patches change some things in the Kernel (required to patch the Meltdown vulnerability), so possible causes could be anything that has a kernel extension. This would include AV, but could also include:
- Carbon Black and other deep level security solutions
- Some printer drivers (yea I know, right?)
- Data Loss Prevention software (an example is EndPoint Protector (EPP), but I don't know if that specifically causes, or indeed doesn't cause, an issue).



Safe Boot (hold down "Shift" on startup) should boot without third party Kernel Extensions, but may take longer to boot too. That might get you in enough to start troubleshooting causes.



Good Luck, and I hope that helps



Darren
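An added example, not part of the original post: listing the loaded non-Apple kernel extensions and their versions from `kextstat` output, so the AV, DLP and similar agents discussed in this thread can be checked against vendor-supported versions before the security update is approved. The sample output and the com.example.* bundle IDs are constructed; `sample_kextstat` and `third_party_kexts` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of kextstat output (bundle IDs, addresses and UUIDs are made up).
sample_kextstat() {
cat <<'EOF'
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1   90 0xffffff7f80a00000 0xa000     0xa000     com.apple.kpi.bsd (16.7.0) 00000000-0000-0000-0000-000000000001
    2   10 0xffffff7f80a10000 0x3000     0x3000     com.apple.kpi.libkern (16.7.0) 00000000-0000-0000-0000-000000000002
  140    0 0xffffff7f83000000 0x21000    0x21000    com.example.av.scanner (3.0.1) 00000000-0000-0000-0000-000000000003 <5 4 3 1>
  141    0 0xffffff7f83100000 0x9000     0x9000     com.example.dlp.hook (7.2) 00000000-0000-0000-0000-000000000004 <5 4 2 1>
EOF
}

# Read kextstat output on stdin and print "bundle-id<TAB>version" for every
# loaded kext whose bundle ID is not in the com.apple namespace.
# Field 1 must be numeric, which skips the header line; field 6 is the
# bundle ID and field 7 is the version in parentheses.
third_party_kexts() {
    awk '$1 ~ /^[0-9]+$/ && $6 !~ /^com\.apple\./ {
        v = $7
        gsub(/[()]/, "", v)
        print $6 "\t" v
    }'
}

# On a Mac the input would come from the real tool instead:
#   kextstat | third_party_kexts
sample_kextstat | third_party_kexts
```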


@daz_wallace
I can confirm Carbon Black's Bit9 v7 patch 8 is causing problems - and that version was released a week or two ago.


@jwojda That seemed to be the common feeling on the MacAdmins Slack channels too.
Fun Times


@daz_wallace and @jwojda I can also confirm the Carbon Black agent is causing the crash with the 10.12.6 latest security patch. Currently testing 10.13.3 to see if it has the issue as well.


@pcrandom and @sahmed The editing bug for Jamf forum posts is a known issue, and hopefully will be fixed when they next update the forum software (tentatively next week).


@rqomsiya Oh that is a relief. I accidentally left my test machines set to install updates overnight and forgot to remove the security updates from our SUS.



I'm hoping the machines that got the update don't crap out...it was only a few thankfully.

