Skip to content
Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

macOS Big Sur 11.6.5 and Security Update 2022-003 Catalina

Apple has released macOS Big Sur 11.6.5 and Security Update 2022-003 for macOS 10.15 Catalina, patching 19 security vulnerabilities in Big Sur and 16 in Catalina. Both updates address multiple AppleScript- and kernel-privilege-related issues and resolve a problem with QuickTime Player that could allow a plug-in to inherit the app’s permissions and access user data. The Big Sur update also improves Siri validation to prevent a person with physical access to a device from obtaining some location information from the Lock screen. You can download these updates using Software Update on Macs running either Big Sur or Catalina. It’s worth waiting a week or two before installing to make sure these updates introduce any bugs; if you notice any problems after updating, please let us know in the comments. (Free, various sizes, macOS 11 and 10.15)

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About macOS Big Sur 11.6.5 and Security Update 2022-003 Catalina

Notable Replies

  1. For what it is worth, my mid 2015 iMac 27 inch (can’t update beyond Big Sur) won’t even acknowledge the Big Sur update using Software Update. This also applied to 11.6.4. Anybody else had this problem?

  2. It can take an install’s own softwareupdate engine up to 24 hours to become aware of the newest update, and once aware it adds a random delay of up to 72 hours before informing the user that such an update is available (which sudo /bin/launchctl kickstart -k system/ usually resets). Apple does this to stop the entire planet from pummeling Apple’s servers & CDNs simultaneously. A restart will be required if you use that Terminal command.

  3. That is very helpful and thanks. In fact I have been trying to update 11.6.4 more or less since it came out (I habitually wait for about a month before updating anyway - usually Adam’s advice) and was wondering whyI was having problems. Just to clarify, are you saying that if I try to update before the update is for my Mac, I will have to use the sudo parameters each time? Again many thanks.

  4. That has been the experience of many, many enterprise ITs attempting to get updates immediately after release recently. Even the old way of using -R doesn’t seem to work now in Software Updates.

  5. Greetings, The latest update was installed on my MBP Catalina 10. 15.7 last night. Today none of my external Hard Drives will mount. They show up in Disk Utility but won’t mount. Tried a number of things in Disk Utility but no luck. Tried resetting nvram and SMC as well. It could be something else other than the update but I thought I would post here and see if anyone else had an issue. Thanks

  6. Before you do anything drastic, leave the drives connected and powered up for a few days.

    I saw something like this years ago (not part of a system upgrade, but after a system crash), where a drive wouldn’t mount. As it turns out, it was because the boot sequence detected a problem and started running the fsck utility to inspect/repair the volume prior to mounting. The process took a long time (many hours) to complete, but once it did, it mounted and seemed to work fine.

    To see if this is happening in your case, connect the drive and from a Terminal, type the command

    ps ax | grep fsck

    If you see any line other than the grep fsck command you just typed in, then the fsck command is running in the background. You want to let it run to completion, no matter how long it takes and anything you do to them (like unplug, reboot the computer, etc.) until it completes will likely make the process take even longer.

    Note that APFS volumes can take a long time to inspect, because it will have to inspect every snapshot. A Time Machine APFS volume will have a snapshot for every backup, which could take a very long time to complete.

  7. No issues here on a Mac Mini 2012 with Catalina. As David said, it could be running Disk First Aid.

    I had a problem recently where I thought I had ejected all of the volumes on a drive but apparently had not and when I took it back to the computer I normally use it with, only one volume came up. I ran Disk First Aid and it said it went through the process but some were not showing up. However, I waited for some time and then restarted and after that, they all reappeared although a bit slowly so you might have to be patient but in my case, nothing was lost.

  8. There’s a bug in macOS where you can eject a volume, but the icon will disappear from the Finder before the unmount operation completes. If you disconnect it during this time, then the system will need to inspect/repair it before it can mount again.

    This is especially significant if there are multiple APFS volumes (I see it big-time on my bootable backup media).

    The workaround is to run Disk Utility and wait for all the volumes to turn gray after ejecting the volumes. This may take a few minutes. And then for good measure, if your drive has an in-use light, wait for it to stop blinking before disconnecting it.

    I’ve reported this to Apple as a bug, but so far it hasn’t been fixed. If they would leave the drive icon in the Finder (desktop, sidebar, etc.) in a grayed-out form until the unmount completes, then most users would know enough to wait before disconnecting it.

  9. These were HFS volumes. It had never happened before like this one where I had some issues so thankfully it was not a big deal. I do have backups in any event.

  10. The one time when it took hours for fsck to complete was on an HFS+ volume, but I think it was before Apple implemented journaling (on a PowerPC running either 10.4 or 10.5).

    I simply mention it because even with journaling, a glitch can cause the system to run a full fsck when a volume is mounted, and it can take a long time, depending on the complexity of the directory structure (number of files, number of directories, fragmentation) and the extent of any damage it finds and needs to correct.

  11. I noticed that Samsung T5 and T7 SSDs will sometimes flash a red light after the icon has disappeared from the desktop. Would that be an example of the bug you described?

    FWIW, the red light alternates with a blue light, sometimes many times. Usually within 15 seconds (and often much sooner), the flashing stops and both lights go out. Occasionally, the blue light will remain, more faintly than when it alternates flashes with the red. Usually, but not always, this is when another external drive is connected (and it doesn’t happen every time that another external drive is connected). Any ideas what’s going on here?

  12. I found the T5 manual, which says that LEDs mean:

    • Solid blue: idle
    • Blinking blue: drive activity - reading and writing
    • One red flash: safe to disconnect

    So the single red-flash is good. It means the drive thinks it is safe to disconnect.

    In my searching, the T7 manual doesn’t mention any LEDs (does it have any?) The T7 Touch manual describes a “motion LED” has one one color, but with anumation:

    • Solid blue: connected to power
    • Turning off: idle
    • Animating: drive activity - data transfer
    • Blinking: standby for security unlock

    None of these modes indicate a safe-to-disconnect mode.

    It’s hard to say, since the Samsung manuals I found don’t describe this, but it definitely looks like macOS is continuing to access the drive during this time.

    The next time you see this, go launch Disk Utility and take a look at the drive. If it’s what I’ve been seeing on my drives, you will see that the drive is still mounted (the volume’s name is still black, not gray in the sidebar), even though the icon disappeared from the desktop.

    Wait for the unmount to complete (the name in Disk Utility will turn gray) and then for drive activity to stop (the LED stops blinking, whether it’s on or off) before disconnecting it.

  13. My Samsung SSD’s sound similar to yours. The blue light is normal behavior when a disc is being accessed. When I eject them, the red light appears for a second and goes off. But I don’t watch them consistently to know if there is any red and blue alternate flashing as you mentioned.

  14. Yes, the T7 has the same indicator as the T5.

  15. I’ll plug them in and give it some time and try ps ax | grep fsck in Terminal. The good news is nothing is corrupted. Two of the drives are formatted NTFS for compatibility with Windows, so I use NTFS for Mac. When I plug them into the PC with Windows 10 everything is as it should be.
    A drive dedicated to Time Machine formatted APFS doesn’t mount either. I’ll plug one in and let it do it’s thing for a while. Thank You. Patience is a virtue. :slight_smile:

  16. That’s good to know. It certainly can’t hurt anything to just wait and be patient. I appreciate the input.

  17. It’s a total guess, but I’ll suggest that the drive thinks it’s safe to disconnect (red blink), then macOS writes something (blue blink), then the drive thinks it safe to disconnect (red blink), then macOS writes something… Repeat as many times as macOS feels like. One anomaly is that sometimes the (faint) solid blue stays on after dismount and sometimes it turns off after dismount.

    I plan on doing that. Plan is the operative word; I have a short attention span.


    That has been my course of action. Perhaps I’m wasting up to 15 seconds (more commonly three seconds), and perhaps I’m saving myself great anguish.

  18. It’s really annoying to discover afterwards that a security patch destroys essential functions of our computers. With a previous update, it was the Intel HD4000 graphics card that didn’t read Open GL code anymore, which prevented the use of Google Earth and Firefox. It took five weeks to get this defect fixed. Now the last update 2022-03 breaks the read/write functions on my NTFS Bootcamp volume. This is unbearable! We should not be faced with the choice of reducing our needs to increase the security of our systems or breaking access ton NTFS volumes. Wake up in Cupertino ! To solve this issue you can test Mounty. Works for me…
    MacBookPro 2012 / Catalina 10.15.7

    all the best

  19. Thanks for posting the information. I didn’t realize the NTFS issue until I saw your post and tried to access one of my drives. It’s not something I use that often but I access it with Tuxera and have for years. I tried erasing a flash drive with NTFS and while the process completed successfully, it could not mount in Catalina yet mounts fine on an older computer running Leopard. Here is a link to the Tuxera page and workaround they posted:

    The app you mentioned looks easier so I will have to try that until it’s rectified.

  20. This took a long time. I mount the T5 less than once a day and I mount the T7 about once a week.

    With both the T5 and T7, a common sequence is for the drive’s icon to disappear from the desktop, the drive’s red light to come on (often alternating with the bright blue light), the drive’s icon in Disk Utility to turn gray, and then the drive’s red light to turn off (sometimes with another cycle of blue-red before the red turns off). After the red light turns off, almost half the time, a faint blue light remains; just over half the time, the faint blue light goes off.

    What does it all mean? Well, for me, it means I wait until either there is no light or the faint blue light, with no change for at least three seconds, before I disconnect the cable. If anyone is disconnecting the cable while the lights are blinking, I’d like to know if there have been any ill consequences (but I probably won’t change my behavior).

    Related to the title of this thread, I finally installed macOS 11.6.5, with no apparent problems (yet).

  21. That sounds like what I would do under the circumstances.

    If someone disconnects the cable before the drive finishes whatever it is doing, I would expect the file system journal to prevent any data loss, but I would also expect it to take longer (maybe as much as a minute or two) to mount the next time it is used, as the system inspects the file system and replays the journal.

    Since I wrote my post, I’ve been working with a WD Elements hard drive. It is formatted as ExFAT (for full read/write compatibility with Windows). When I eject it, the icon disappears immediately. Disk Utility shows it unmounted a second or two later. A few seconds after that, the single white LED goes into a slow-blink state (2 seconds on, 2 seconds off), which I believe means it is idle and safe to disconnect.

    I’ve also changed by clone/backup (hard drive) volumes from bootable (four volumes in the APFS container, including bound system/data volumes) to data-only backups (only one volume in the container). It still takes a few seconds after the icon disappears until the unmount completes and a few more seconds until the drive’s in-use light stops blinking, but it is much faster than it was when there were two bound volumes trying to unmount together (which would usually take more than a minute).

  22. Now I’ve found a problem. Similar to what I experienced with 11.6.1 (and reported in macOS Big Sur 11.6.1 and Security Update 2021-007 Catalina - #19 by Will_M), Time Machine is no longer completing backups, either on a Time Capsule or an external (spinning) drive. My recollection is that many days or weeks later, Time Machine just started working again, but maybe it was when I upgraded to 11.6.2.

Join the discussion in the TidBITS Discourse forum


Avatar for agen Avatar for alvarnell Avatar for spugh Avatar for Will_M Avatar for Shamino Avatar for jk2gs Avatar for pommier.denis Avatar for David_Simpson