Skip to content
Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals
10 comments

Security Update 2019-001 (High Sierra and Sierra)

Apple has released Security Update 2019-001 for macOS 10.13 High Sierra and 10.12 Sierra, patching security vulnerabilities also dealt with by macOS 10.14.3 Mojave. Both updates address an out-of-bounds read in Bluetooth that could enable an attacker to execute arbitrary code, a memory initialization issue, a buffer overflow with FaceTime that could enable an attacker to initiate a FaceTime call and execute arbitrary code, and a couple of kernel-related memory corruption bugs. We’re hearing some reports of this update causing problems (see the comments), so we recommend holding off on it for a week or so. (Free. For 10.13.6 High Sierra, 1.83 GB; for 10.12.6 Sierra, 832.9 MB; security content release notes)

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About Security Update 2019-001 (High Sierra and Sierra)

Notable Replies

  1. Anecdotal only at this point, but one reader is reporting a bricked Mac after installing.

  2. Looks exactly like what some of us reported with the last security update. The only difference being, there we were able to boot into safe mode, re-install the update, and eventually get it to boot normally again.

    I really don’t understand what’s up with Apple’s QA/QC these days. With their tens of thousands of employees and millions of developers, their betas, public betas, and all the other hoopla, how hard can it be to test these macOS updates on more than just one config of the latest MacBook? How can you advertise the longevity of your hardware, when the required security updates tend to brick that hardware once it’s no longer the latest and greatest?

  3. This Security Update turned out to be a complete disaster for me on a 13-inch, Mid 2010 MacBook. Instead of applying the update it also tried to install Mojave. This MacBook is unsupported for Mojave so imagine my delight when, upon reboot, I was greeted with the barred symbol of a circle with a slash. Rebooting brought the same result. Rebooting while holding the Option Key showed a Recovery Volume for Mojave which also brought the barred symbol when I tried to boot from it.

    Since this machine only has USB2 it would take significant time to restore a clone so I opted to reinstall macOS High Sierra after booting from a Recovery Volume on a USB stick which has DiskWarrior. This part went as expected and took relatively little time and upon this reboot everything was pretty normal except for a few tweaks.

    I suppose operator error in that I had elected to stay at iTunes 12.6.5.3 while I slowly migrated App control over to iMazing. However, the delightful effort for Apple’s update system to move me to Mojave resulted in an install of a newer version of iTunes. I did not think about it or discover it until, on reboot, I was presented with the dialog box stating my iTunes Library was created with a newer version of iTunes and did I want to update. So, this borked my iTunes setup but thankfully, being able to restore a version of my iTunes Library.itl from my backup brought things back to normal.

    Something that should have been a straightforward Security Update wound up not being that at all and vacuumed up significant time I would have gladly used for something more productive.

    It also left me still needing to apply the Security Update again if I choose to take the gamble, update Safari again and oddly, it offers to update iTunes to 12.8.2. I say oddly because I previously had installed, and now reinstalled, the special version of iTunes 12.6.x that is not supposed to ask for updates.

    Sigh.

  4. Installed on 2011 iMac and a MacBook Air; no problem in either case.

  5. I used the App Store method. My laptop rebooted and started the installation but then kept throwing up a console log telling me I could find hints there about what was wrong. I have to say that the log was singularly uninforming. By holding down Option at boot time and choosing my normal startup volume I was able to get macOS up but that approach was needed for every restart. There was a folder (I can’t now remember the name) at the root level of my startup volume which had a whole lot of locked files and nothing I tried would let me delete it or anything in it. I wondered whether holding down Command+R at restart time would let me turn off SIP and then delete the strange folder but it turned out that the recovery volume was so damaged it would not boot at all. I went back to the normal startup volume and tried redownloading the update via “systemupdate”. Most of the packages would not install and those that would did not affect the restart behaviour (no key held down wound up at the console log, Option would let me choose the normal startup volume, Command+R would not work). I have made a practice of always creating an external bootable drive for all system versions so I booted from the High Sierra boot volume and reinstalled High Sierra on my laptop. That worked and I then applied the 10.13.6 combo updater and everything else App Store wanted except the 2019-001 security update. At that point, the App Store app did NOT propose installing 2019-001 and it was not clear why. However, 24 hours later 2019-001 popped up again. What I’m intending to do next is to wait a week, then use Carbon Copy Cloner to image my internal drive, then download the 2019-001 updater from the Software Updates web page, cross my fingers (and every other appendage), and see how that goes. Worst case will be another foul-up, in which case I will be able to boot from the image and Carbon Copy Clone the image back to the internal volume. An interesting side-effect of reinstalling macOS is that all my Safari saved passwords have vanished.

  6. Phew! Sorry to hear it was such a fuss. It sounds to me like there may have been multiple things wrong on your disk that the security update revealed. Reinstalling macOS was undoubtedly the right thing to do.

  7. What is fascinating about that idea is that I only upgraded the laptop to High Sierra two weeks ago (I always used to be one of the first to jump onto any new OS but in recent years I’ve tended to only go to “n.final” when “n+1” has a few updates under its belt). My standard practice is to build an external boot volume with the new OS, boot from that, run Disk First Aid on the volume to be updated, then run the install, the “final” combo updater, then anything App Store suggests. As it happens, Disk First Aid did have a few grizzles but pronounced the disk clean before I moved to High Sierra. That, of course, upgrades to APFS. When I found myself needing to boot from the external drive I again did a precautionary Disk First Aid and, again, it found and repaired a whole passel of issues which I put down to the failing 2019-001. I’ve just done another Disk First Aid and it declares the disk clean. As to “wrong” at a higher level, who knows? I also fiddle with Arduinos so I have (had?) several USB/UART drivers installed. Maybe those were in the way. The “had?” is because I have not yet checked to see whether they survived the reinstall. Unlike the person earlier in this thread who suggested this problem was typical of Apple’s recent decline in QA, this is the first major hassle I’ve had - since forever. I say that as a 1987-era “System 6” Mac person (and yes, I do remember, and did run, RamDoubler). To say that I’m highly surprised and slightly freaked out by the unusual outcome of applying a security update would be a bit of an understatement.

  8. Using MAS, I just ran 2019-001 security update on my laptop (running high sierra) together with updating safari. The latter would not update by itself: clicking its update button would pop a dialog telling me that safari’s plugins are used by spotlight and I need to quit it before the upgrade. Well, as we know, spotlight is a background process, spawning several threads, so I felt uneasy just killing it. However, upgrading safari seemingly worked after the security update restarted the computer. On the other hand, after the system restarted, MAS told me that I need to install the same 2019-001 security update. Hmm! Considering the problems mentioned by others, I might be lucky that the upgrade failed in a way that allows me to continue using my computer without further ado. I am postponing this upgrade until later date.

    Robert

  9. The exact same thing happened to me updating an old 2010 15" MBP I still sometimes use at work. After I thought the update had been applied and the MBP had rebooted, MAS showed the update again as available and didn’t list it as applied. So I selected to have it install again and the MBP eventually rebooted. This time MAS showed the update as applied/completed and didn’t suggest any other updates to apply. No idea what that was about. But since this is not the first time a recent macOS update has given me some form of grief on this older MBP, I wasn’t exactly surprised either.

  10. Here is my magic incantation:

    1. Optional for the extra cautious - use the latest Carbon Copy Cloner to image your internal HD to an external HD.

    2. Download 2019-001 for High Sierra from:

      https://support.apple.com/en_AU/downloads/macos

    3. Make sure Time Machine backups are up-to-date.

    4. Optional (but will save time in step 5), copy and paste this:

      for d in $(tmutil listlocalsnapshotdates); do sudo tmutil deletelocalsnapshots $d; done

    That will spit out some errors but ignore them.

    1. Boot while holding down Command+R, go into Disk Utility and run First Aid on the boot volume.

    2. Quit Disk Utility, then quit the tools and let the machine reboot normally.

    3. Run this command:

      sudo find /var/folders -name "*.csstore" -delete; sudo reboot

    4. After the machine comes back, run the 2019-001 installer from step 2

    Acknowledgements

Join the discussion in the TidBITS Discourse forum

Participants

Avatar for ace Avatar for agen Avatar for Simon Avatar for pmk.46j06 Avatar for mark4 Avatar for papagordie Avatar for rjb