
Security Update 2019-004 (High Sierra and Sierra)

Apple released Security Update 2019-004 for macOS 10.13 High Sierra and 10.12 Sierra a week ago and then pulled both updates quickly after MacBook Pro owners reported kernel panics on sleep. The company is now trying again with the security updates, which patch the same set of vulnerabilities already addressed in macOS 10.14.6 Mojave (see “Apple Releases macOS 10.14.6, iOS 12.4, watchOS 5.3, tvOS 12.4, and More,” 22 July 2019). In particular, the updates close several bugs that could let a remote attacker execute arbitrary code or read sensitive memory: a memory corruption issue in Bluetooth, a stack overflow in the libxslt library, and out-of-bounds reads in the UIFoundation and Foundation frameworks. The security updates also fix vulnerabilities in Quick Look and in the handling of Zip archives during extraction. (Free. For 10.13.6 High Sierra, 1.9 GB; for 10.12.6 Sierra, 927.6 MB; release notes)
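Because the re-released update keeps the same name and build as the pulled one, the install history is the easiest way to see whether, and how many times, it landed on a given Mac, and the Boot ROM string is where a firmware change from the same update would show up. The script below is an added example and is not from TidBITS or Apple: it reads `system_profiler SPInstallHistoryDataType` and `SPHardwareDataType` when run on a Mac and otherwise falls back to constructed sample output (the dates, the duplicate entry and the placeholder Boot ROM version are made up for illustration, not real values from the release).

```shell
#!/bin/sh
# Added example (not from the TidBITS article): list how often a named
# macOS update appears in the install history and print the Boot ROM
# version. Uses live system_profiler output on a Mac; elsewhere it uses
# the constructed samples below so the functions can still be exercised.

# Constructed sample of `system_profiler SPInstallHistoryDataType`.
# The dates and the duplicate 2019-004 entry are invented for illustration.
SAMPLE_HISTORY='Install Software:

    Security Update 2019-004:

      Version: 1.0
      Source: Apple
      Install Date: 7/23/19, 08:12

    Security Update 2019-004:

      Version: 1.0
      Source: Apple
      Install Date: 7/30/19, 19:41

    Safari:

      Version: 12.1.2
      Source: Apple
      Install Date: 7/23/19, 08:12
'

# Constructed sample of `system_profiler SPHardwareDataType`; the Boot ROM
# value is a placeholder, not a real firmware version.
SAMPLE_HARDWARE='Hardware:

    Hardware Overview:

      Model Identifier: MacBookPro14,1
      Boot ROM Version: 000.0.0.0.0
      SMC Version (system): 2.43f6
'

# Live output when available, otherwise the constructed sample.
install_history() {
  if command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPInstallHistoryDataType
  else
    printf '%s\n' "$SAMPLE_HISTORY"
  fi
}

hardware_overview() {
  if command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPHardwareDataType
  else
    printf '%s\n' "$SAMPLE_HARDWARE"
  fi
}

# count_installs TEXT NAME -> number of install entries titled NAME
count_installs() {
  printf '%s\n' "$1" | grep -c "^[[:space:]]*$2:[[:space:]]*$"
}

# install_dates TEXT NAME -> one "Install Date" value per NAME entry
install_dates() {
  printf '%s\n' "$1" | awk -v name="$2" '
    $0 ~ "^[ \t]*" name ":[ \t]*$" { want = 1; next }
    want && /Install Date:/ {
      sub(/^[ \t]*Install Date:[ \t]*/, ""); print; want = 0
    }
  '
}

# boot_rom_version TEXT -> the Boot ROM Version field, if present
boot_rom_version() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Boot ROM Version:[[:space:]]*//p'
}

main() {
  name="${1:-Security Update 2019-004}"
  hist=$(install_history)
  echo "$name is recorded $(count_installs "$hist" "$name") time(s):"
  install_dates "$hist" "$name" | sed 's/^/  installed /'
  echo "Boot ROM version: $(boot_rom_version "$(hardware_overview)")"
}

main "$@"
```

Run it with no arguments to check 2019-004, or pass another update name as the first argument. Two dated entries for the same name is the expected picture for anyone who installed both the pulled and the re-released build; it does not by itself say whether the second install replaced any files, which is a separate question answered by the package receipts rather than the history.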


Comments About Security Update 2019-004 (High Sierra and Sierra)

Notable Replies

  1. Like many people no doubt, I ran the 2019-004 update last week. I now see the 2019-004 update listed twice in the App Store: once as a new available update and once as an already installed update. I assume that this means that my Mac is protected from the vulnerabilities patched by this update and that I do not need to rush to install (or re-install) the update.

    When I eventually run the “new” update (since I assume that there is no way to refuse to install it) will it reinstall the patches or will it realize that the patches are already in place and leave my Mac as is?

    Thanks!

  2. So I also updated last week, and About This Mac shows macOS High Sierra version 10.13.6.

    Software Update shows it as a new update, but also that it did it last week.

    So should I run it again? Or, as Geoffrey says below, when I eventually run it…

  3. I’m sure it will do the right thing since Apple knows full well that people had installed before they pulled the Security Update. And if it were my Mac, I’d install the new version sooner rather than later—there was a reason Apple pulled and re-released it, so I think the best assumption is that the second version is better than the first in some way.

  4. The installer will likely replace any file that contains a newer created date, but everybody who has looked at the newer update has said that almost all of the files appear identical.

    Although Apple has not made any statements concerning the reasons for all this, it’s pretty clear that it only impacted T1/T2 users by creating sleep/wake kernel panics, so those users should run the update immediately. Others who feel a need to wait and who aren’t seeing any issues after the previous update can probably safely do so.

  5. Yes, I decided that too and did the update yesterday. All went well.

  6. I also ran the update, if only to get rid of the pesky notifications. :grinning: Everything went swimmingly.

  7. I’m one of the people who was negatively affected by the update. It was one of those rare instances in which I didn’t hold off applying a patch, and what I got for departing from usual practice were the advertised kernel panics on my 2017 MBP. I had to go through the typical round of troubleshooting steps with Apple to confirm that it wasn’t some third-party software or hardware issue. Things were so bad that the panics persisted even when I started the computer from an external drive with a fresh installation of 10.13.6, completely bypassing my locked and encrypted internal drive. Interestingly enough, when I took the computer to the Apple Store here, they determined that it needed an unspecified part replaced (but there was no mention of the update on their side). Could it be that the update broke something or revealed an underlying flaw, so much so that whatever it was had to be replaced? That’s a good reason to pull an update…

  8. blm

    I had to update (and download it) twice, but the second time it seemed to work fine.

  9. In that case, either your hardware issue was indeed to blame or it was related to the firmware update part rather than the OS update. In rare cases, hardware issues only get exposed after software changes. The issue has been there for a while already, but only after software changes does it actually manifest in crashes etc.

  10. Hi Adam,
    I installed the patch Security Update 2019-004 twice, each time the update was issued. Each installation seemed to work, however, after the second time I installed the -004 patch, I occasionally (on my Mac Mini) lose the arrow-pointer (cursor) for the mouse. To get the pointer back, I perform a “desktop” (multi-desktop) overview (that is, invoke “Mission Control”) for my screen. It is a simple work-around solution, although the situation is annoying.

  11. Comment 13 for this article. I hope that does not foretell that you folks will now find yourselves tired of my old complaint:

    Why in the world would anyone issue two different updates with the same number? I trust Apple is not embarrassed that they sometimes issue buggy updates. So why do they do this? My guess is that it is a matter of the all-important style. It would not look sharp to issue Security Update 2019-004.1. 2019-004a would look even less sharp. (Don’t tell me that I can find a distinct identifier somewhere. That would be missing my point.)

    Second rate, folks.

  12. It is interesting when they released the parallel update for Mojave, it was called the 10.14.6 Supplemental Update. The full version designation is 10.14.6 (18G87).

  13. I suspect size was the reason for that. The 2019-004 updates are 1.9 GB for HS and 0.928 GB for Sierra. The 10.14.6 Supplemental is only 0.955 GB, but the new 10.14.6 update is 2.67 GB.

    What I found unique was that they recompiled the 10.14.6 Installer Assistant (full installer), Update and Combo Updates to the 18G87 build, so that users who had not updated yet would not need to also install the Supplement.

  14. Agreed. It just adds unnecessary confusion.

  15. I wonder if there’s some Apple release policy about what level of change requires a new version number. With Take Control books, for instance, we had very specific policies that governed what was a X.0 release, and X.Y release, and an X.Y.Z release. And in fact, we did have the concept of a silent update for something like a trivial single-character typo fix we discovered within an hour of initial release. If only a few people had already purchased, it was easier and less confusing for everyone to just silently update the book than to update the version number in any way.

    For instance, if the problem was in the wrapper, rather than the internal code, that could explain why the overall version number didn’t change.

    Not defending it; just suggesting a possibility.

  16. I think that’s a perfectly reasonable guess, Adam. Alas, it now sounds like it was rather an issue with the actual firmware update code.

  17. Thanks for the interesting link, Adam.

    His analysis does paint a picture where Apple preferred not to communicate openly and retract updates in order to save themselves from embarrassment. Instead of just yanking all three updates, they chose to leave the OS update online, which continued to install the bad firmware. To make matters worse, they didn’t warn those with the affected 2016/2017 MBPs.

    What I find really disconcerting is that Apple apparently simply didn’t test the update sufficiently. The MBP is easily their most sold Mac and 2017 is well within their support range. How they could release a firmware update that they had apparently not tested on any 2017 MBP (13" or 15", TouchBar or not) is beyond me. Even more so since those are the only MBPs with the T1 that apparently triggers the kernel panics with that EFI version. I’d get it if they tested against only one T1 model, but no testing against any? C’mon.

  18. It has been some time, but I want to add this for the record.
    I agree with Simon that “Apple apparently simply didn’t test the update sufficiently.”

    But I insist that there is no excuse whatever for not checking every change (every single change whatsoever; period) on every machine model. (No testing against only one T1 model. Test against every model.)

    Testing is exercising software with the intent of breaking it.

    If, after testing against many models, the software has not yet failed, testing is not finished. If you are a good tester, you are determined to do your very best to break the software. If there are any models on which your tests have not been run, you are not finished. Try those. Perhaps one of them will break the software. That is your goal.

    Notice folks, that Google testers just the other day failed to test their software change on every computer model out there. You know what happened.

    Credit to Google for owning up to their failure.
