Security Update 2020-003 (Mojave and High Sierra)

Apple has released Security Update 2020-003 for macOS 10.14 Mojave and 10.13 High Sierra, patching a variety of security vulnerabilities in the older operating systems. The updates address a denial-of-service issue related to AirDrop; patch multiple kernel vulnerabilities that could be used to execute arbitrary code, cause unexpected system termination, or read kernel memory; fix an out-of-bounds read in DiskArbitration that could allow a malicious application to break out of its sandbox; and resolve several Wi-Fi issues. (Free. For 10.14 Mojave, 1.68 GB; for 10.13 High Sierra, 2.11 GB; security content release notes)

Comments About Security Update 2020-003 (Mojave and High Sierra)

Notable Replies

  1. In Mojave, it also turns off softwareupdate --ignore. You can no longer hide individual updates (major or minor) when running Mojave. Your only option to avoid being hounded by notices for Catalina (or 10.16 when it comes out) is to turn off “check for updates” for everything, which means you won’t be notified of any future Mojave security updates either.

  2. Is this really true? Are they actually strong arming their users to expose themselves to Apple’s marketing? Against the users’ deliberate and explicit declaration of opt out? Really?

  3. I’m in a situation in which I don’t want Apple deciding when I upgrade or hounding me to do it. I’ve turned off automatic updates and can turn off check for updates. Sites like TidBITS let me know about the important packages.

  4. At least on Catalina turning off automatically check for updates does not remove the badge. Does it on Mojave?

  5. I just encountered the nagging Catalina update issue and posted a comment on another thread. The Terminal command to ignore Catalina now responds with:
    "Ignoring software updates is deprecated. The ability to ignore individual updates will be removed in a future release of macOS."

    In fact that should read “has been removed in the latest update”!

  6. TidBITS doesn’t normally notify us of the background Security and database updates that include such things as XProtect, MRT and Gateway updates, so you may have to watch elsewhere if you turn those off and have a method to manually update those.

  7. I guess I’m on enough Mac sites that mention those updates that I didn’t recognize TidBITS wasn’t one of them. I do see notes about them. I also run SilentKnight periodically (along with Onyx and some other maintenance apps); that picks up lagging versions of such updates.

  8. Aren’t those managed by the “Install system data files and security updates” checkbox?

  9. Yes, but you must also have “Check for updates” enabled for that to work. Steve mentioned that he “can turn that off.”

  10. You’re right, look at that. I’ve never turned that off, but the presence of the horizontal line separating the last option from the others suggested to me that it was independent. That’s bad UI—if the first checkbox controls the others, they should be indented under it.

  11. I’ve set the preference exactly that way, but XProtect and MRT are never downloaded automatically. Here is what I see in Install.log:

    2020-05-29 10:31:54+09 119-228-78-249f1 softwareupdate_download_service[1273]: startDownloadingPackagesWithIdentifiers: (
    "com.apple.pkg.MRTConfigData_10_14.16U4110"
    )
    2020-05-29 10:31:54+09 119-228-78-249f1 softwareupdate_download_service[1273]: startDownloadingPackagesWithIdentifiers: (
    "com.apple.pkg.XProtectPlistConfigData_10_14.16U4111"
    )
    2020-05-29 10:31:54+09 119-228-78-249f1 softwareupdate_download_service[1273]: ContentLocator: Looking up content locator for original URL: http://swcdn.apple.com/content/downloads/17/41/001-09568-A_SRAT5WXGOE/vffzshb0cynjiv06qmx5v8cf4u8bqhga6l/MRTConfigData_10_14.pkg
    2020-05-29 10:31:54+09 119-228-78-249f1 softwareupdate_download_service[1273]: ContentLocator: Looking up content locator for original URL: http://swcdn.apple.com/content/downloads/29/46/001-09569-A_FULD3PRVML/3bxzq6x0wocp7gknok09wrsxi0bonqpdy3/XProtectPlistConfigData_10_14.pkg
    2020-05-29 10:31:54+09 119-228-78-249f1 softwareupdate_download_service[1273]: ContentLocator: No modified URL found
    2020-05-29 10:31:54+09 119-228-78-249f1 softwareupdate_download_service[1273]: ContentLocator: No modified URL found

    Somehow the download fails to find the file to download.
    27-inch iMac 5K 2017, High Sierra 10.13.6.

    I use SilentKnight, which successfully downloads the latest version of XProtect and MRT.

  12. Sorry to change the subject, folks; this is a good conversation. But…

    I now have a machine that downloaded this update and a Safari update; then was shut down without clicking Restart; was started again later; and now shows the Safari update as installed and offers Restart for the security update.

    I click Restart, the screen goes black, and there we sit. I force the 2010 Mac Pro to turn off; turn it back on, log in, do as I please, then start AppStore, click Restart, and we are back in the loop.

    I have searched for, but do not find, a file (a .dmg perhaps?) that I can download to try to install the security update.

    Am I correct that there is no help from AppStore here? (If I click UpdateAll, it offers to restart.)

  13. Oops. HighSierra 10.13.6.

    (I have a technical reason for not moving yet to Mojave.)

  14. It seems that Security Update 2020-03 may have resolved a problem created in Security Update 2020-02 with Macs crashing while using hardware accelerated video. I just posted a link in the discussion for that earlier update.

  15. I called Apple Support. (See below in this message for details.)

    After trying all but the last on their list, the suggestion was: Reinstall macOS.

    I’m posting here for three reasons:

    • To report that Apple Support says others have reported the very same symptoms when trying to install this Security Update.
    • To report that Support will not escalate the problem because my 2010 Mac Pro is obsolete.

    And to ask: Does anyone have any suggestion, other than reinstall the OS?

    I suppose reinstalling from the Recovery partition is, in the following respect, no different than installing a new macOS version: namely, that none of my applications or data will be affected. (And that the re-install will take a long time. (I have a slow DSL line.) )

    … details …

    The gentleman at Apple Support took me through the drill: try restarting from the Apple menu; try shutting down from the Apple menu; reset SMC; reset NVRAM; boot in Safe Mode; boot Recovery partition >DiskUtility >FirstAid.

    Curiously, FirstAid said this: Can’t repair volume because other APFS volumes on its container are mounted. (Yes, they are.)
    Amusingly, it offered this: Unmount them, or perform repair while running from another macOS system (such as the Recovery system). (Ha!!)

    After the call, I ran FirstAid as a logged in user “using live mode,” and the file system passed all tests.

    The command, diskutil apfs list, shows, as usual, four volumes in the system drive APFS container, the system, VM, and two not mounted, Preboot and Recovery.

  16. I’m puzzled by something I’ve seen several times. A security update comes along and gets installed. A few days later I find the same security update is again waiting to be installed. The AppStore shows the latest security update has been installed twice, five days apart.

    Huh?

  17. I just saw that in the installation log (that I was reviewing for a comment in a different thread). Several entries were shown at least twice, and there was at least one entry (High Sierra) for an installation that I never made. As you said, “Huh?”

  18. For months now, on my wife’s High Sierra MBP every security update needs to be installed twice. I install it once and it downloads, installs, and restarts. Then upon launching the updates section I see that it claims the update is still there. So I select to install it again and it does the exact same thing: download, install, reboot. Then finally it claims no new updates. It’s a super annoying bug. And it’s been left this way without a fix now for months if not years. I don’t know how many updates I’ve had to install twice just because of this. Ugh. :exploding_head:

  19. In this particular case, I think Apple has re-released Security Update 2020-03 for High Sierra, so it makes sense that you’d see it again.

    But in general, I don’t have a good answer. I’ve not seen that problem before. I could imagine that if something caused the initial install to fail silently toward the end, it might try again and still show up in the logs as having completed twice. But that’s total speculation based on no evidence whatsoever. :slight_smile:

  20. blm

    What I saw in the past pretty regularly was that there would be a Safari and security update available and I’d tell it to install everything. It would download and install Safari, then download the security update and restart to supposedly install the update, but wouldn’t, and would eventually restart normally, but the security update would still be available to install, so I’d have to download it again, and then it would install. So what I’ve been doing recently is installing everything one at a time, with the security update last. That’s generally worked and it’s only taken one try to install the security update.

    While there are probably lots of causes to this sort of behavior, installing things one at a time fixed it for me, so it’s worth a shot if you’re seeing a similar problem.

  21. Sounds like the exact same thing I’ve been seeing on my wife’s MBP. Except that I already resorted to doing all updates separately and doing the security update at the very end. The security update still always seems to require two full installation cycles to actually acknowledge it’s been fully updated.

  22. [This was posted in the thread about the spate of security-related updates that did not include Mojave, so I’m guessing that it’s associated with Security Update 2020-03. -Adam]

    I received notice of an update for my Mac Pro running Mojave. I initiated the update. The process seemed to be working like all other updates. Then it shut down like it was going to restart. Then it never started. Black screen. Let it run for half an hour. Never came back.
    Shut it down, then tried restarting, with the same results.
    I recently replaced the video card with an RX580. It worked just fine for over six months this way until this update.
    Beware of this update. I really would like to know how to get my Mac working again.
    Val Pistilli

  23. Thanks, vpistilli. So the problem I reported in detail earlier in this thread occurs both in High Sierra (me) and in Mojave (you).

    Adam, I read the TidBITS notice of the replacement* for Security Update 2020-003, installed it, and still have this behavior: machine will not shut down, whether by shutdown command or by restart. (Cursor shows and moves; volume control keys show the popup and move the bar; other keyboard input recognized, but rejected with a dull beep.)

    Power off, boot, runs as expected until next attempt to shutdown or to restart.

    I still hope to see someone reply to my request for any suggestions of what to try before reinstalling High Sierra.

    Also whether reinstall from Recovery partition is the way to do that.

    Footnote: “Replacement” !! Let’s divert some of the rioters to Apple Park and have them take out the design department, or whoever decided that the name for the “replacement” update must–in order to preserve Apple’s reputation for a slick appearance–must not, can not, be allowed to be “Security Update 2020-003.1” or some such. At least break some windows. (Please remove this footnote if my suggestion is beyond the pale.)

  24. Much as I hate to say it, yes, I’d ensure that you have current backups (because, always), and then reinstall macOS. You’ll have to be careful to get the right version—see

  25. Thanks, much, Adam for the advice. And for the link.

    I certainly will have good backups (a Carbon Copy Cloner total clone, which I update daily and will again just before reinstall (plus TimeMachine, should I need to use it)). The CCC clone drive is internal in my old Mac Pro. I’ll pull that and the other drives before the reinstall. Belt and Suspenders.

  26. It appears that there was an update to Mojave, at least that’s what came up when I clicked on “software update” a few days ago. After I did install the update, a change occurred which I don’t understand. For some reason photos I added to the Photos app by scanning them are no longer able to be displayed as desktop background. Everything was fine before this update, and I can’t seem to find out anything about why this happened. “About This Mac” still shows OS 14.6.

  27. Does Security Update 2020-003 include fixes from 2020-002, or must they be installed sequentially on Mojave?

    TIA,
    Peter Donlevy

  28. Security updates have been combo updates for years now, so yes it contains everything needed.

  29. I’m using High Sierra 10.13.6, and after applying the update I checked under Apple Menu > About This Mac > Overview > System Report > Software > Installations, but the only listed Security Update is Security Update 2019-007 with Install Date:12/12/2019, 17:39; however, the App Store shows no updates available. Any ideas?
    Can it be that I used the http://dosdude1.com/highsierra/ patcher to allow installation on my MBP 5.2 early 2009?

    Thanks in advance,
    qil

  30. What’s the build number? ->About This Mac and click on the version number to see. Should be (17G13035) for 2020-003, but latest 2020-004 is out now which is (17G14019). 2019-007 is build (17G10021). If it’s (17G65) you only have 10.13.6 with none of the security updates that have come out over the last two years.

  31. Thanks for the reply!
    ->About This Mac shows version number 0.13.6 (17G14019)!
    How can it be that security updates are not listed on System Report > Software > Installations?
    That’s weird.
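
Added example (not part of the thread and not any commenter's code): the build-number check from the last replies as a Python sketch that derives the patch level from the build and compares it with the Installations list. The build-to-update table is taken from the reply above; the function names, the ordering assumption and the sample history list are constructed for illustration.

```python
import re

# Build numbers for macOS 10.13.6 exactly as quoted in the thread above.
KNOWN_BUILDS = {
    "17G65": "10.13.6, no security updates",
    "17G10021": "Security Update 2019-007",
    "17G13035": "Security Update 2020-003",
    "17G14019": "Security Update 2020-004",
}
BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)[a-z]?$")


def parse_build(build):
    """Split '17G14019' into (17, 'G', 14019); raise on malformed input."""
    m = BUILD_RE.match(build.strip().strip("()"))
    if not m:
        raise ValueError(f"not a macOS build number: {build!r}")
    return int(m.group(1)), m.group(2), int(m.group(3))


def patch_level(build):
    """Return (label, exact) for the newest known build <= `build`.

    Assumption: within one train (same '17G' prefix) a larger trailing
    number means a later build. Other trains return (None, False).
    """
    major, minor, number = parse_build(build)
    best = None
    for known, label in KNOWN_BUILDS.items():
        k_major, k_minor, k_number = parse_build(known)
        if (k_major, k_minor) != (major, minor) or k_number > number:
            continue
        if best is None or k_number > best[0]:
            best = (k_number, label)
    if best is None:
        return None, False
    return best[1], best[0] == number


def reconcile(build, history_names):
    """Compare the build-implied level with install-history entry names."""
    label, exact = patch_level(build)
    listed = label is not None and any(label in name for name in history_names)
    return {"build_level": label, "exact": exact, "listed_in_history": listed}


# Constructed input mirroring the last two comments: build 17G14019,
# but the Installations list only shows Security Update 2019-007.
REPORT = reconcile("(17G14019)", ["Security Update 2019-007"])
```

A result with `listed_in_history` set to False while `build_level` names a newer update is the situation described in the last two replies: the build number reports the patch level even though the Installations list does not show the update.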
