
Security Update 2020-004 (Mojave and High Sierra)

Apple has released Security Update 2020-004 for macOS 10.14 Mojave and 10.13 High Sierra, patching a couple of security vulnerabilities in the older operating systems. The updates for both Mojave and High Sierra address an issue with the Vim command-line text editor that could allow a remote attacker to cause arbitrary code execution, and the update for High Sierra also improves CoreAudio bounds checking to prevent buffer overflows from resulting in arbitrary code execution. (Free. For 10.14 Mojave, 1.68 GB; for 10.13 High Sierra, 2.11 GB; security content release notes)


Comments About Security Update 2020-004 (Mojave and High Sierra)

Notable Replies

  1. I have Mojave. I must have a conflict with a third party app (between DropBox, ProXPN, LastPass, Little Snitch). I’ve had different apps “freeze” for about 30 seconds: Safari, Mail. The issue is neither reproducible nor consistent in when it happens. I wonder if only certain apps are affected and perhaps only after I restart my laptop.

  2. I use DropBox, LastPass, & Little Snitch with Mojave and am not seeing any such problem. Freezes such as you are experiencing with browsers and email apps are often due to Internet issues, especially your DNS provider. You might want to discuss that with your ISP or try alternative DNS services.

  3. Hmmmm… Nothing about High Sierra Security Update 2020-003, which, for some folks, fails to complete installation and leaves the machine with three features: 1. Will shut down only two ways: a) from the initial screen, before anyone has logged in or b) by holding the power button to force shutdown. 2. Asks every day if the owner would like to install High Sierra Security Update 2020-003.

    This just in: AppStore now offers only -004, no longer -003. I am afraid what might happen if I try to install it. I need my machine.

    (I’m in the process of setting up to migrate to a newly arrived MacPro. I won’t use this forum to tell that long and still underway story. Meanwhile, I’ll limp along with the good old antique MacPro (late 2010). Without High Sierra S U -003 and -004.)

  4. I think Malwarebytes was causing a similar problem for me. Now I run it periodically and shut it down when not using. Also check activity monitor to try to isolate

  5. After the 002 & 003 debacle, I too am very cautious about the 004 update (to Mojave). I’m hanging back waiting for comments and results from other braver souls. No news is good news???

  6. I let Software Update install the 2020-004 update on my MacBook Pro with Mojave (and Dropbox and Little Snitch). The installation process appeared to succeed, but when the Mac rebooted it promptly crashed with a kernel panic (a page full of white text on a black screen).

    When I restarted the MBP, Software Update indicated that -004 was still available to be installed.

    I went through the update process again, and this time it succeeded.
    After reboot, the CPU was extremely busy for over an hour. Activity Monitor indicated various processes related to indexing and Time Machine (backupd, mdworker, etc), as well as “pkd”, a process I’ve never noticed before. Other than that, no mysterious side effects, no stalls, or freezes.

    Presumably, my MBP is now twice as secure, since the -004 update has been installed twice :grinning: .

  7. I had no issue with the -004 update on High Sierra (not running Dropbox, LastPass, or Little Snitch, though; I have my own row of icons across the menu bar). Mid-2014 MBP 15"

  8. Haha! I’ll be sure to let my wife know. :smiley: Her 13" MBP (still on HS, last supported OS for that 2010 Mac) always needs its sec updates installed twice. The first time around it reboots fairly quickly to then only show the app store updates page indicating the sec update is still waiting to be installed. WTF? So what did I just download those 3GB for??? Anyway, the second time around it then actually installs the update. This has been going on like that for several updates already (and reported in another instance here). Clearly a bug. Anybody still think Apple’s QA/QC hasn’t tanked as of late? Ugh. :exploding_head:

  9. To be fair, there’s a difference between Apple QA issues and local problems. If a large number of Macs suffer from some problem, it’s Apple’s responsibility and it’s a QA failure. If a handful of Macs suffer from some weirdness, it’s probably related to some local configuration or corruption and thus not something Apple would be able to fix.

    Such as I have with installing any security update on my iMac, through multiple macOS versions.

    It might be interesting to look in System Information > Software > Installations and see if it’s really being installed twice or if the first install is failing for some reason.

  10. Oh no, the install only really happens once. What the shenanigans on the first download/“install”/reboot iteration are I have no idea. I’d check system logs, but that no longer works ever since logging on macOS was “improved”.

    This happens on different types of Macs on both HS/Mojave (to my knowledge) and with different types of setups. I’m confident this is a bug. And I’m pretty sure Apple simply feels no great urge to devote resources to it because it’s older versions of macOS and older hardware that’s predominantly affected. I’ve reported it, several times actually. Alas, crickets.

  11. Yeah, I keep reading Howard Oakley’s explanations of how to do log checking and it boggles my mind. I really don’t get why Apple changed the logging approach.

    Have you tried running the install from a clean admin account? That fixes my problem and shows that whatever the reason is somehow related to issues with my account.

    When I search on keywords that would seem related, I find only a handful of results. It’s obviously happening, and your wife’s MacBook Pro isn’t unique, but it would seem to be quite unusual. Are you seeing a lot more reports with some other searches?

    https://www.google.com/search?q=%2BmacOS+security+update+install+%2Btwice

  12. Yeah, it happens independent of which user account the update is initiated from.

    I don’t know what that search query is supposed to prove. This bug has come up in at least three different locations on this board alone and not a single one of those show up with your search. As I already mentioned, Apple has previously received all the relevant information they need to fix the issue should they so feel inclined. I doubt their Google search results are relevant.

  13. It indicates that 2020-004 was installed 3 times on my Early-2015 MBP (Mojave), in the span of twelve minutes.
    Similarly, 2020-003 also got itself installed three times, on 2020-05-31.
    2020-002 - three times on 2020-03-24.
    Pretty consistent behavior.

    These triplicates started with my upgrade to Mojave. The /Installations list shows that the various 2019 Security Updates only happened once.

    One might conclude that Apple’s QA is now so poor that they’ve decided it’s best to install each Security Update three times, hoping to ensure that one of them actually works😷.

    When Apple posts -005, I’ll try to remember to install it from a clean admin account and see if it makes a difference. That’s a good idea.

  14. What the search results suggest is that not that many people are posting about the problem. It’s obviously fuzzy, but whenever I’m trying to evaluate someone’s suggestion that I write about some problem they’re experiencing in TidBITS, it’s one of the ways that I use (assuming I can’t easily reproduce the problem myself) to try to determine if the information will be helpful to a large number of people. There are huge numbers of inexplicable problems out there, but if they’re related to unusual local conditions, it’s very, very unlikely that Apple would ever change code to address them, especially since a change might introduce other problems.

    All I’m saying is that not everything odd that happens on a Mac is Apple’s fault, or even within Apple’s control. And even when an issue is theoretically within Apple’s control, there are other factors that often result in it staying unresolved, not the least of which are how many people will be affected and the potential downside of touching that code. So while it’s easy to say that Apple’s QA has tanked, security updates seemingly installing twice on a particular MacBook Pro running a several-year-old version of macOS doesn’t feel to me like a good example.

    iOS 13’s release and frantic update schedule was the poster child for Apple QA (or, more likely, management) problems; the question is if this year’s releases will be more stable. :slight_smile:

  15. I would also reboot before installing and only log into the clean account. It feels to me like there’s something that’s causing the first two installs to fail to complete—permissions, a corrupt flag file, etc. What I can’t figure out is what would change for the third.

    (@Simon’s problem of two installs actually feels more explicable, since I could see the first install failing but leaving the machine in a state where it can accept the second install; it’s much weirder to have two attempts fail and only the third work.)

  16. This is not a one off. It happens with every single sec update. It’s a persistent bug, not some random flag or error that gets reset upon the successful second iteration. Apple has been informed multiple times about it.

    I’m not going to bicker with you about if and how much blame Apple deserves for this ****show.

  17. I didn’t say it was a one-off. I’m just saying it’s not a common experience. The problem I have on updating from my normal user account is similarly bad and has persisted through multiple versions of macOS. But since it doesn’t affect hardly anyone else, I consider it my problem to resolve, not Apple’s. It’s a puzzle, and a particularly tricky one, since I can only test when a new update comes out. (Well, I suppose I could virtualize my account and try multiple updates, but it’s not worth that much effort.)

    You’re welcome to blame Apple for your problem, but it might be easier to adjust your expectations than to wait for them to fix it, since if it hasn’t happened by now, it’s unlikely to ever happen.

  18. For what it’s worth, my MacBook Pro Mid 2012, currently running macOS 10.14.6, has been double-, triple-, and even quadruple-installing security updates beginning with Security Update 2018-001. Not one update since then installed just once. Why am I one of the potentially many users with this experience that Apple hasn’t heard from about this problem? For one, until just now, when I read the thread above, I was unaware of the multiple installations.
    What I do know, and that refers back to one of the earliest posts in this thread, is that my Mac also just sits there and thinks (ahem) for 20–30 seconds perhaps two or three times a day. I have been unable to discern a real pattern or reason for this annoyance.

  19. One additional recommendation from me. Dismount and detach everything except the drive you are applying the update to. If you need a wired keyboard and / or mouse, those should be the only things attached. That has been shown to eliminate problems such as have been outlined here for a number of users.

  20. I’ll throw my two cents into the pot. First, I found the logs by clicking on About This Mac, then System Report…, then Software > Installations. Was that the correct place to look?

    Typically, I do my day-to-day stuff in a User account. About once a week, I will log out and log into an Admin account and then install any updates. Recently, I have begun to reboot the MacBook before logging into the Admin account. Perhaps I started this before the most recent Security Update, perhaps not.

    It’s a MacBook; when I’m installing updates, I’m connected to an external display and using an external keyboard and mouse, obviously through the USB. All external drives are unmounted. Those that take external power are powered down but connected; those that are bus powered are disconnected. Almost always, at least one and more recently two ethernet networks are connected, again through the USB.

    With all that said, I have installed five Security Updates since I installed Mojave. All five show as double installations, 7 to 14 minutes apart. (Two of them are shown as “Security Update : 10.14.6” and might be the same one; if so, the double installations were two months apart.)

    Personally, I see the double installations as a much smaller issue than the lack of feedback from the Macintosh during installations. Whether the Mac is doing once, twice, or more, it should let me know that it’s doing something.

  21. iMac (Retina 4K, 21.5-inch, Late 2015)
    Mojave 10.14.6

    Wow. I’ve never noticed anything amiss with the installation of Security Updates, but curiosity prompted me to look at the About This Mac > System Report > Software > Installations ‘log’ and I see that all system updates going back to at least 2018 show up as having been installed twice on the order of 10 minutes apart. There’s no way to tell in this view of the ‘logs’ if there was an installation failure, or if this is normal behavior.

    Is this just an indication of a two part installation process where the system reboots in the middle?

    I’ll reiterate that I have not had to reinitiate any of these installations/updates after a failure. It just appears in this version of ‘logs’ that something is happening twice each time.

  22. My MacPro 2010 just got a new EFI 580 Radeon this week when it came on the market because I wanted to see the Apple start-up screen and updated to Mojave from High Sierra. The problem Apple and I couldn’t fix with Apple Mail after hours of trying was fixed. Even Safari was working better and things are looking good.
