Skip to content
Thoughtful, detailed coverage of everything Apple for 30 years
and the TidBITS Content Network for Apple professionals
15 comments

Security Update 2020-005 (Mojave and High Sierra)

Apple has released Security Update 2020-005 for macOS 10.14 Mojave and 10.13 High Sierra, patching a couple of security vulnerabilities in the older operating systems. The updates for both Mojave and High Sierra address a sandbox logic issue that could allow a malicious application to access restricted files and an ImageIO issue that could lead to arbitrary code execution when processing a maliciously crafted image. The update for High Sierra also resolves an issue with Mail that could allow a remote attacker to alter application state.

We recommend avoiding Security Update 2020-005 for Mojave for now. Numerous problems are being reported, including issues with creating new users. The High Sierra update does not seem to be causing problems and even addresses a problem with PPPoE connections. (Free. For 10.14 Mojave, 1.69 GB; for 10.13 High Sierra, 2.12 GB; security content release notes)

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For 29 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

Comments About Security Update 2020-005 (Mojave and High Sierra)

Notable Replies

  1. Security Update 2020-005 High Sierra fixed a bad bug. The release note doesn’t say anything about it, but I observed the following change on my 2017 iMac 5K running macOS 10.13.6 High Sierra:

    In July 2020, I installed Security Update 2020-004, 10.13.6 High Sierra (17G14019). After that, if my iMac sleeps and then wakes up, at first it works fine, but after a few minutes, Internet connection disconnects itself. The PPPoE menubar icon shows the disconnected status, and if I use that menu and select the ‘connect PPPoE’ item, it tries to connect, but fails. The only way to connect to the Internet was to open System Preferences, open Network pane, select ‘PPPoE’ from the sidebar, and then click the ‘Connect’ button. Then the Internet connection (Fiber-optic connection by a Japanese ISP) would come back. But then if my iMac sleeps and wakes up, the same thing would happen again.

    This was the situation with Security Update 2020-004. (I had NEVER seen the problem before that.)

    On Friday (September 25, Japan Time) Security Update 2020-005 High Sierra (17G14033) came out. I installed it. After that, now that 50 hours have passed, but the problem never occured again. Internet connection is 100% reliable now. Somehow, 2020-005 must have fixed something about my PPPoE connection.

    Apple’s macOS Catalina 10.15.7 release note says:

    • Resolves an issue where macOS would not automatically connect to Wi-Fi networks

    I guess this might be related…?

  2. Freaky. We must have had an odd collision when editing, since Josh’s save overwrote the change I made to the draft to point out the problems. The article is fixed now, with the link to the thread here.

    We recommend avoiding Security Update 2020-005 for Mojave for now. Numerous problems are being reported, including issues with creating new users.

  3. Unfortunately I promptly installed both the security update and the Safari update as well. The only issues I have had since the install has been with printing to a local USB printer. No matter what the application, I will get the spinning beachball of death. I found that a reboot of the machine made that one go away.

    Haven’t (yet) seen any of the other issues being reported.

  4. And some others won’t either. Several Enterprise IT’s have run tests which show that installing Safari 14 first and then probably any Security Update (2020-005 and -004 for certain) will cause issues. They are seeing none of these issues when a Security Update is installed first.

  5. interesting. On my sample size of 1 Mac running Mojave, I installed Safari 14 before the Security Update, and other than not being able to create new users, I personally haven’t experienced any of these stated issues

  6. I encountered the same frustration with the Security Update 2020-005. My Mojave OS slowed down to an unbearable crawl taking 15 minutes to complete any operation. Ran DiskFirstAid in Recovery mode and uninstalled Avast antivirus problem. Mojave was slightly better but still not great. Decided to upgrade to Catalina 10.15.7 and everything works fine. Catalina installed without any issues.

  7. Haha! :smiley: Maybe that was the plan all along. Get those HS/Mojave holdouts to finally update to Catalina! :wink:

  8. I won’t be trying your “suggestion”, Simon! :stuck_out_tongue_winking_eye:

    But I found this “new user” problem over the weekend while trouble-shooting a HDD/S.M.A.R.T. problem. I attempted to create a new user several times (holding my tongue as many different ways as I could) but without success.

    I even tried again just now and discovered that the OS “remembers” the user names I have already used, even though none of those users appear anywhere I can see. Obviously, parts of this process are working. Hope to see a fix ASAP, even though it won’t do anything for my HDD problem…

  9. As a matter of policy, we almost never change any TidBITS article that has been sent out in email; we consider it set in stone at that point unless there’s some major confusion that could result.

    The reason is simple. Everything changes. If we allowed ourselves to go back to update articles to account for what had changed in the interim, we’d never do anything else.

    Ideally, the comments should make it clear when the world has shifted since the publication of the article, and your question and my response should make that clear for anyone who stumbles on the associated article but doesn’t see any of our subsequent coverage.

  10. That policy (not changing things after some significant event, such as sending by email) makes sense.

    In this particular case, it was a different thread that provided the all clear (and even it was not, to my mind, fully unambiguous), so I wasn’t sure. You have now provided the follow-up I was seeking. Thank you.

  11. FWIW, on my personal blog, when something like this happens, I will add a paragraph to the start or end of the article beginning with “UPDATE :”.

    The only time I ever change the original article after publication is to correct typos or to fix broken links (usually with Wayback Machine links) when I discover them, but nothing that would change the actual content.

    Of course, I usually don’t post more than 2-3 articles a week to my blog, so I can do things like this, which a site like TidBITS could never consider doing (except maybe for extreme exceptions).

Join the discussion in the TidBITS Discourse forum

Participants