Skip to content
Thoughtful, detailed coverage of everything Apple for 31 years
and the TidBITS Content Network for Apple professionals
6 comments

Security Update 2021-003 Catalina and 2021-004 Mojave

Apple has released Security Update 2021-003 for macOS 10.15 Catalina and Security Update 2021-004 for 10.14 Mojave, patching 36 security vulnerabilities in Catalina and 30 vulnerabilities in Mojave. Both updates address logic issues with the kernel that could allow an application to execute arbitrary code with kernel privileges, resolve a logic issue with AppleScript that could allow a malicious application to bypass Gatekeeper checks, and address several Heimdal-related memory corruption and logic issues. None of these vulnerabilities are actively being exploited in the wild, so there’s likely no harm in waiting a week or two before installing. If you notice any problems after updating, please let us know in the comments. (Free, various sizes, Catalina release notes and Mojave release notes, macOS 10.15.7 and 10.14.6)

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For 29 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

Comments About Security Update 2021-003 Catalina and 2021-004 Mojave

Notable Replies

  1. :warning: WARNING!!!

    Mojave Security Update 2021-004 breaks Kerberos! If you are bound to Active Directory using a Mobile AD account then you will have a very bad day.

    • System Prefs Unlock Hangs
    • SMB / AFP Shares will hang
    • Screen cannot be unlocked force reboot required
    • Azure login may not work.
    • NoMAD won’t load.
  2. I was able to create a workaround that should work until Apple releases a fix. I recommend you back up any files you make changes to prior to saving your work. Please follow these few easy steps below.
    Please update at your own RISK. These issues were resolved for me on two different workstations but I cannot guarantee that they will work the same for you.*****

    
    1. Open up the following two files (/etc/pam.d/authorization and /etc/pam.d/screensaver) in your favorite text editor.  You may need to open it as an admin.  I suggest using nano via terminal.  Open a terminal and enter sudo nano /filepath/filename
    
    2. Now remove the "use_kcminit" from each file and then save the file.
    
    
    /etc/pam.d/authorization
        # authorization: auth account
        auth       optional       pam_krb5.so use_first_pass **use_kcminit**
        auth       optional       pam_ntlm.so use_first_pass
        auth       required       pam_opendirectory.so use_first_pass nullok
        account    required       pam_opendirectory.so
    
    /etc/pam.d/screensaver
        # screensaver: auth account
        auth       optional       pam_krb5.so use_first_pass **use_kcminit**
        auth       required       pam_opendirectory.so use_first_pass nullok
        account    required       pam_opendirectory.so
        account    sufficient     pam_self.so
        account    required       pam_group.so no_warn group=admin,wheel fail_safe
        account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
    
    3. Once you have removed the entries you will need to reboot your Mac.
  3. Wow, @mashedgear - thank you VERY much for that fix!
    This was causing me headaches, locking up a remote machine I use for work, which meant having to ssh in to do a forced restart.
    One point: It looks like the formatting in your post marked the words “optional” in bold, and there are extraneous asterisks around the “use_kcminit” keyword in your post. So, if anyone else is confused, the instructions are to open each of those files, delete just that keyword (use_kcminit) at the end of the line, keeping the rest of the line.

    Very useful workaround!

  4. Made an account just to thank you. Thanks for saving the headaches! This solves all the login issues freezing/hanging, etc. Much appreciated. Works as of 6/25/2021 on Mojave after the update.

  5. Just like litePenguines, signed up for this site for thanking. Also could you plz elaborate abit on what are the purposes of thoese files and the meaning of parameters used in them that we removed. Thanks again…

  6. It’s a trend: I too signed up just to say thank you. After a few weeks, it finally got to be too big a pain to put up with, and yours was the second article I found. You’ve also saved me a lot of headaches. THANKS!

Join the discussion in the TidBITS Discourse forum

Participants