OS X Security Update 2016-001: it is really OS X

Apple released an important, if not compelling, security update for OS X El Capitan 10.11.6 and Yosemite 10.10.5 late on 1 September 2016. There is also an equivalent Safari 9.1.3 update for users of Mavericks 10.9.5.

According to its release notes, the update addresses three significant vulnerabilities:

  • two vulnerabilities in the OS X kernel,
  • one vulnerability in WebKit, therefore updating Safari to version 9.1.3, which is available separately.

These vulnerabilities were the OS X versions of those fixed recently in iOS 9.3.5, which were being exploited there by NSO Group’s Pegasus hacking tool. There is no indication (yet) that they were being exploited under OS X, although other intrusion tools sold to hack into OS X could have been using them, or might have intended to.

Apple has released a standalone installer which will also perform this update for El Capitan, available from here, or you can of course use the normal App Store update feature.

At 414 MB, the installer appears to contain a minor system update for El Capitan, and could perhaps have been dubbed rather than just a security update. Among the other components which are updated are:

  • most Bluetooth support, including Bluetooth Audio
  • iOS Screen Capture
  • Web Clip widget
  • RAID Utility
  • System Image Utility
  • Setup Assistant
  • XProtect
  • many Apple kernel extensions
  • file systems, including acfs and hfs
  • many frameworks
  • emacs (22.1), dtrace.

This may therefore be Apple’s final intended update for El Capitan, before the release of macOS Sierra. It will be interesting to see if it has fixed any of the remaining bugs.

Updating is fairly straightforward and swift, although there is quite a long pause with just a dark grey screen, which can be worrying. Your Mac should sound a single startup chime, and at the end you will be returned to OS X without the need for any further login.