macOS Sierra 10.12.2 and security updates (updated)

The macOS Sierra 10.12.2 update was made available through the App Store today, accompanied by much more detailed release notes and a very long list of the security vulnerabilities which it addresses.


On this iMac17,1, this took less than half an hour to install. It proceeded with two full restarts (marked by startup chimes, sorry if you’ve got a new MacBook Pro), and after the second there was a period of several minutes during which only a black screen was displayed. Do not panic or try to shut down or restart: your patience should be rewarded. At the end of all that, there was no login required, as the Finder just magically re-appeared.

Apple has already made the downloadable Combo update from 10.12 available here. It is 2.05 GB in size, and the incremental update (from 10.12.1) is available here at a mere 1.94 GB. It looks like the Combo update is the better bargain.

MacBook Pro (late 2016)

One important point for those with new MacBook Pros: although the update is claimed to fix the problem of SIP being turned off on some computers, I have already seen a report that it still fails to fix them all. If you have a new MacBook Pro (or any other new Mac, perhaps), read this article for details on how to check this, and a simple free tool to use.

Apple has now made it possible to turn SIP on without entering Recovery mode. According to One More Admin, the shell command
sudo csrutil clear
followed by a restart will address this.

It currently looks as if ‘ordinary’ users updating from 10.12.1 to 10.12.2 should have no further problems with SIP, as that should ensure it is enabled. Users who appear to be at most risk of this not working, and leaving SIP disabled in spite of updating to 10.12.2, are those who have had beta-releases of 10.12.2 installed before making the full update.
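
A post-update check for the SIP state discussed above, added here as an example and not taken from this article or the tool it links to. It assumes `csrutil status` prints a `System Integrity Protection status:` line, followed by a `Configuration:` list when individual protections have been changed; the function names and the sample text are constructed for illustration.

```shell
# Classify `csrutil status` text on stdin: enabled | disabled | custom | unknown.
classify_sip() {
    state=unknown
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "System Integrity Protection status:"*"Custom Configuration"*) state=custom ;;
            "System Integrity Protection status: enabled"*) state=enabled ;;
            "System Integrity Protection status: disabled"*) state=disabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# List protections reported as disabled (assumption: "Apple Internal" is normally off).
weakened_protections() {
    while read -r line || [ -n "$line" ]; do   # default IFS trims the indentation
        case $line in
            "Apple Internal: disabled") ;;
            *": disabled") printf '%s\n' "${line%: disabled}" ;;
        esac
    done
}

# Summarise the state; return 0 only when no protection is switched off.
sip_report() {
    out=$(cat)
    case $(printf '%s\n' "$out" | classify_sip) in
        enabled)  echo "SIP enabled"; return 0 ;;
        disabled) echo "SIP disabled: run 'sudo csrutil clear' and restart"; return 1 ;;
        custom)
            weak=$(printf '%s\n' "$out" | weakened_protections | paste -sd, -)
            [ -z "$weak" ] && { echo "SIP custom configuration, nothing disabled"; return 0; }
            echo "SIP partly disabled: $weak"; return 1 ;;
        *) echo "SIP state not recognised"; return 2 ;;
    esac
}

# Constructed sample modelled on csrutil's custom-configuration output.
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: disabled
'
# On a Mac, check the live state; elsewhere, use the constructed sample.
if command -v csrutil >/dev/null 2>&1; then csrutil status; else printf '%s' "$SAMPLE_CUSTOM"; fi |
    sip_report || echo "Follow-up needed"
```

The non-zero return from `sip_report` lets management tooling flag Macs that still need attention after the update.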

One controversial change is that Apple has removed the ‘Time Remaining’ estimate of battery endurance from recent MacBook Pro models. This is apparently because of inherent inaccuracies in its forecasts. This information remains available from the Terminal command
pmset -g batt
and from several utility widgets such as iStat.

What is fixed?

Initial indications are that some old cosmetic Finder bugs remain, but it looks like the problem with alias icons has been fixed. I will provide a more detailed report on bugs left in 10.12.2 over the coming days.

One important security vulnerability in FileVault is fixed: if you use FileVault in Sierra, this update is essential and urgent, as explained here.

This update includes Safari 10.0.2. Appropriate fixes are also available in security updates for OS X Yosemite 10.10.5 and El Capitan 10.11.6, which should be available now through the App Store.

Among the issues addressed in 10.12.2 are:

  • setup and reliability of Auto Unlock
  • taking screenshots of the Touch Bar using Grab or Command-Shift-6 (MacBook Pro)
  • graphics issues on the new MacBook Pro (Late 2016)
  • setup and opt-out for iCloud Desktop and Documents, and the delivery of Optimized Storage
  • audio quality with Bluetooth headphones
  • stability of Photos
  • incoming messages from a Microsoft Exchange account to Mail
  • installation of Windows 7 and 8 using Boot Camp
  • improved screen resolutions on some external displays.

Safari 10.0.2 has many security fixes, mainly in WebKit, most of which address problems arising from processing crafted web content.

Among the significant security fixes in 10.12.2 are:

  • PHP is updated to version 5.6.26
  • several fixes in Bluetooth
  • fixed the processing of malicious strings in CoreFoundation
  • curl is updated to version 7.51.0
  • several vulnerabilities in the handling of maliciously crafted font files
  • several fixes to the kernel
  • OpenLDAP no longer uses RC4 as the default cipher
  • 3DES is removed as a default cipher in Security
  • security certificates are now properly validated.

I cannot see any mention of the SIP vulnerability being addressed yet.

Updated 15 December 2016 at 2205 UTC.