What has changed in the Mojave 10.14.3 Supplemental Update?

macOS Mojave’s Supplemental Update for 10.14.3 is claimed to fix three security vulnerabilities:

  • The widely-described Group FaceTime bug which enabled the initiator of a call to force the recipient to answer.
  • A second bug found during security audit of the FaceTime service, involving Live Photos.
  • A memory corruption issue in Foundation which could allow an app to gain elevated privileges, and appears unrelated to the others.

Apple details these in the security release notes here.

The install amounts to 667 MB on disk from a download of nearly 1 GB, and replaces three major apps:

  • FaceTime, of course, which remains at version 5.0 but is now build 3080, and built on 3 February 2019;
  • Messages, which remains at version 12.0 but is now build 5500, also built on 3 February;
  • Safari, which remains at version 12.0.3 and shows build number 14606.4.5, and was built on 5 February.

One Widget is replaced, Web Clip, which was built, like Safari, on 5 February.

Several of the items in /System/Library/CoreServices are also replaced. These include MRT, which has updated dylibs, so has been signed afresh on 5 February, but hasn’t changed its version number. Remote management tools for screensharing and VNC/ARD have also changed. Seven of Apple’s kernel extensions are replaced, and many public and private frameworks.

Plenty of command tools are replaced in /usr/bin and /usr/sbin, and there is a complete new CUPS suite too.

Around 300 MB of the installation package is a complete set of current EFI updaters, although there are no changes to any firmware versions among those.

These may explain why the macOS fix for this vulnerability amounted to more than ten times the size of that for iOS.