hoakley April 30, 2021 Macs, Technology, Updates

Apple has pulled Safari 14.1 update for Mojave and Catalina (updated)

Included in the macOS updates this week was Safari version 14.1 for Mojave and Catalina (this was also included within Big Sur 11.3 update). Apple has pulled those Safari updates today, apparently because on those two versions of macOS the update breaks WebAuthN.

If you have already updated Safari to version 14.1, and are running Mojave or Catalina, Mr Macintosh says that reinstalling macOS 10.14.6 or 10.15.7 over your current macOS, then applying security updates should roll Safari back to version 14.0.3 without wiping current user data.

If you haven’t yet updated Safari to 14.1, then you should avoid doing so until Apple has fixed this problem [see update below]. If you’re running Big Sur, then this shouldn’t apply to you, as it’s not thought that the bug affects 11.3, although that isn’t yet confirmed. We could be in for an update to 11.3.1 in the not too distant future. [We got it, but for other reasons, apparently.]

Update 0530 UTC 5 May 2021

Apple has now released updated versions of Safari 14.1 for Mojave and Catalina, which address the two serious vulnerabilities which have just been fixed in Safari for Big Sur, and apparently address the bugs in the previous update. Full details are here.

Following update, the build number of Safari (and all its component frameworks, etc.) should be 14611.1.21.161.7 on Mojave, and 15611.1.21.161.7 on Catalina. I strongly advise anyone still running those two versions of macOS to update as soon as they can, and confirm the build number is correct.

Those running Big Sur should of course already have updated to 11.3.1, which brings its own WebKit and Safari update to address the two serious vulnerabilities. Don’t delay installing this update, as Apple believes that both of these vulnerabilities are already being actively exploited.

Thanks to Justin for drawing my attention to this.

30Comments

Add yours

1

hstriepe on April 30, 2021 at 9:13 pm

On the beta program Apple uses a method to hide Safari on the system volume and install a beta app and framework on the Data volume. I wonder whether the same method is used for Catalina updates. Of course, the system volume on Catalina is not sealed, so this is not an absolute requirement.

LikeLiked by 1 person
- 2
  
  hoakley on April 30, 2021 at 10:02 pm
  
  Thank you.
  The better example is Safari Tech Preview, which includes all its own frameworks within the app.
  Howard.
  
  LikeLike
3

Bryan Wellander on April 30, 2021 at 11:04 pm

They messed the Safair on ios and ipados too. Just different issues. I am sure that we will see a lot of updates soon.

LikeLiked by 1 person
4

alvarnell on May 1, 2021 at 12:41 am

Not sure whether Safari 14.1 for Big Sur also breaks WebAuthn or not. Apple can’t pull it because, as indicated, it was included with macOS 11.3 update, so those users will continue to receive it with their update until a replacement is released.

LikeLiked by 1 person
- 5
  
  hoakley on May 1, 2021 at 5:13 am
  
  Thank you.
  Maybe we’re in for 11.3.1 very shortly? I still haven’t seen any reports of Safari problems with 11.3, though.
  Howard.
  
  LikeLike
  - 6
    
    alvarnell on May 1, 2021 at 6:00 am
    
    I have seen a few, but they are not the same as the one’s seen in Catalina and Mojave.
    
    LikeLiked by 1 person
7

b on May 1, 2021 at 2:48 am

But apple can piull the 11.3 update.

LikeLiked by 1 person
8

Mark Anderson on May 1, 2021 at 2:01 pm

Thanks for this. Too late for me: 14.1 on 10.14.6 but no issues, yet. 1Password certainly still working. For non-tech folks, what sort of browser activities should we watch for breaking? IOW, in lay terms what user activities generally involve WebAuthN?

LikeLiked by 1 person
- 9
  
  hoakley on May 1, 2021 at 9:24 pm
  
  I’ve been looking around to see where a problem with WebAuthn might catch a Mac user out, and it’s likely to be confined to TouchID and FaceID used to sign into web services. So the great majority of users aren’t likely to notice its absence.
  Howard.
  
  LikeLike
  - 10
    
    almeath on May 2, 2021 at 4:30 am
    
    Certainly not experiencing any issues on my 2019 iMac, blissfully unencumbered with Touch ID, Face ID or even a T2 chip.
    
    As much as I like Safari, I also keep Microsoft’s Edge and FireFox handy for emergencies. I would never let Google chrome get its tentacles into my system.
    
    LikeLiked by 1 person
11

BKDad on May 1, 2021 at 2:58 pm

Hmmm…

I wonder if a better plan these days is to use third-party applications in place of the supplied Apple versions. As much as I like Safari and Mail, bugs seem to pop up and cause real problems, not just annoyances. In the case of Mail, people have lost a lot of emails if they haven’t executed a back-up plan that saves their emails independently from Apple’s Mail solutions. Safari has been broken a few times over the past couple of upgrades.

LikeLiked by 1 person
- 12
  
  hoakley on May 1, 2021 at 9:32 pm
  
  With the exception of Mail and Notes, I generally use bundled apps. I don’t use Preview for anything PDF (which is why I developed Podofyllin), and try to avoid TextEdit (preferring DelightEd). But I seldom use any other browser, nor have I ever really had any lasting need to.
  Mail on the other hand sucks badly. I use Postbox instead.
  Howard.
  
  LikeLiked by 1 person
13

Dakotamoons on May 2, 2021 at 3:08 pm

Anyone using BRAVE as their primary browser, or not worth all the hype?

LikeLiked by 1 person
14

Jeff Hecht on May 2, 2021 at 6:22 pm

I made the mistake of accepting the Safari 14.1 update for Mojave and I can no longer access any of my three Gmail accounts through Apple Mail. It does not affect my icloud mail or mail to my personal domain. I can access Gmail through the webmail access on Firefox, which is my standard browser, but I prefer getting all my mail through Apple Mail, so this is a pain,

LikeLiked by 1 person
- 15
  
  hoakley on May 2, 2021 at 10:35 pm
  
  I’m not sure how a Safari update might alter Mail. Have you checked your Mail account settings meticulously?
  Howard.
  
  LikeLike
  - 16
    
    jeffhecht on May 3, 2021 at 12:12 am
    
    What may happen is that once WebAuthN is broken Apple Mail thinks the password for the email account is broken and asks the user to enter the password, but Apple routes those password inquiries through Internet Accounts which appears to be done by Safari.
    
    The bug bit my iCloud account a couple hours later, and I spent two hours on the phone with Apple. The good news was that they were able to fix it; the not-so-good news is that it took significant trial and error, and I don’t think they understand the situation yet.
    
    LikeLiked by 1 person
- 17
  
  John on May 3, 2021 at 6:57 am
  
  FWIW, no issues with Mail.app accessing Gmail here, after applying SecUpd 003 and Safari 14.1. Breaking practice, I threw caution to the wind for this latest round of Apple updates, and wouldn’t youi know it…
  
  OTOH, my confidence in Mail has eroded with each new version Apple produces.
  
  My understanding is that Catalina’s version didn’t even allow users to resize the list columns?!
  
  And overall, newer, more recentt versions, post 10.6 seem to lag, and “churn” in the background more, before producing results.
  
  I wonder if there is a modern equivalent to Eudora?
  
  LikeLiked by 1 person
18

Henry on May 3, 2021 at 11:55 am

Regarding the rescue procedure: ‘… reinstalling macOS 10.14.6 … over your current macOS, then applying security updates should roll Safari back to version 14.0.3 …’ I’m wondering to what extant — if at all — the security updates are cumulative? There have been 12 security updates since 10.14.6 (3 in ’21, 7 in ’20 and 2 in ’19). Do they all need to be re-installed? If so, do they have to be in sequence? Or do (at least some of?) the later ones incorporate the fixes of the earlier ones? TIA.

LikeLiked by 1 person
- 19
  
  hoakley on May 3, 2021 at 12:22 pm
  
  That’s a very interesting question, and I don’t know of any Apple documentation which might answer it. You certainly shouldn’t and can’t (I think) install them in the wrong order. But I don’t know if they are deltas or Combos in their contents.
  In theory, the simple answer might be to install whatever Software Update offers you. If that goes straight to the latest, at least that should include the current firmware update and presumably a matching kernel.
  One good way of telling is using Mints, which contains a check for the recent sudo bug. If you install the latest updater and that bug is also fixed, then it implies the update is a Combo or cumulative and does include the previous fixes.
  Howard.
  
  LikeLike
20

BKDad on May 3, 2021 at 12:32 pm

Is it my imagination, or have updates become much more problematic over the last year or so? If so, I wonder why.

It feels lousy to wait to update anything and let other people be the guinea pigs. But, the alternative isn’t very savory.

The tools Howard has provided have definitely saved me many hours of probable pain from these flawed updates. Bravo for Howard! Not so much for Apple.

LikeLiked by 1 person
21

Ivan Drucker on May 4, 2021 at 2:45 pm

I saw this problem in the flesh on a client computer running Mojave. There were simply several websites he could not go to without a “a problem repeatedly occurred” error, e.g. Suntrust Bank. Fortunately he was happy to simply use Chrome instead until Apple fixes it. More in Apple’s discussion forum here: https://discussions.apple.com/thread/252705424

LikeLiked by 1 person
- 22
  
  hoakley on May 4, 2021 at 10:01 pm
  
  Thank you.
  Howard.
  
  LikeLike
23

Justin McMurtry on May 5, 2021 at 12:56 am

Hi Howard. I just returned from a week’s vacation, and am assessing the state of my 2018 Mini running Catalina 10.15.7. According to SystHist, the last system updates installed were XProtect 2145 and MRT 1.78, both on Fri Apr 30, while I was away. SilentKnight says that my EFI firmware, currently v1554.80.3.0.0/18.16.14346.0.0, needs updating to v1554.100.64.0.0/18.16.14556.0.0, and reports that Software Update wants to install “macOS Catalina Security Update 2021-002” and “Safari14.1CatalinaAuto-14.1”. How do you recommend I proceed? Thanks.

LikeLiked by 1 person
- 24
  
  Justin McMurtry on May 5, 2021 at 1:13 am
  
  Update: I see that a new version of the Safari 14.1 Update for Catalina and Mojave was released today, May 4th (details available in Apple Support article HT212340) — not to be confused with the buggy original version, which was released on April 26th (details available in Apple Support article HT212318). It’s unclear whether the update that’s queued up to be installed on my system is the Apr 26 or the May 4 version; whichever it is, its size is reported in SilentKnight as “91266K”.
  
  LikeLiked by 1 person
  - 25
    
    Justin McMurtry on May 5, 2021 at 3:41 am
    
    Update #2: I first installed the Catalina Security Update 2021-002 alone, without the Safari update. After completing that, I installed the Safari 14.1 update, and it proved to be the corrected version. I’ve also learned that, in Catalina, the Safari 14.1 build number following installation of the buggy update released Apr 26th was 15611.1.21.161.5, whereas after the corrected update released May 4th, it’s the same except ending in “.7” rather than “.5”. (In Mojave, the build numbers of the two incarnations of Safari 14.1 are the same as stated above, except that they begin with “14” rather than “15”.)
    
    Incidentally, the Catalina Security Update 2021-002 knocked my MRT version from 1.78 back to 1.62! The MRT 1.78 update then came up for re-installation, and completed normally.
    
    LikeLiked by 1 person
  - 26
    
    hoakley on May 5, 2021 at 6:32 am
    
    Thank you – updated with credit and incorporated into a summary which is just published.
    Howard.
    
    LikeLiked by 1 person
27

markbot2zero on May 5, 2021 at 6:34 pm

Dear Howard,

A whine and a question:

1. Whine

I wish Apple would not issue corrective updates with the same version number as the original.

OK, so they botched the initial release of Safari 14.1. Then they compound the error for those of us in MacLand by issuing the fixed release with the exact same number. Is it that hard to bump the version to, I dunno, maybe 14.11?

It just makes a bad situation more confusing. It’s a nuisance having to track down build numbers, especially for me, whose clientele includes many elderly people.

“Oh, hello, Mrs. McCuddy. Could you repeat that please? Was that Build 15611.1.21.161.7, or 15611.1.21.161.5? I said, does it end in SEVEN or FIVE?”

2. Question

So you can open Safari and click About Safari and in the itsy-bitsy, tiny font there’s the build number (15611.1.21.161.7, 15611 and NOT labeled as such) after the Version Number.

Are there alternative ways of finding the build number?

Best regards,

-Mark

LikeLiked by 1 person
- 28
  
  hoakley on May 5, 2021 at 8:11 pm
  
  Thank you.
  I don’t agree about version numbers: minor changes and fixes should be reflected not in version number changes, but in the build number, and I think that was entirely appropriate here.
  The snag is that the Finder’s Get Info dialog, which is the easiest way to inspect version numbers, hasn’t heard of build numbers. So yes, they are hard to reveal. I must confess that I do this using Swift and inspect the build number of each bundle. I think the app’s About box is the only ‘easy’ way to read them.
  Howard.
  
  LikeLike
  - 29
    
    Justin McMurtry on May 6, 2021 at 6:05 pm
    
    I’ve noticed in recent years that some app developers have adopted the practice of appending the build number as an additional segment of the version number, which can be handy because it appears easily in the Finder (in a “Get Info” panel, and/or a “Version” column in list view). If applied to Safari, this would render the complete version number of the latest edition for Catalina as “14.1.0.15611”, or perhaps “14.1-15611”. Or at least, it would _if_ the “15611” were sufficiently specific, which apparently it’s not. I can’t help but wonder why the full build number of Safari has _five_ segments, all of which appear to be quite independent of the version number! Sheesh.
    
    LikeLiked by 1 person
    - 30
      
      hoakley on May 6, 2021 at 10:02 pm
      
      Thank you.
      Apple is actually quite prescriptive about what should be used for version and build numbers, although its own engineering teams don’t all follow the rules. In bundles, these are set in the Info.plist file as CFBundleShortVersionString and CFBundleVersion, which are quite distinct. Playing around with them can have disruptive side-effects, for example confusing Launch Services into opening the wrong version of an app. The failing is in the Finder, not the system.
      It’s also worth noting that once an app has been signed these can’t be changed, as any changes to Info.plist break the app signature very badly.
      Howard.
      
      LikeLike