What has changed in macOS 11.6?

Today’s update to take Big Sur from 11.5.2 to 11.6 isn’t as extensive as you’d expect for a ‘minor’ update. Its main purpose appears to be addressing two serious vulnerabilities, both of which are common to iOS, and are being exploited by malware.

The first is a vulnerability to crafted PDF files, identified by Mikey @0xmachos as being part of the Megalodon/FORCEDENTRY iMessage zero-click exploit, involving a bug in CoreGraphics decoding of JBIG2-encoded data in a PDF file. The second is a vulnerability to crafted web content. Full details of the fixes are given here.

Other than those, Apple provides no information in its macOS release notes, nor is there any information for enterprise users.

Software which has changed version or build numbers between macOS 11.5.2 and 11.6 includes:

  • Books, single-point increment in build number to 2218
  • Migration Assistant, increase in version number from 11.5 to 11.6
  • loginwindow (CoreServices), significant increment in build number to 2024.6.2
  • AppleH11ANEInterface kext, version number increase from 4.75.0 to 4.76.0
  • APFS, including its kext and other components, a single-point increment in build number to 1677.141.2
  • SMBFS kext and file system, version number increase to 3.6.1
  • CoreFoundation, CoreGraphics, CoreServices, Foundation and ImageIO frameworks, increased build numbers
  • DirectoryServices framework, version number increase to 11.6
  • ModelIO framework, version number increase to 246.7
  • OpenDirectory framework, version number increase to 11.6
  • Ruby framework, version number increase to 11.6
  • OpenDirectory modules, many version number increases to 11.6
  • Some private frameworks have version or build increments, including AVConference, CoreServicesStore, DirectoryServer, GameKitServices, PasswordServer and RunningBoard
  • Spotlight’s RichText mdimporter has another single-point build increment.

There don’t appear to be any firmware updates, nor is there any change in the version or build number of Safari.

Although it does contain some minor fixes – that to SMB looks of potential interest – the 11.6 update is primarily a security update. So why has it been given a whole minor version increment? My suggestion is that Apple intends to number future security updates as 11.6.1, 11.6.2, and so on, rather than using numbered Security Updates as in the past. In any case, this appears to be an additional and unplanned update, and the first of Big Sur’s two years in maintenance.

If you’re still running Mojave, this almost certainly means that your macOS is no longer supported by Apple, and may well be vulnerable to either or both of these bugs.