hoakley September 13, 2021 Macs, Technology

What has changed in macOS 11.6?

Today’s update to take Big Sur from 11.5.2 to 11.6 isn’t as extensive as you’d expect for a ‘minor’ update. Its main purpose appears to be addressing two serious vulnerabilities, both of which are common to iOS, and are being exploited by malware.

The first is a vulnerability to crafted PDF files, identified by Mikey @0xmachos as being part of the Megalodon/FORCEDENTRY iMessage zero click exploit, involving a bug in CoreGraphics decoding of JBIG2-encoded data in a PDF file. The second is a vulnerability to crafted web content. Full details of the fixes are given here.

Other than those, Apple provides no information in its macOS release notes, nor is there any information for enterprise users.

Software which has changed version or build numbers between macOS 11.5.2 and 11.6 includes:

Books, single-point increment in build number to 2218
Migration Assistant, increase in version number from 11.5 to 11.6
loginwindow (CoreServices), significant increment in build number to 2024.6.2
AppleH11ANEInterface kext, version number increase from 4.75.0 to 4.76.0
APFS, including its kext and other components, a single-point increment in build number to 1677.141.2
SMBFS kext and file system, version number increase to 3.6.1
CoreFoundation, CoreGraphics, CoreServices, Foundation and ImageIO frameworks, increased build numbers
DirectoryServices framework, version number increase to 11.6
ModelIO framework, version number increase to 246.7
OpenDirectory framework, version number increase to 11.6
Ruby framework, version number increase to 11.6
OpenDirectory modules, many version number increases to 11.6
Some private frameworks have version or build increments, including AVConference, CoreServicesStore, DirectoryServer, GameKitServices, PasswordServer and RunningBoard
Spotlight’s RichText mdimporter has another single-point build increment.

There don’t appear to be any firmware updates, nor is there any change in the version or build number of Safari.

Although it does contain some minor fixes – that to SMB looks of potential interest – the 11.6 update is primarily a security update. So why has it been given a whole minor version increment? My suggestion is that Apple intends to number future security updates as 11.6.1, 11.6.2, and so on, rather than using numbered Security Update as in the past. In any case, this appears to be an additional and unplanned update, and the first of Big Sur’s two years in maintenance.

If you’re still running Mojave, this almost certainly means that your macOS is no longer supported by Apple, and may well be vulnerable to either or both of these bugs.

18Comments

Add yours

1

artiste212 on September 13, 2021 at 9:45 pm

Once again, thanks for the early heads up on an important security update. After installing 11.6, I ran Silent Knight. It’s surprising that a security update didn’t install the current version of MRT, but that’s the case. MRT took care of it for me just fine! 😉

LikeLiked by 1 person
- 2
  
  hoakley on September 13, 2021 at 10:41 pm
  
  Thank you.
  Howard.
  
  LikeLike
3

Paul McGrane on September 13, 2021 at 10:56 pm

I don’t think Mojave is entirely out to pasture yet. One of the 2 CVE’s in the Big Sur and Catalina updates is addressed by a Safari 14.1.2 update today that is also for Mojave. https://support.apple.com/en-us/HT212808

LikeLiked by 1 person
- 4
  
  hoakley on September 13, 2021 at 11:01 pm
  
  Thank you. It’s interesting that 11.6 doesn’t update Safari at all, and it remains on the previous build.
  Howard
  
  LikeLike
  - 5
    
    Paul McGrane on September 14, 2021 at 7:25 pm
    
    I sure have no idea but one might wonder if the problem is in the OS, so Apple was willing to fix it in Catalina and Big Sur, and simply patch around it in Safari while Mojave clings to life.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on September 14, 2021 at 7:30 pm
      
      Thank you. It might just be that it was easy to build a patched version of Safari to cover both OSes.
      Howard.
      
      LikeLike
- 7
  
  John on September 14, 2021 at 7:24 am
  
  I find it puzzling, and frustrating, that Apple won’t deign to explicitly declare support EOL for its software, like it does for its hardware. Forcing users to read the tea leaves, or guess, belies a lack of respect.
  
  LikeLiked by 1 person
  - 8
    
    hoakley on September 14, 2021 at 7:25 pm
    
    Thank you.
    Howard.
    
    LikeLike
9

Aaron Shepard on September 14, 2021 at 12:24 am

The New York Times talks here about this update and its importance for security:

LikeLiked by 1 person
10

almeath on September 14, 2021 at 1:36 am

Mojave was released on 24 September 2018. Seems Apple owed us this last security update with 10 days of official cover to spare. (I say in slight jest.. Apple makes the rules and can do whatever it likes)

LikeLiked by 1 person
- 11
  
  Gord on September 14, 2021 at 3:06 am
  
  I dread migrating my media library from the iTunes app to the Catalyst replacement apps, and I’d prefer to put that off as long as I can, so I do hope these security bugs also get fixed for Mojave. Maybe the security update for Mojave is just coming a little later, because it’s less of a priority?
  
  Wishful thinking on my part—you’re probably right that the “two-year” period of security support is now up.
  
  LikeLiked by 1 person
  - 12
    
    josehill on September 14, 2021 at 8:27 am
    
    Indeed. I’ve kept my main personal Mac on Mojave primarily because of my strong preference for iTunes over the post-Mojave replacement apps. I’m actually contemplating making a Windows computer my main computer for music so that I can keep using iTunes in a supported configuration.
    
    LikeLiked by 1 person
- 13
  
  Gord on September 14, 2021 at 3:36 am
  
  If these security issues are as bad as they seem to be, you’d think Apple would make an exception to the two-year rule, for the sake of whatever percentage of users are still on Mojave. I’m pretty sure there’s a precedent for that.
  
  LikeLiked by 1 person
  - 14
    
    hoakley on September 14, 2021 at 7:25 pm
    
    Thank you.
    Yes, there have been very rare exceptions. I think some of the CPU vulnerabilities were the last.
    Howard.
    
    LikeLike
    - 15
      
      Gord on September 15, 2021 at 5:55 pm
      
      I found a site that said 7% of Mac users are still on Mojave. Not huge, but nothing to sneeze at. Lots of users.
      
      Another reason I am a little reluctant to upgrade past Mojave is fear of the dreaded Mail.app data loss bug, introduced in Catalina. From a perusal of your MacOS bulletins, it seems like that bug was never fully addressed. Was it really not fixed, either in a Catalina update, or in Big Sur, or a Monterey beta?
      
      And does anyone remember: did the data loss bug only affect IMAP accounts, or were POP accounts hit by it too?
      
      Thanks for any guidance.
      
      LikeLiked by 1 person
    - 16
      
      hoakley on September 15, 2021 at 7:00 pm
      
      Thank you.
      Apple has been proud of its high adoption rate for new versions of macOS. It’s not surprising that there are quite a few still using Mojave, though, as it was the 32-bit divide. I still keep copies in VMs, just in case.
      The best person to check with on Mail’s bugs is Michael Tsai and his blog: he’s been tracking them carefully. I think the number of users reporting problems has been steadily shrinking, but there’ll always be a few, I suspect, as there were before Catalina.
      Howard.
      
      LikeLike
- 17
  
  hoakley on September 14, 2021 at 7:23 pm
  
  Thank you.
  The curious thing is that none of us can find the rules either: nowhere does Apple ever appear to have said officially how long it will support versions of macOS.
  Howard.
  
  LikeLike
18

Michael Tsai - Blog - macOS 11.6 on September 14, 2021 at 8:13 pm

[…] Update (2021-09-14): Howard Oakley: […]

LikeLike