UPDATE 04/10/20: I have noticed increased traffic to my Mac BridgeOS DFU Restore Article. I looked around a bit and found a small number of reports that the 10.15.4 Supplemental Update is bricking T2 Macs. To the user the Mac seems dead. I had 3 different reports sent to me and found 3 other report posts. The good news is, a BridgeOS restore was able to bring some of the Macs back to life.
In a surprise today, Apple released a new Supplemental update for macOS Catalina 10.15.4. This update weighs in at 1.01 GB and is available now for all 10.15.4 Catalina users. This update looks to fix 4 different issues. Apple also updated BridgeOS and re-released a new installer.app, combo update and delta update.
The Catalina 10.15.4 Supplemental Update Includes the following fixes.
macOS Catalina 10.15.4 supplemental update improves the stability and security of your Mac.
Fixes an issue where Mac computers running macOS Catalina 10.15.4 could not participate in FaceTime calls with devices running iOS 9.3.6 and earlier or OS X El Capitan 10.11.6 and earlier
Resolves an issue where you may repeatedly receive a password prompt for an Office 365 account
Fixes an issue where MacBook Air (Retina, 13-inch, 2020) may hang in Setup Assistant or when disconnecting and reconnecting a 4K or 5K external display
Resolves an issue where a USB-C port in your Mac may become unresponsive
BridgeOS update
The T2 BridgeOS was updated in this macOS Catalina Supplemental Update.
T2 BridgeOS Version = 17.16.14281
Current and Previous Build Versions of 10.15
10.15.4 = (19E287) April 8th, 2020 = Current Release
If I deployed/cached the old 10.15.4 Installer.app for OS Upgrades, do I need to redeploy?
Do I have to replace my deployable 10.15 Installer.app? – Yes
If you deployed the old version of the 10.15.4 (19E266) Installer, you should update it to the new (19E287). If you don’t, your users will have to install the new Catalina Supplemental Update after installing or upgrading.
Security Content
The Supplemental Update does not list any Published CVE entries.
Some Intel GPU Only Based MacBook Airs are Freezing / Crashing while using Video Conf apps like Zoom After installing the 2020-002 Security updates.
After Apple released the 2020-002 Security Updates, some users started to report that their Mac would freeze up when using GPU Hardware Accelerated apps or video.
UPDATE 05/26/20 – Apple has just released the 2020-003 Security Update for macOS Mojave 10.14 and High Sierra 10.13. Please let me know if the new update fixes the issue for you!!!
UPDATE 05/18/20 – On Friday I tested Zoom client v4.6.8 on a 2017 MacBook Air with 10.13.6. I experienced a freeze & 5 different app crashes on a multi user meeting. Today I installed 2020-003 Beta and did not see a single crash for over 6 hours on the same meeting. The 2020-003 Security Update is looking really good, but I still would like to see more confirmations. If you installed 2020-003 Beta and it fixed the issue for you, please let me know. I am hoping the update is released tomorrow or sometime this week!
UPDATE 4/29/20 – Today Apple released the Developer Beta version of 2020-003 Security Update for Mojave and High Sierra. I am trying to find out if it includes a fix for this issue. I will update you as soon as I have more information.
UPDATE 4/28/20: The consensus amongst users is upgrading to Catalina fixes the issue. The only problem with this is, some users have reported other GPU related weird issues in 10.15.4. Sometimes the system will freeze for a few seconds in Finder, Safari or performing other tasks. The good news is, even if the Mac does freeze (only for a few seconds) it will not require a hard power down. With that said, you could upgrade to Catalina and not have any of the above issues! If you are cautious, it might be better to wait for an update from Apple.
UPDATE 4/08/20: As the update is installed on more Macs, reports continue to come in. Apps like Illustrator and Animate from the Adobe Creative Cloud Suite are now causing freezing. A MacAdmins User who has a ticket in says Apple is aware of the issue and is actively working on a fix.
UPDATE 4/03/20: MacAdmins User Bollman decided to test the latest Zoom installer (4.6.9) and has not had any crashes for 6 hours. I loaded up (4.6.8) 3 times to confirm the crashes and gather additional logs. Then I updated to Zoom 4.6.9 and have not had any crashes for over an hour. I added this new information to the workaround section below. I can’t explain this, as the Zoom update patch notes only mention updates to fix the installer issues brought up by Security Researchers.
UPDATE 4/02/20: New reports are still rolling in. As each new report rolls in with a confirmed .gpuRestart log, I will add that application to the affected list below. The issue might not be only related to Video Conference Apps. Some users are seeing the issue with anything that is related to Hardware Accelerated Video: full screen video, video in Safari, or YouTube.
I reported on a similar issue in August of 2019 when the macOS Mojave 10.14.6 Update started to cause Kernel Panics if you used the Built In FaceTime Camera.
This article has seen a big uptick in traffic as of a few days ago. Then I started to receive emails from users who were having their Mac freeze up after installing the Security Updates. After that the reports started to come in on MacAdmins Chat.
In this article, I will give you an overview of the issue. In the end, I will show you a few workarounds that might work until Apple releases a fix.
Let’s dive right in and see what’s going on here.
Table of Contents
1. Affected macOS Build Versions
2. Affected Mac Hardware & Intel GPU Versions
3. User Reports
4. What is the Issue? Mac will Freeze up requiring a hard shutdown
5. .gpuRestart Freeze Log Report
6. Software that can cause the Freezing Issue
7. This time around the issue CAN be reproduced
8. Why rolling back with Automatic Update Snapshots will NOT work.
9. Workarounds
10. If you are seeing this issue, please let Apple know.
11. Conference Software Freezing Issue Links
12. Hat Tip/Credits
1. Affected macOS Build Versions
This issue affects the following macOS Build Versions.
Catalina 10.15.4 Update (19E266) March 24th, 2020
Mojave 10.14.6 Security Update 2020-002(18G4032) March 24th, 2020
High Sierra 10.13.6 Security Update 2020-002 (17G12034) March 24th, 2020
2. Affected Mac Hardware & Intel GPU Versions
I have looked over a bunch of MacAdmin and User reports. It looks like the affected machines are 5th Generation Intel HD Graphics GPU only based Macs.
This is the Hardware that we think is affected so far.
1. 2015 MacBook Air
2. 2017 MacBook Air
3. 2015 12″ MacBook
4. 2015 13″ MacBook Pro
5. 2015 21.5″ iMac
Intel only GPU Versions
1. Intel HD Graphics 6000
2. Intel HD Graphics HD 5300
3. Intel Iris 6100
4. Intel Iris Pro 6200
If you have the issue on other Macs like the Mac Mini or older Macs, please do not hesitate to Contact Me.
3. User Reports.
The first report came in just two days after Apple released the Security Updates.
Anyone have issue with Zoom 4.6.7 for the Mac running on 10.14.6 where the use of the internal camera causes it to crash.
The next day more detailed reports started to roll in.
We’ve seen hard crashes on macs running 10.13.6 with latest security update (17G12034) and latest zoom version 4.6.8 (19178.0323). So far, 4 out of 80 machines with this combination of OS and zoom. What’s more in common with these machines is that they are MBA 2015 (non-retina). Anyone else seeing problems with latest security update on 10.13.6?
After doing this job for many years, I get a sense when things are starting to become an issue. It was not until this post came in on the following Monday.
For those running 10.15.4 (or latest 10.14/10.13 Security Update 2020-002 update) on the following hardware, can you try starting a zoom video conference (possibly may happen with other video conference software)? do you experience a hard crash?
After Balmes posted this, it was enough for me to take a closer look. Sure enough, users have started to report the same issues.
4. What is the Issue? The Mac will Freeze up requiring a hard shutdown.
UPDATE 04/01/20: After posting the article, I am getting a ton of reports that this issue is not just Video Conference Apps. Users are saying the Freeze / Lockup issue happens when using GPU Hardware Accelerated Video. This could be full screen video based activity.
How does the issue start? All you need to do is use some type of Video Conference Software that has multiple users with video enabled.
Once in the meeting the affected Mac can freeze up within one minute!
After the Mac Freezes, it will become 100% non responsive. The screen will freeze up and you will not be able to force quit. The only thing you can do is force power down the Mac.
5. .gpuRestart Freeze / Crashing Log Report
After you power up the Mac again, macOS will say that it was shut down due to a problem. At this point you need to look at the log to find the .gpuRestart log file.
UPDATE 04/02/20: To get the .gpuRestart log to show up, you have to let the Mac stay on the frozen screen for at least a few minutes.
/Library/Logs/DiagnosticReports
You can also do a quick search by running this command:
sudo ls -lah /Library/Logs/DiagnosticReports | grep -F .gpuRestart
Or use the Console.app, select “System Reports”.
A look at the console app and a few 2017 MacBook Air .gpuRestart error log files.
Application example: Google Chrome He - Slack Helper (GP - zoom.us
Graphics Hardware example: Intel HD Graphics 6000 - Iris Pro 6100
Signature example: 803 - 802 - 806
6. Software that can cause the Freezing Issue
The following software can cause your affected Mac to freeze up. Below is a list of confirmed applications with a confirmed .gpuRestart freeze.
Zoom.us
Slack
Webex
Teams
Skype
BlueJeans
FaceTime
Sublime Text
Google Meet
Google Hangouts
Adobe Creative Cloud apps
Illustrator & Animate
VMWare Fusion
Spotify Helper
AnyDesk
ScreenConnect
Visual Studio Code
NOTE: Some of the new reports say that this happens when running the Video Conference Software from a Chrome Browser.
7. This time around the issue CAN be reproduced
I am able to reproduce this issue. If you would like to see what happens all you need to do is setup your Mac with the following.
2015-2017 MacBook Air
10.13.6 High Sierra with the 2020-002 Update installed.
Install zoom.us
Join any zoom meeting with multiple active users with their camera activated.
Join with Computer Audio. You can activate your own video or not; it does not matter.
Wait
Within about 1-5 min the MacBook Air screen will completely freeze and become unresponsive. You will need to hard power it off.
UPDATE 04/01/20: I was able to ssh into one of the MacBook Airs that was frozen. You can run commands like top and others. I attempted to force quit zoom.app and that did not change anything. I also tried to kill the loginwindow, but no go. Finally, I attempted to restart the device with sudo reboot. I got the message that the ssh connection was closed, like it was going to reboot, but it didn’t.
8. Why rolling back with Automatic Update Snapshots will NOT work.
You might think, what if I roll back to a previous version of Mojave before the Security Update? In the past, this might have worked as the Update or security update is supposed to take an automatic tmutil localsnapshot before installing the update. If something went wrong you could boot to recovery and restore from that snapshot taken just before the update.
In this case that will not work because Update Snapshots are no longer working since 10.15.3!
9. Workarounds
Most issues like this have some type of workaround. Sometimes a workaround is found by accident or after hours of testing. This time around a few users on MacAdmins Slack have reported the following workarounds.
UPDATE 4/02/20: We are now hearing that Apple Support is recommending that users upgrade to macOS Catalina 10.15.4 to fix the issue. I can’t confirm if this fixes the issue but after looking at a large amount of .gpuRestart logs, I have not seen one from 10.15.4 yet. Many users are writing to me that after updating to 10.15.4, they are not having the freezing issue anymore.
UPDATE 4/03/20: For users who are having the freezing issue when using the Zoom.app, update to the latest version (4.6.9) and you should not see any more crashes.
Disable Zoom’s “Enable hardware acceleration for receiving video” option in the application video preferences. Scroll down and then hit the advanced button.
If the issue is happening in Chrome, some users found success with turning off “Use hardware acceleration when available” in Preferences > Advanced > System.
Use Firefox instead of Chrome when joining a browser based conference meeting.
Use conferencing in a browser instead of the application. An example of this is zoom. If you cancel out of the constant prompts to download the zoom.app, you will finally get an option to “Join Meeting with your Browser”
If you find any other workarounds please Contact Me
10. If you are seeing this issue, please let Apple know.
The only way to let Apple know that this is a big issue is to file a Feedback Report, AppleCare Call or an Apple Enterprise Support Ticket.
This will help Apple Prioritize the issue.
11. Conference Software Freezing Issue Links
I created a MacAdmins Chat Channel to discuss the issue.
12. Hat Tip/Credits
Bollman – MacAdmins Slack User who did a ton of testing. He also spun up a zoom meeting room where we could all test.
bp – MacAdmins Slack User whose post got me to take a closer look.
vplc – MacAdmins Slack User who was able to get me info and logs
Georgia – MrMacintosh Reader who was able to quickly answer a bunch of questions along with logs and a sysdiagnose.
Apple Engineer – Who jumped on the issue almost immediately after being invited to the #conf-freezing-issue chat. Gathered logs and FB and Enterprise Support Tickets to help get attention on the issue.
Everyone who emailed me, shared information in Slack, DM’d me or shared my article. Without your help I wouldn’t have been able to put all this information together.
Today, Apple released macOS Mojave Security Update 2020-002 and High Sierra Security Update 2020-002. Below you will find Build Versions, Download Links, Update Sizes and previous Security Update Links. MacOS Sierra is no longer supported by Apple for Security Updates.
How do I keep track of all the macOS Build Versions?
I document all of the macOS Build Versions like the latest Mojave 2020-002 High Sierra 2020-002 along with most Apple Applications, XProtect, Gatekeeper and MRT updates in one database. You can check out the link below.
Security Update 2020-002 Mojave, Security Update 2020-002 High Sierra
Released March 24, 2020
AppleGraphicsControl
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed with improved state management.
CVE-2020-3904: Proteas of Qihoo 360 Nirvan Team
Bluetooth
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-3907: Yu Wang of Didi Research America
CVE-2020-3908: Yu Wang of Didi Research America
CVE-2020-3912: Yu Wang of Didi Research America
Bluetooth
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2020-3892: Yu Wang of Didi Research America
CVE-2020-3893: Yu Wang of Didi Research America
CVE-2020-3905: Yu Wang of Didi Research America
Bluetooth
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitization.
CVE-2019-8853: Jianjun Dai of Qihoo 360 Alpha Lab
IOHIDFamily
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3919: an anonymous researcher
IOThunderboltFamily
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6
Impact: An application may be able to gain elevated privileges
Description: A use after free issue was addressed with improved memory management.
CVE-2020-3851: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and Luyi Xing of Indiana University Bloomington
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3914: pattern-f (@pattern_F_) of WaCai
libxml2
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz
libxml2
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size validation.
CVE-2020-3910: LGTM.com
Mail
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A remote attacker may be able to cause arbitrary javascript code execution
Description: An injection issue was addressed with improved validation.
CVE-2020-3884: Apple
TCC
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: A maliciously crafted application may be able to bypass code signing enforcement
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3906: Patrick Wardle of Jamf
Mojave 2020-002 High Sierra 2020-002
The Security Update 2020-002 for Mojave and High Sierra is now available.
Security Updates for macOS 10.14 & 10.13 are now Available.
The macOS Catalina 10.15.4 Update is now available.
macOS Catalina 10.15.4 Update (19E266) is now Available.
10.15.4, Catalina’s fourth update, which is sometimes called the “Spring Release Update”, is live! macOS Catalina 10.15.4 is now available for download as a full installer.app, delta and combo update. Let’s take a look at the Catalina 10.15.4 Update (19E266) to see what’s new.
UPDATED: 03/26/20
10.15.4 Patch Notes Summary
12 New Features
7 Resolved Issues
20 Security Fixes
7 Enterprise Content Fixes
Apple’s Public Patch Notes / Release Notes Documentation
NOTE: Apple Documentation takes a bit to come online, I will update when the articles are posted.
With folder sharing in iCloud Drive, you can share entire folders of files with friends, family, or colleagues. Then, you can work together on your iPhone, iPad, iPod touch, Mac, or iCloud.com.
If you use smart card to log in to your Mac and reset your Active Directory password from another computer
If you reset your Active Directory password from another computer and use smart card and FileVault, learn how to log in to your Mac in macOS Catalina 10.15.4 or later.
macOS Catalina 10.15.4 introduces iCloud Drive folder sharing, Screen Time communication limits, Apple Music time-synced lyrics view, and more. The update also improves the stability, reliability, and security of your Mac.
Finder
iCloud Drive folder sharing from Finder
Controls to limit access only to people you explicitly invite, or to grant access to anyone with the folder link
Permissions to choose who can make changes and upload files, and who can only view and download files
Screen Time
Communication limits for controlling who your children can communicate with and be contacted by throughout the day and during downtime
Playback control of music videos for your children
Music
Time-synced lyrics view for Apple Music, including the ability to jump to your favorite part of a song by clicking a line in lyrics view
Safari
Option to import Chrome passwords into your iCloud Keychain for easy AutoFill of your passwords in Safari and across all your devices
Controls for duplicating a tab and for closing all tabs to the right of the current tab
HDR playback support on compatible computers for Netflix content
App Store with Apple Arcade
Universal Purchase support enables the use of a singular purchase of a participating app across iPhone, iPod touch, iPad, Mac, and Apple TV
Pro Display XDR
Customized reference modes that you can tailor to specific workflow needs by selecting from several color gamut, white point, luminance, and transfer function options
Accessibility
Head pointer preference for moving a cursor on the screen based on the precise movements of your head
This update also includes bug fixes and other improvements:
High Dynamic Range output to HDR10-compatible third-party displays and TVs connected with DisplayPort or HDMI
OAuth authentication support with Outlook.com accounts for improved security
CalDav migration support when upgrading to iCloud reminders on a secondary device
Addresses an issue where text copied between apps may appear invisible when Dark Mode is active
Resolves an issue in Safari where a CAPTCHA tile may display incorrectly
Fixes an issue where you may receive notifications for updated or completed reminders
Fixes an issue with screen brightness for the LG UltraFine 5K display after waking from sleep
Enterprise content:
Apple Push Notification Service traffic now uses a web proxy when specified in a PAC file
Resolves an issue where updating the login keychain password after resetting a user password would cause a new keychain to be created
After enabling “Search directory services for certificates” in Keychain Access preferences, searching by email address in Keychain Access or Mail now locates a user certificate stored in directory services
When setting the DisableFDEAutoLogin key in com.apple.loginwindow, you can now sync your FileVault password with the Active Directory user password after updating the user password
Reinstates the ability to update or restore iOS, iPadOS, or tvOS devices by dragging .ipsw files to the device in an Apple Configurator 2 window
Addresses an issue where sending the EraseDevice MDM command might not cause the device to be erased
When logging in as an Active Directory user after using deferred FileVault enablement, the user is now prompted for their password to enable FileVault
Some features may not be available for all regions, or on all Apple devices.
NOTE: Listed below are only security fixes for 10.15, fixes for 10.13 and 10.14 are listed in my 2020-002 security update article.
Apple HSSPI Support
Available for: macOS Catalina 10.15.3
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2020-3903: Proteas of Qihoo 360 Nirvan Team
AppleGraphicsControl
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed with improved state management.
CVE-2020-3904: Proteas of Qihoo 360 Nirvan Team
AppleMobileFileIntegrity
Available for: macOS Catalina 10.15.3
Impact: An application may be able to use arbitrary entitlements
Description: This issue was addressed with improved checks.
CVE-2020-3883: Linus Henze (pinauten.de)
Bluetooth
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A local user may be able to cause unexpected system termination or read kernel memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2020-3907: Yu Wang of Didi Research America
CVE-2020-3908: Yu Wang of Didi Research America
CVE-2020-3912: Yu Wang of Didi Research America
Bluetooth
Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2020-3892: Yu Wang of Didi Research America
CVE-2020-3893: Yu Wang of Didi Research America
CVE-2020-3905: Yu Wang of Didi Research America
Call History
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to access a user’s call history
Description: This issue was addressed with a new entitlement.
CVE-2020-9776: Benjamin Randazzo (@____benjamin)
CoreFoundation
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to elevate privileges
Description: A permissions issue existed. This issue was addressed with improved permission validation.
CVE-2020-3913: Timo Christ of Avira Operations GmbH & Co. KG
FaceTime
Available for: macOS Catalina 10.15.3
Impact: A local user may be able to view sensitive user information
Description: A logic issue was addressed with improved state management.
CVE-2020-3881: Yuval Ron, Amichai Shulman and Eli Biham of Technion – Israel Institute of Technology
Icons
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to identify what other applications a user has installed
Description: The issue was addressed with improved handling of icon caches.
CVE-2020-9773: Chilik Tamir of Zimperium zLabs
Intel Graphics Driver
Available for: macOS Catalina 10.15.3
Impact: A malicious application may disclose restricted memory
Description: An information disclosure issue was addressed with improved state management.
CVE-2019-14615: Wenjian HE of Hong Kong University of Science and Technology, Wei Zhang of Hong Kong University of Science and Technology, Sharad Sinha of Indian Institute of Technology Goa, and Sanjeev Das of University of North Carolina
IOHIDFamily
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3919: an anonymous researcher
Kernel
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: An application may be able to read restricted memory
Description: A memory initialization issue was addressed with improved memory handling.
CVE-2020-3914: pattern-f (@pattern_F_) of WaCai
Kernel
Available for: macOS Catalina 10.15.3
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed with improved state management.
CVE-2020-9785: Proteas of Qihoo 360 Nirvan Team
libxml2
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved bounds checking.
CVE-2020-3909: LGTM.com
CVE-2020-3911: found by OSS-Fuzz
libxml2
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: Multiple issues in libxml2
Description: A buffer overflow was addressed with improved size validation.
CVE-2020-3910: LGTM.com
Mail
Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.3
Impact: A remote attacker may be able to cause arbitrary javascript code execution
Description: An injection issue was addressed with improved validation.
CVE-2020-3884: Apple
sudo
Available for: macOS Catalina 10.15.3
Impact: An attacker may be able to run commands as a non-existent user
Description: This issue was addressed by updating to sudo version 1.8.31.
CVE-2019-19232
TCC
Available for: macOS Mojave 10.14.6, macOS Catalina 10.15.3
Impact: A maliciously crafted application may be able to bypass code signing enforcement
Description: A logic issue was addressed with improved restrictions.
CVE-2020-3906: Patrick Wardle of Jamf
Time Machine
Available for: macOS Catalina 10.15.3
Impact: A local user may be able to read arbitrary files
Description: A logic issue was addressed with improved state management.
CVE-2020-3889: Lasse Trolle Borup of Danish Cyber Defence
Vim
Available for: macOS Catalina 10.15.3
Impact: Multiple issues in Vim
Description: Multiple issues were addressed by updating to version 8.1.1850.
This worked for some users but stopped working early in 2017. It’s possible that Apple disabled the old way with a firmware update.
The old command was
sudo nvram BootAudio=%01
The new command is
sudo nvram StartupMute=%00
BONG!!!!!!!!
I can’t believe it. You have to understand the emotions of a true Mac fan hearing a brand new 16″ MacBook Pro producing the startup chime. The startup chime is something that has been around since 1984. To say the chime is iconic, would be an understatement to any Mac Fan.
I tested this on at least 5 different MacBook Pro’s with different BridgeOS and T1 firmware versions.
I did find a difference, the T1 Macs have the same sound as the 2017 Macbook Air and 2016 Macbook. (The final Mac Laptops to have the sound enabled by default). The T2 sound is different, it sounds a little deeper.
I would love to find out this was a hidden easter egg for 4 years!
Was this nvram value recently added? Was it hidden in plain sight for almost 4 years? I would really like to find out. The first sighting of this seems to be a Reddit Thread from 2/20/20.
Mac models from early 2016 and earlier make a chime sound when they start up. Mac models from late 2016 and newer don’t have a startup chime, with the exception of MacBook Air (13-inch, 2017).
The 10.15.3 Update Erases almost all of the log files in /var/log – System, Custom & Vendor Logs
The 10.15.3-10.15.6 Update Erases Almost all /var/log files
UPDATE: 09/01/20 – The problem is still in the latest build of 10.15.6.
Think about the last time that you had an issue and needed to troubleshoot. Right off the bat, you would start looking over the logs to pinpoint the exact point of failure. After installing the Catalina 10.15.3 Update, it’s going to be a little harder to do that. Almost all of the /var/log files have been erased and start over from the minute after the 10.15.3 update finished installing.
10.15.3 Update Problems
This is my 4th article on 10.15.3 Combo Update issues. If you have not seen them yet, you can view them below.
All log files have the exact “Created” date and time when the 10.15.3 combo update was installing.
Almost all /var/log files erased and have the same “Created time”. The install.log was spared.
What can I do about this?
Let Apple know about this! Hopefully this can be fixed in 10.15.4!
Until then you probably want your log files. The best thing you can do for now is to run a Jamf policy that will back up your /var/log files. We install our updates with a Jamf policy.
Right before we kick off softwareupdate -iaR, we back up all /var/log files to a temporary directory. We put them back with a LaunchDaemon that kicks off after the combo update reboot.
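A sketch of that backup-and-restore flow, added here as an example and not the Jamf policy or LaunchDaemon script used by the author. The backup location, the manifest file names and the .preupdate suffix are assumptions; the restore step keeps any log the update has already recreated and places the old copy next to it.

```shell
#!/bin/sh
# Added example: preserve /var/log across an update that wipes it.
# BACKUP_DIR is a hypothetical location, not a path from the article.
LOG_DIR="${LOG_DIR:-/var/log}"
BACKUP_DIR="${BACKUP_DIR:-/private/var/tmp/pre-update-logs}"

# Stage 1: run immediately before `softwareupdate -iaR`.
backup_logs() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "log dir not found: $src" >&2; return 1; }
    # Never overwrite an earlier backup: it may be the only pre-update copy.
    [ ! -e "$dest" ] || { echo "backup already exists: $dest" >&2; return 1; }
    # Logs can hold usernames, hostnames and tokens: keep the copy owner-only.
    ( umask 077 && mkdir -p "$dest/files" ) || return 1
    # -R copies the tree without following symlinks, -p keeps mode and times.
    cp -Rp "$src"/. "$dest/files"/ || return 1
    # The manifest lists regular files only, as paths relative to the log dir.
    # File names containing newlines are not supported.
    ( cd "$dest/files" && find . -type f | sed 's|^\./||' | sort ) \
        > "$dest/manifest.txt"
}

# Stage 2: what the LaunchDaemon would run after the post-update reboot.
restore_logs() {
    backup="$1"; dest="$2"
    [ -f "$backup/manifest.txt" ] || {
        echo "nothing to restore in $backup" >&2; return 1; }
    while IFS= read -r rel; do
        from="$backup/files/$rel"; to="$dest/$rel"
        mkdir -p "$(dirname "$to")" || return 1
        if [ -e "$to" ]; then
            # The update already started a fresh log with this name.
            # Keep it and put the old content beside it.
            cp -p "$from" "$to.preupdate" || return 1
        else
            cp -p "$from" "$to" || return 1
        fi
    done < "$backup/manifest.txt"
    # Mark the backup as consumed so a daemon that fires on every boot
    # does not restore the same files twice.
    mv "$backup/manifest.txt" "$backup/manifest.restored"
}

# Usage: script.sh backup   (before the update)
#        script.sh restore  (from the LaunchDaemon after reboot)
case "${1:-}" in
    backup)  backup_logs  "$LOG_DIR" "$BACKUP_DIR" ;;
    restore) restore_logs "$BACKUP_DIR" "$LOG_DIR" ;;
esac
```

Both stages need root on a real Mac, and the backup directory should be removed once the restored logs have been checked.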
I hope that these articles have helped you! If you have any questions, leave a comment below or Contact Me.
10.15.3 Combo & Security Updates are no Longer Creating Restore Snapshots + 10.15.3 Update Deletes All Previous tmutil localsnapshots /
The 10.15.3 Combo & Security Update Automatic Backup Snapshots are no Longer Created.
UPDATE: 5/15/20 – A few questions came up on MacAdmins Slack about the current state of Automatic Snapshots today. To clarify, the following is now true.
Automatic Update Snapshots are no longer automatically created during the 10.15.3+ Combo Update but ARE for 10.14 & 10.13 Security Updates
The 10.15.3+ Combo Update REMOVES previous manual localsnapshots.
10.14 & 10.13 Security Updates do NOT remove previous manual snapshots.
Automatic Snapshots were never taken during an OS Upgrade.
UPDATE: 4/24/20 – Apple has removed the “Restore from snapshot” feature description from apple.com/macos/catalina/features! This means that the feature is no longer available in Catalina. I really hope Apple can fix this.
The APFS Update Automatic Snapshot was a new option offered when Apple released APFS in macOS 10.13 High Sierra. If you were worried about something going wrong after installing a macOS Combo or Security update, you could always fall back to a backup taken right before the update. The process was automatic and was performed by the Combo Update and Security Update Installer. To restore, all you needed to do was boot to the recovery partition and restore to a tmutil localsnapshot / taken right before the update.
NOTE: you only have 24 hours to restore or the snapshot is automatically deleted.
Automatic Update Backup Snapshots are no Longer Working.
Something happened in the latest set of Apple updates released on January 28th. The Automatic Backup Snapshots are no longer working!!! At first, I thought it only happened on the 10.15.3 Combo update. I then checked the 2020-001 Security Update on High Sierra and it’s not working either!
I found this out while I was writing another article on Catalina Logs. I built a 10.15.2 device and updated it to 10.15.3. I booted to recovery to restore from the automatic snapshot only to find that it was missing!
Manual tmutil localsnapshots are deleted during the 10.15.3 Update installation!
Ok, what would happen if I created a manual snapshot before the update? If the automatic snapshot is not working, I could get by with just creating one right before I install the 10.15.3 combo update.
Manual tmutil localsnapshot / created before the 10.15.3 combo update.
After installing the 10.15.3 Combo Update, I booted back into Recovery only to find that the manual tmutil localsnapshot / that I created was gone!!!
What should happen after the update.
Below is what you should see if you booted to recovery after a combo or security update. The below example is a backup snapshot taken by the 10.14.2 Combo Update.
This is what you should see if you booted to recovery after a combo or security update. (within 24 hours after the update install)
Let’s take a look at the logs
What do the logs say? Well first I would like to see what a successful snapshot says. Searching the install.log, I found exactly what I was looking for.
That is just what I’m looking for. The automatic snapshot was taken right before the installation.
Let’s take a closer look to see what’s happening during the 10.15.3 combo update install. Looking at the install.log again, I found this entry.
The 10.15.3 Combo Update purging snapshots.
There it is, the Installer is purging available snapshots on /Volumes/Macintosh HD. The 10.15.3 install.log does not contain any of the log items like the one from 10.14.
The good news is that the (2020-001) 10.14 and 10.13 Security Update installers do NOT purge your manual tmutil localsnapshots.
What’s going on, is this a bug?
I am not totally sure what’s going on here. If I had to guess, this is a bug. I wanted to let you know about this. The last thing you want to do is rely on that automatic backup snapshot only to find out it was never created.
Either way, please let Apple know about this!
If you have any questions or comments please Contact Me or leave a note below. Thanks!
If you set custom /etc/pam.d or sshd_config settings be sure to reapply them after the 10.15.3 update!
If you use custom pam.d or sshd_config settings, you will need to apply them again after the 10.15.3 Update.
Apple allows us to set multiple custom settings using pam.d configuration files. We can use pam.d configuration files to set different options for sudo, login, su, screensaver & Smart Card.
The following are a few examples of what you would set in the pam.d configuration files.
/etc/pam.d/screensaver = Set the screensaver window to allow the local admin to get past the Mobile Account password lock.
/etc/pam.d/sudo = Enable smart card-only for the sudo command.
/etc/pam.d/sudo = Enable Touch ID for the SUDO command
/etc/pam.d/su = Enable smart card-only for the SU command
/etc/pam.d/login = Enable smart card-only for the LOGIN command
Custom /etc/ssh/sshd_config Settings
The same goes for the /etc/ssh/sshd_config file. This file can be used to set custom ssh settings.
Set SSH Banner File (so ssh users see a banner warning message)
SSH HostKey Settings
SSH Logging
SSH Authentication
Kerberos Options
PAM Authentication
In comes the Catalina 10.15.3 Update, only to revert everything!
I started noticing reports of pam.d and sshd_config settings getting reverted back about a day after the 10.15.3 update went live.
For those who’ve modified /etc/pam.d/sudo to enable Touch ID for sudo auth, looks like 10.15.3 reverted this to stock.
MacAdmins user markcohen – 01/30/20
Other MacAdmins started to check and confirmed the same thing. Some of the specific settings revolved around Smart Card controls. Apple explains the Smart Card settings in the document below.
Allen Golbig then noted that the same thing happened to the /etc/ssh/sshd_config file!
Is it normal for /etc/ssh/sshd_config to revert during point updates?
MacAdmins user golby – 01/31/20
The test and verification
When reporting issues like this, it’s important to verify the problem as much as possible. For this test, I built out a fresh copy of 10.15.2. I then edited the following files.
/etc/pam.d/su
/etc/pam.d/sudo
/etc/pam.d/login
/etc/pam.d/screensaver
/etc/ssh/sshd_config
I modified the files using pico and set some of the Apple recommended settings. I noted the modification date of all the files and tested to make sure the modifications worked.
I then used softwareupdate to install the 10.15.3 update.
Results
Sure enough, after the 10.15.3 update was finished, I checked the files and all 5 of them were reset back to the original modification date of
Nov 9 2019 at 4:xx AM
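The same verification can be automated so a reverted file is caught and put back after every update. This is an added example, not the author's test procedure; the GOLDEN and VENDOR directories are hypothetical, and comparing file content (rather than modification dates) is this example's choice.

```shell
#!/bin/sh
# Added example: detect and undo reverted PAM / sshd settings after an update.
# GOLDEN and VENDOR are hypothetical directories; ROOT="" means the live system.
ROOT="${ROOT:-}"
GOLDEN="${GOLDEN:-/usr/local/etc/golden-config}"
VENDOR="${VENDOR:-/usr/local/etc/vendor-config}"
# The five files edited in the test above, relative to /.
FILES="etc/pam.d/su etc/pam.d/sudo etc/pam.d/login etc/pam.d/screensaver etc/ssh/sshd_config"

# Before the update: save the customized files as the known-good baseline.
snapshot_configs() {
    for f in $FILES; do
        [ -f "$ROOT/$f" ] || continue
        mkdir -p "$GOLDEN/$(dirname "$f")" || return 1
        cp -p "$ROOT/$f" "$GOLDEN/$f" || return 1
    done
}

# After the update: print every file whose content no longer matches.
drifted_configs() {
    for f in $FILES; do
        [ -f "$GOLDEN/$f" ] || continue
        cmp -s "$GOLDEN/$f" "$ROOT/$f" || echo "/$f"
    done
}

# Put the baseline back. The file the update installed is kept under
# VENDOR so new stock defaults can be diffed and merged into the baseline.
reapply_configs() {
    drifted_configs | while IFS= read -r f; do
        mkdir -p "$VENDOR$(dirname "$f")" || exit 1
        [ ! -f "$ROOT$f" ] || cp -p "$ROOT$f" "$VENDOR$f" || exit 1
        cp -p "$GOLDEN$f" "$ROOT$f" || exit 1
    done
}

case "${1:-}" in
    snapshot) snapshot_configs ;;
    check)    drifted_configs ;;
    reapply)  reapply_configs ;;
esac
```

Review the copies saved under VENDOR before trusting the baseline long term, since an update may ship stock changes you want to keep.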
This problem may not be “New”
I noted in my previous article that some of the pam.d files were reverted back to stock on twitter. A few users noted that this issue is not new and has happened in previous updates. I can’t verify if this is true right now but would like to hear from you if you noticed this.
I hope Apple will fix the update process so it will not revert our custom settings.
If you have noticed other custom settings that were reverted by the latest Catalina update, let me know below!
Have you noticed anything new that is fixed or broken in the new update? Let me know!
Active Directory Domain Admin Access Removed!
This issue was first reported in the MacAdmins Slack a few hours after the 10.15.3 update was released.
I just installed the 10.15.3 update and now I can’t admin elevate using an AD domain account. This was working this morning pre-update and nothing has changed on the AD domain.
The domain account is in a security group that is set in Directory Utility > Active Directory as allowing administration. I can authenticate with the account successfully in Terminal using su, it’s just the admin rights that are broken.
MacAdmin User aaron
A few other users started to report the same issue after Aaron did.
Let’s Examine the issue.
The issue will most likely be reported by a user who says this…
I updated to 10.15.3 and when I use sudo I get this error.
User is not in the sudoers file. This incident will be reported.
Reported to who? Am I in trouble now???
User
Let’s check to see if Active Directory Group “Domain Admins” has admin access on your Mac.
/usr/sbin/dsconfigad -show
This command will give you a list of all your Active Directory Settings.
The screenshot below is what you will see AFTER the 10.15.3 Update.
The Domain Users group was removed and is now “not set”
This is what you SHOULD see.
This is what you SHOULD see, Allowed admin groups = domain admins.
Quick and easy command to show just the Allowed admin groups value.
HT goes out to Eric Holtam (@eholtam) for the command!
You could still have the issue even if “Allowed admin groups” shows domain admins.
In one of my tests to confirm this issue after the 10.15.3 update finished, I still had the domain admins group but my admin access did not work.
Do you use a custom Active Directory Admin Global Group?
What if you use a custom AD group like “Pretendo_Admins”?
You can have the same issue.
I did not have this issue after updating
Did you use a profile to bind? This is one example that I was unable to test.
Was the Mac connected to your directory for a few hours to 1 day? See Fix #3 below, it’s possible that the AD connector refreshed your information.
How can I fix this Problem?
The issue can be fixed in 3 ways.
Re-Bind to Active Directory
Run dsconfigad to set the group access again
WAIT – It was reported that the issue is fixed automatically after the Mac is left online for a certain amount of time. The configuration is refreshed. – Thanks to MacAdmins user awickert for testing this out.
To reset the domain group setting run this command.
dsconfigad -groups "DOMAIN\domain admins"
NOTE: If you use a custom AD Global group for admin access you need to replace domain admins with your custom group.
dsconfigad -groups "DOMAIN\Pretendo_Admins"
You can now run dsconfigad -show, then check the Allowed admin groups value. It should say domain admins or your custom group.
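A scripted version of that check, suitable for a post-update compliance policy. This is an added example, not one of the commands credited in this article: SAMPLE is constructed output, and the comma-separated list and DOMAIN\ prefix handling are assumptions. As noted above, a correct value here does not prove that admin rights actually work.

```shell
#!/bin/sh
# Added example: check the AD admin-group setting after an update.
# SAMPLE is constructed output; the "key = value" layout follows the
# "Allowed admin groups = domain admins" value shown in the article.
SAMPLE='Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set'

# Print the "Allowed admin groups" value from `dsconfigad -show` text on stdin.
allowed_admin_groups() {
    sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Lower-case a group name, drop any DOMAIN\ prefix and surrounding spaces.
norm() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/^.*\\//; s/^ *//; s/ *$//'
}

# Exit 0 only if every expected group (comma-separated, $1) appears in the
# configured list read from stdin. "not set" or a missing line fails.
admin_groups_ok() {
    current=$(allowed_admin_groups)
    [ -n "$current" ] && [ "$current" != "not set" ] || return 1
    old_ifs=$IFS; IFS=,
    for want in $1; do
        hit=no
        for have in $current; do
            [ "$(norm "$have")" != "$(norm "$want")" ] || hit=yes
        done
        [ "$hit" = yes ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Usage on a bound Mac (needs the real tool):
#   dsconfigad -show | admin_groups_ok 'DOMAIN\Pretendo_Admins' || echo "admin group missing"
```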
You can also run this command to double verify the user now has admin access. (Thank you to a well known MacAdmins wizard for this command)
MacOS Security Updates – Mojave 2020-001, High Sierra 2020-001 & Safari 13.0.5
On January 28th, Apple released macOS Mojave Security Update 2020-001 and High Sierra Security Update 2020-001. Below you will find Build Versions, Download Links, Update Sizes and previous Security Update Links. MacOS Sierra is no longer supported.
How do I keep track of all the macOS Build Versions?
I document all of the macOS Build Versions like the latest Mojave 2020-001 and High Sierra 2020-001 along with most Apple Applications, XProtect, Gatekeeper and MRT updates in one database. You can check out the link below.
HT goes out to Dan Kuehling, for the Mojave Security Update Build Version! HT goes out to Nicolas Aragone, Ian Trimnell & Joost-Wim for sending over the Security Update Download Links!
MacOS High Sierra Security Update 2020-001 (17G11023)
10.13.6 High Sierra Security Update 2020-001 (17G11023)