Monday, September 13, 2021

macOS 11.6

Juli Clover:

According to Apple’s release notes, macOS Big Sur improves the security of macOS and is recommended for all users. Apple has also released security update 2021-005 for macOS Catalina, and both updates address an issue that could allow a maliciously crafted PDF to execute code. Apple says that it is aware of a report that this bug may have been actively exploited.

It’s unclear why this update isn’t numbered 11.5.3. It was also weird in that the Update Now button was disabled for me in Software Update even though the text said that the update was available. I had to click the text to see the sheet with the list of updates and then click the checkbox next to it before macOS would start downloading the update.


This document describes the security content of macOS Big Sur 11.6.

Howard Oakley:

Congratulations to Mikey @0xmachos, who has worked out that the PDF vulnerability is most probably the same as the Megalodon/FORCEDENTRY iMessage zero click exploit, involving a bug in CoreGraphics decoding JBIG2-encoded data in a PDF file.

See also: Mr. Macintosh (tweet).


Update (2021-09-14): Howard Oakley:

Software which has changed version or build numbers between macOS 11.5.2 and 11.6 includes[…]


Although it does contain some minor fixes – that to SMB looks of potential interest – the 11.6 update is primarily a security update.


If you’re still running Mojave, this almost certainly means that your macOS is no longer supported by Apple, and may well be vulnerable to either or both of these bugs.

The standalone download is still not available.

Update (2021-09-17): Mr. Macintosh:

The macOS Big Sur 11.6 full installer is now available. 🎉

Update (2021-10-19): Howard Oakley:

One great advantage of the new sealed system in Big Sur is that failed updates should be a thing of the past. Updating should now be almost totally reliable, and in the rare cases where something does go wrong, that Mac should be returned to its pre-update state or Recovery, ready to try again. It has been widely assumed that the primary purpose of Big Sur’s sealed system volume is for its improved security. Although that’s clearly important, improved reliability of updates and assurance of the total integrity of the system affect far more users directly.

So far the big disadvantage of the new update mechanism required to accomplish this has been the size of updates. Each has brought an overhead of around 2.1 GB on Intel Macs and 3 GB on M1 models.


In a year’s time, when Big Sur has reached 11.6.5, for example, how will a user be able to install or reinstall that on their Mac? Will they have to download and run the 11.6 full installer app, then use Software Update to obtain and install a single Combo update to bring that up to 11.6.5, or will they have to plod painfully through each individual delta update starting from 11.6.1 and ending with that to 11.6.5?

6 Comments RSS · Twitter

Kevin Schumacher

> It’s unclear why this update isn’t numbered 11.5.3

Perhaps to make people more likely to install it sooner rather than later? Without reading anything more about it, would you think 11.5.3 or 11.6 is more important?

I'm not saying their versioning system makes sense anymore at all (why are we are on watchOS x.6, but every other iOS update is on x.7? [well, now x.8 for iPhone/iPad]), but that would be the only logic I can find in it.

@ Kevin: as a dev, it has the opposite effect on me. I expect 11.x to have more drastic changes than 11.5.x, so I’m more hesitant to install it.

My guess is they’ve rolled it into a more major architectural change (new kernel version?); perhaps it was difficult to backport.

Big Sur not showing on my System Pref.
Apple store still showing 11.5..2 for download

@Kevin Interesting question. To me, 11.5.3 implies a security update (important and unlikely to cause problems for me) while 11.6 implies a feature update (maybe should hold off for a while to avoid breaking things), but so far it seems this was only a security update.

Kevin Schumacher

@Michael @Sören Yeah from a developer perspective it's bonkers. Just thinking "normies" might think it's more important, but I don't have any data to back that up.

I dont like it either, but I think it is a good strategy and also suggest the severity of the security concern here. Add in a bit of marketing to push for 11.6

Leave a Comment