Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Security Update 2017-001 (Sierra) and Security Update 2017-004 (El Capitan)

Apple has released Security Update 2017-001 macOS Sierra and Security Update 2017-004 OS X v10.11.6 El Capitan, patching security vulnerabilities that the company addressed in macOS 10.13.1 High Sierra (see “macOS 10.13.1 High Sierra Offers Minor Fixes and More Emoji,” 1 November 2017), as well as many other vulnerabilities in the two older operating systems. The security updates include fixes for the KRACK exploits (see “Wi-Fi Security Flaw Not As Bad As It’s KRACKed Up To Be,” 17 October 2017), patch multiple memory corruption issues that could lead to arbitrary code execution with kernel privileges, improve input sanitization to prevent an application from reading restricted memory, address multiple issues in Apache, and more. Apple recommends these updates for all users. (Free. For 10.12.6 Sierra, 768.3 MB; for 10.11.6 El Capitan, 853.6 MB; security content release notes)

 

 

Comments about Security Update 2017-001 (Sierra) and Security Update 2017-004 (El Capitan)

Andreas Frick  2017-11-02 04:17
Keychain can still be hacked! The problem was fixed only in High Sierra.
Reply
Lester  2017-11-02 14:00
Hi everybody,

Today I installed Security Update 2017-004 on 10.11.6. I didn't read carefully about this update's content as I usually do, and I hadn't realized it was a critical one. My mid-2010 MBP 13" rebooted to install the update, then my heart missed a beat because the sleep light indicator began flashing and I heard a long tone (like when an EFI ROM update is in progress and you hold down the power button?). The Apple logo reappeared with a progress bar, but both looked old-fashioned compared to El Capitan. At last the computer rebooted and I landed at the login window. Everything seems to work and the Boot ROM version is the same. Did other users have the same unpleasant experience? Thanks.
Reply
Jean-Pierre SMITH  2017-11-03 17:26
Thanks. I did not know a security update existed for Sierra. It does not show on my Mac and I needed to search "security update for macOS Sierra" to find it.
Strange...
Reply
Clemens  2017-11-05 10:52
Same here with my MacBook Pro 13" early 2011, macOS 10.12.6 (Security Update 2017-001). I was confused about the long tone too! But everything is running fine now!
Reply
Lester  2017-11-05 12:15
Thank you for the feedback! I was somewhat worried. BTW, my Boot ROM now seems to be back to the previous version according to System Information, even though the last update's .scap file is present in /System/Library/CoreServices/Firmware Updates.
Anyway Apple can't do such things without a single warning. I was utterly bewildered.
Reply
Jean-Pierre SMITH  2017-11-03 17:26
Is there a method to protect my iPhone 5c against KRACK? Is the iPhone 5c vulnerable to it?
Reply
The traffic between your iPhone and the base station can be secured if the base station is updated. Unfortunately, so far Apple has not released new firmware for any of its base stations to protect users against KRACK exploits.

The only version of iOS Apple has so far updated for KRACK is 11.1. Since the last iOS your iPhone 5c can run is 10.3.3 you cannot secure your device on the client end.

It appears you are stuck.

The fact that Apple has so far shown no interest in updating older hardware (just for the record: the 5c was sold until just two years ago) is surprisingly arrogant. Unless they know for a fact that these devices are not vulnerable (they have so far made no such mention), IMHO they owe their customers these security updates. We're waiting, Tim.
Reply
Chuck Kottka  2017-11-05 19:05
I have an older 2008 Mac Pro that still runs like a dream. I'm stuck on El Capitan unless I want to run a patch, which I'll avoid until I need it. This update made my main User Account inaccessible... It booted to the login screen, and my Admin account and family's accounts work fine, but mine would just sit and spin (for at least 2 days). This happened once before, with Security Update 2016-003. After using the band-aid of restoring from a Time Machine backup, I eventually re-created a new account, and eventually got everything on the old one erased. The only thing I can think of that is special about this account (other than the fact that I use it all of the time) is that I set up Symbolic Links to the main User folders (Documents, Photos, Downloads, Music) to a second hard drive, because my boot SSD is only 120 GB. Any other news about Security Updates vs. Symbolic Links?
Reply
Does anyone have an Office 2016 activation problem after this security update, or is it just me?
Reply
Shippee Arthur   2017-11-09 19:59
I just installed the 2017-001 security patch, had to log in again, but now have trouble with Mail.

Out-going emails get into a loop and won't send. Only fix so far is restarting.

Running Sierra 10.12.6
Reply
I'm having the same problem after installing the update. I haven't been able to solve the problem.
Reply
Lester  2017-11-11 11:42
Did you try the workaround reported here?
https://discussions.apple.com/thread/8156365
Reply
Terry Duffy  2017-11-12 18:57
I fixed it by reinstalling the operating system. I have not reinstalled the update and won't until a fix comes out.
Reply
Terry Duffy  2017-11-12 18:53
2017-001 update caused my outgoing Mail to go into a loop. Had to reinstall operating system to stop it. Will not reinstall update until it is fixed.
Reply