Security Update 2015-002

H3144-IT
Contributor II

Apple addresses 'FREAK' attack in latest OS X Security Update.

Alongside Issues in the Components: iCloud-Keychain, IOAcceleratorFamily, IOSurface and the OS X Kernel according to Apple.

Security Update 2015-002 Yosemite (Early 2015 Mac) - https://support.apple.com/downloads/DL1795/en_US/SecUpd2015-002YosemiteEarly2015Mac.dmg

Security Update 2015-002 Yosemite - https://support.apple.com/downloads/DL1796/en_US/SecUpd2015-002Yosemite.dmg

Security Update 2015-002 Mavericks -
https://support.apple.com/downloads/DL1797/en_US/SecUpd2015-002Mavericks.dmg

Security Update 2015-002 Mountain Lion -
https://support.apple.com/downloads/DL1798/en_US/SecUpd2015-002MtLion.dmg

27 REPLIES 27

CasperSally
Valued Contributor II

@H3144-IT

Thanks for posting the links for the individual OSs. I'm definitely appreciating Apple has more often than not over the last year released security updates that are <100MB versus waiting and rolling them up into some big OS point upgrade. Makes it much more feasible for us to push out. Now to try to see if I can get the Mavericks one working on 10.9.4

Josh_Smith
Contributor III

Thanks for the links. I see there are two 10.10 updates....is Yosemite forked now? I'm thinking the "Early2015" version is just for the hardware that was announced yesterday, does that sound right? (I think only the Airs and 13" Pros are available for purchase as of today)

elliotjordan
Contributor III

It's notable that this update, like the previous few security updates, require you to be on the latest version of whatever OS you have: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, or OS X Yosemite v10.10.2.

DraconicBlue
New Contributor III

As an FYI, it is updating the build number for the OS:

10.8.5 is upgraded to 12F2501
10.9.5 is upgraded to 13F1066
10.10.2 is upgraded to 14C1510

carmand
New Contributor

@JRossA Thank you! was looking for this.

sardesm
New Contributor III

Anyone know if these can be applied to lesser versions i.e 10.8.3 or 10.9.4?

DraconicBlue
New Contributor III

As listed above, it does require each OS to be at the latest version.

nessts
Valued Contributor II

and one would wonder why you are worried about security update 2015.002 when you have not applied any of the most recent security updates to your old clients, you had to be at .5 for both 10.8 and 9 to apply the super scary bash update, or any of last years security updates to my recollection.

jwojda
Valued Contributor II

anybody check the boots to 50% error with this new build revision?

CasperSally
Valued Contributor II

@nessts - in some environments, it isn't practical to push/install updates that are over a gig. I installed the bash update and a few others without being 10.9.5.

sardesm
New Contributor III

Worried because of the following. I am new to this environment and have inherited a mixed environment. I am currently working on getting everyone up to standards and I only got licensed to use casper in this environment 2 weeks ago. Answered your question?

rtrouton
Release Candidate Programs Tester

nessts
Valued Contributor II

well step one is to update them to the latest update that is available for each OS as they each have their own set of security updates embedded in them. then worry about the latter. @CasperSally you either worry about security updates or you worry about network speed and stability i suppose. I just find it ironic to worry about today's security update when you a machine is at a state that is more than a year and a half behind on security updates. Not trying to start a war. Just bringing up the inconsistency in my eyes.

And there are good reasons to stay not updated, the more updated my machines get the more unstable they seem to get, the boot stuck at 50% thing, random system freezes after the security update that was released in October, that go away with 10.10.2 but then some machines and users get the 50% boot stuck thing, why not all of them. Anyway until Apple focuses on stabilizing the OS and not on making a thinner laptop with fewer ports and slower processors and memory so it can have a longer battery life we will have to make those choices I guess.

elliotjordan
Contributor III

@sardesm Depending on the client, I often deploy a set of policies that prompt people to update only if they have certain updates available that the IT department has deemed "critical." For example 10.8.5, 10.9.5, or 2015-002.

Smart groups collect the computers for which these critical updates are available, and a policy uses the jamfHelper to prompt the owner to either install now or defer for a day. People are given 3 deferrals before the updates are forced. (There are a few good JAMF Nation threads containing script snippets that can be used to accomplish this.)

In this way, we can make sure our Macs have the important updates, while leaving it up to the owner to install the unimportant updates at their discretion.

CasperSally
Valued Contributor II

@nessts - For us, it's about having thousands of laptops in students hands where they open and close lids all day long. We would get a ton of JSS network related errors pushing something that big, but we could cache it for install later. Unfortunately, I can't trust a 2nd (or 10th) grader to wait for even a cached OS upgrade to properly install on a 3.5 year old white macbook, for example.

Our machines are imaged to latest OS once a year, 10.9.4 was released June 30th, so we're never a year and a half stale. We push the smaller updates (like bash and NTP) where we can. They didn't really require the latest, just a flag they looked for during install. This update is more complicated so still looking at it.

Ideally we'd be latest security wise. I too wish Apple would to forgo the thinner laptop with fewer ports and work on stability of OS and also instead make all security update separate from OS updates and small (i.e. microsoft model), but that'll never happen. Their way or the highway.

nessts
Valued Contributor II

I do the same thing with one account where people open and close laptops all day long, and yes there are caching errors, but they get them eventually. As I said it depends on your priority.

sardesm
New Contributor III

@nessts I have been a casper admin twice certified for over 5 years and don't need advice on how to get my machines up to standards. I was just asking if it was confirmed the latest updates needed those revisions. Having found that out, i will proceed as i have been on getting all the machines in my environment up to date.

Thanks for the info.

donmontalvo
Esteemed Contributor III

@nessts was being helpful, this one seems like a curve ball, since the update doesn't show on all Macs.

@John.Smith asked:

is Yosemite forked now?

@magarvalp tweet:

Build less than 14C2043 is checked inside https://t.co/Nz36jf4Jet . Forked 10.10.2 builds coming for new macs. #macadmin
--
https://donmontalvo.com

sardesm
New Contributor III

Someone in another post had mentioned a way to script Jamf helper to allow reboot deferments, anyone know where that thread is?

sardesm
New Contributor III

think i found it.

https://jamfnation.jamfsoftware.com/discussion.html?id=5404

elliotjordan
Contributor III

@sardesm That's pretty close to what we're doing. The main difference is we're using defaults write instead of writing to a text file. That way we can save a bunch of useful information in the same plist.

bentoms
Release Candidate Programs Tester

FWIW, you may want to hide the /mach_kernel file on 10.8.5 & 10.9.5 post this update on clients to keep them booting.

Myself & @rtrouton have blog posts on 2 different ways to do this via the JSS.

Mine can be found here. & contains a link to Rich's post, as well as @timsutton's post explaining it.

jimmy-swings
Contributor II

@elliotjordan - you mentioned that you use

Smart groups collect the computers for which these critical updates are available, and a policy uses the jamfHelper to prompt the owner to either install now or defer for a day. People are given 3 deferrals before the updates are forced. (There are a few good JAMF Nation threads containing script snippets that can be used to accomplish this.)

Are you able to post your criteria or the threads to help create these groups. At the moment I'm populating a smart group based on the information available in the output from the terminal command: /usr/sbin/system_profiler SPInstallHistoryDataType

Thanks, James

elliotjordan
Contributor III

HI @jazzyj,

Sure, here are the smart groups I've been using effectively for the generic OS updates:

  • Critical update needed: Mac OS X 10.9.5:
    • Operating System like 10.9
    • and Operating System is not 10.9.5
  • Critical update needed: Mac OS X 10.10.5:
    • Operating System like 10.10
    • and Operating System is not 10.10.5
  • Critical update needed: Mac OS X 10.11.4:
    • Operating System like 10.11
    • and Operating System is not 10.11.4

And here's an example for a security update that, when installed, increments the OS build number. The build numbers listed below are for 10.8.5 and 10.9.5 without the security update applied:

  • Critical update needed: Security Update 2015-002:
    • Operating System is 12F45
    • or Operating System is 13F34

And here's a more complex smart group for a security upgrade that doesn't increment the OS build number. We need to refer to installed receipts for this:

  • Critical update needed: Security Update 2015-001 for Mavericks:
    • Operating System like 10.9
    • and Packages Installed By Installer.app/SWU does not have com.apple.pkg.update.security.10.9.5.13F1056.2015.001

Hope that helps.

donmontalvo
Esteemed Contributor III

Over time we've come up with a stack of Smart Computer Groups that have become Lego Blocks for policies. They come in handy for scoping, as well as exclusions. The first one was easy. Subsequent ones were cloned and edited.

82ea05ca03cf4f1a9efd58ad1eb177f6

--
https://donmontalvo.com

sean
Valued Contributor

@elliotjordan That seems like a lot of work which will require updating overtime with each new update, which Apple are already handling for you.

Apple has this logic built into the installer (and there were 3 different installers for 2015-002). The Software Update mechanism will choose the correct one for you. Using 2015-002 as an example:

$ cat 031-17121.English.dist | grep "system.compareVersions"
    if (system.compareVersions(system.version.ProductVersion, '10.9') &lt; 0 || system.compareVersions(system.version.ProductVersion, '10.10') &gt;= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.9') &lt; 0 || system.compareVersions(my.target.systemVersion.ProductVersion, '10.10') &gt;= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.9.5') &lt; 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.9.5') &gt; 0) {
    if (system.compareVersions(plistKeyValue, '13F34') &gt; 0) {
    if (system.compareVersions(plistKeyValue, '13F34') &lt; 0) {

$ cat 031-18424.English.dist | grep "system.compareVersions"
    return system.compareVersions(lhsMatch.slice(1).join(","), rhsMatch.slice(1).join(","));
    if (system.compareVersions(system.version.ProductVersion, '10.10') &lt; 0 || system.compareVersions(system.version.ProductVersion, '10.11') &gt;= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.10') &lt; 0 || system.compareVersions(my.target.systemVersion.ProductVersion, '10.11') &gt;= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.10.2') &lt; 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.10.2') &gt; 0) {
    if (system.compareVersions(plistKeyValue, '14C2000') &gt;= 0) {
    if (system.compareVersions(plistKeyValue, '14C1000') &gt;= 0) {

$ cat 031-17115.English.dist  | grep "system.compareVersions"
    if (system.compareVersions(system.version.ProductVersion, '10.8') &lt; 0 || system.compareVersions(system.version.ProductVersion, '10.9') >= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.8') &lt; 0 || system.compareVersions(my.target.systemVersion.ProductVersion, '10.9') >= 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.8.5') &lt; 0) {
    if (!hasOS || system.compareVersions(my.target.systemVersion.ProductVersion, '10.8.5') > 0) {

If you want to know if there is an update available, run software update with the list option and then read the plist back.

$ softwareupdate -l
$ defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist RecommendedUpdates

There is some talk on this in post Jamfnation #19323

If you want to know if updates are installed

$ grep "Security Update 2016-002" /Library/Receipts/InstallHistory.plist
        <string>Security Update 2016-002</string>

The final logic would be that if softwareupdate didn't return anything and it isn't in the install history, either you've forgotten to enable the update on your internal update server (if you have one) or the current OS does not think it requires the update based on Apple's logic.

elliotjordan
Contributor III

It does seem like a lot of work, doesn't it? Won't it be nice when we can do a simple "Operating System is less than 10.11.4"?