For patch administrators, it is important to know that Apple Inc. does not publish macOS security and feature updates on a fixed schedule. This is in contrast to Microsoft, which ships its updates on Patch Tuesday.
This creates a problem for macOS administrators: they must check continually whether a patch is available, and in some cases they learn of a patch only after devices in their fleet have already received it.
Patch Notifications
There are two ways you can get notifications about new patches for macOS devices.
Apple has a public security notifications and announcements mailing list you can sign up for. It sends an automatically generated email any time Apple releases a security update for one of its platforms, including macOS, iOS, and tvOS.
You can sign up here; please make sure to review the document before subscribing to the mailing list.
Apple also posts all of its security updates and patches on its Apple Security Releases page. This page provides patch names, patch information, affected devices, and release dates.
The list includes updates and patches for macOS as well as app updates, such as Safari and Boot Camp.
Some release notes list the CVEs a patch fixes, but Apple does not include CVE IDs or severity ratings in the patch metadata itself.
CVEs
As stated previously, Apple Inc. does not include CVEs in the metadata of the patches it releases, which is a pain point for Mac administrators. Automox now includes severity data for native macOS packages. Applications bundled with macOS are updated as part of the OS update, so their fixes are covered by the macOS package's severity data; for example, App Store is updated when you install the macOS update. Third-party macOS packages are not included at this time. See also: Apps included on your Mac.
| Question | Answer |
|---|---|
| What kind of severity data is provided for macOS packages? | Severity is shown only for the CVEs fixed by that specific patch. CVEs fixed by earlier versions are not shown. |
| What if macOS 13.2 is installed but the newest release is 14.2? | The severity shown for the 14.2 package reflects only the CVEs fixed between 14.1 and 14.2. Flaws fixed by the intermediate releases that the device also lacks are not counted, so the displayed severity understates that device's actual exposure. |
| Are there any known limitations? | Severity information comes from the National Vulnerability Database (NVD). Because NVD analysis lags behind Apple's advisories, some CVEs may not yet be mapped to a package when the patch is released, and the true severity of a patch can be misrepresented. For the full list of CVEs a macOS package addresses, refer to Apple Security Releases. |
| How can I remediate macOS vulnerabilities? | Use the By Severity policy to patch devices according to the severity threshold you choose. Alternatively, patch a specific package with the Patch Only policy. |
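The two caveats in the table above (a device several releases behind, and CVEs that NVD has not scored yet) in working form. This is an added example, not Automox's or Apple's code: the release-to-CVE mapping and the CVSS scores below are constructed sample data, and the function and field names are the example's own. It computes the severity a per-patch column shows (CVEs fixed by the newest release alone) next to the cumulative severity a device on an older release actually carries, and lists any CVEs the NVD lag leaves unscored.

```python
"""Compare per-patch vs. cumulative macOS severity and flag NVD-unscored CVEs.

Added example; all data below is constructed and not taken from Apple or NVD.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: macOS release -> CVE IDs its release notes list as fixed.
# Stands in for what you would scrape from the Apple Security Releases page.
RELEASE_FIXES: dict[str, list[str]] = {
    "14.0": ["CVE-2024-00001", "CVE-2024-00002"],
    "14.1": ["CVE-2024-00003"],
    "14.2": ["CVE-2024-00004", "CVE-2024-00005"],
}

# Constructed sample of NVD CVSS v3 base scores. CVE-2024-00005 is left out
# on purpose to model the lag between Apple's advisory and NVD analysis.
NVD_SCORES: dict[str, float] = {
    "CVE-2024-00001": 9.8,
    "CVE-2024-00002": 5.5,
    "CVE-2024-00003": 7.8,
    "CVE-2024-00004": 6.5,
}


def version_key(version: str) -> tuple[int, ...]:
    """Turn '14.2' into (14, 2) so releases sort numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def releases_between(installed: str, target: str, releases) -> list[str]:
    """Releases newer than `installed` up to and including `target`, oldest first."""
    low, high = version_key(installed), version_key(target)
    return sorted(
        (r for r in releases if low < version_key(r) <= high), key=version_key
    )


def severity_label(score: float | None) -> str:
    """CVSS v3.x qualitative rating; None means NVD has not scored the CVE."""
    if score is None:
        return "Unscored"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


@dataclass
class Assessment:
    cves: list[str]           # every CVE considered
    scored: dict[str, float]  # CVEs NVD has a base score for
    unscored: list[str]       # CVEs missing from NVD (the lag caveat)
    max_score: float | None   # worst known score, or None if nothing is scored

    @property
    def label(self) -> str:
        return severity_label(self.max_score)


def assess(cves: list[str], nvd: dict[str, float]) -> Assessment:
    """Roll a CVE list up to its worst NVD score, keeping unscored IDs visible."""
    scored = {c: nvd[c] for c in cves if c in nvd}
    unscored = [c for c in cves if c not in nvd]
    return Assessment(list(cves), scored, unscored, max(scored.values()) if scored else None)


def displayed_severity(target: str, releases=RELEASE_FIXES, nvd=NVD_SCORES) -> Assessment:
    """What a per-patch severity column shows: only CVEs fixed by `target` itself."""
    return assess(releases[target], nvd)


def cumulative_severity(installed: str, target: str, releases=RELEASE_FIXES,
                        nvd=NVD_SCORES) -> Assessment:
    """What a device on `installed` is exposed to: every fix it lacks up to `target`."""
    cves = [c for r in releases_between(installed, target, releases) for c in releases[r]]
    return assess(cves, nvd)


if __name__ == "__main__":
    shown = displayed_severity("14.2")
    actual = cumulative_severity("13.2", "14.2")
    print(f"Shown for the 14.2 patch:    {shown.label} ({shown.max_score}), "
          f"unscored: {shown.unscored}")
    print(f"Actual for a 13.2 device:    {actual.label} ({actual.max_score}), "
          f"unscored: {actual.unscored}")
```

With the sample data, the 14.2 package displays Medium (one scored CVE at 6.5, one unscored), while a device still on 13.2 is missing a 9.8 fixed in 14.0 and is really Critical. In practice, replace the two dictionaries with data pulled from Apple Security Releases and the NVD feed, and treat a non-empty `unscored` list as a reason to read Apple's release notes rather than trust the displayed severity.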