macOS Best Practices: Patch Notifications & CVEs
For patch administrators, be aware that Apple Inc. does not have a consistent patching schedule for when they release macOS security and feature updates. This is in contrast to Microsoft, who provides Patch Tuesday updates.
This can create a problem for macOS administrators, because it requires them to consistently check whether a patch is available for their devices, and in some cases they might learn of a patch later than their fleet does.
Patch Notifications
There are two ways you can get notifications about new patches for macOS devices.
- Apple has a public security notifications and announcements mailing list you can sign up for. This sends an automatically generated email any time that Apple releases a patch for macOS (this includes patches for iOS, tvOS, etc.).
- You can sign up here; please make sure to review the document before subscribing to the mailing list.
- Apple also posts all its security updates and patches here. This page provides patch names, patch information, affected devices, and release dates.
- This list includes updates and patches for macOS and app updates, such as Safari and Bootcamp.
- Some of these updates also include CVEs in the patch notes, although the CVEs and severity are not included in the metadata of these patches.
CVEs
As stated earlier, Apple Inc. does not include CVEs in the metadata of the patches they release. This can be a pain point for Mac administrators. Automox now includes severity data for native macOS packages. However, applications that are included with macOS are updated as part of the OS update; for example, App Store would be updated when you install the macOS update. Third-party macOS packages are not included at this time. See also: Apps included on your Mac.
| Question | Answer |
|---|---|
| What kind of severity data are we providing for macOS packages? | Severity data is shown for CVEs that are specifically fixed by the patch. CVEs fixed by prior versions are not shown. |
| What if I have macOS 13.2 installed, but the newest is 14.2? | The only severity scores shown for this package are those for the CVEs fixed between versions 14.1 and 14.2. |
| Are there any known limitations? | Automox uses the National Vulnerability Database |
| How can I remediate macOS vulnerabilities? | Use the By Severity policy to ensure you're patching devices according to the severity you want to see patched. Alternatively, you can patch a specific package using the Patch Only policy. |
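To make the second FAQ answer concrete, here is an added Python example (not Automox code and not drawn from this page) that models the gap between the severity data shown for the newest macOS package and everything a device on an older version is actually missing. The release history, version numbers and CVE identifiers are constructed placeholders, not real Apple releases or real CVEs.

```python
"""
Models the caveat from the FAQ: the severity data displayed for a macOS
package covers only the CVEs fixed by that specific update (the latest
delta), not every CVE fixed since the version a device actually runs.

All release data below is CONSTRUCTED for illustration. The version
numbers are placeholders and the CVE ids are deliberately non-real.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Version:
    """Minimal major.minor version with tuple ordering (13.2 < 14.0 < 14.2)."""
    major: int
    minor: int

    @classmethod
    def parse(cls, text: str) -> Version:
        major, minor = text.split(".")
        return cls(int(major), int(minor))


@dataclass
class Release:
    version: Version
    # CVE id -> CVSS base score. Constructed placeholder values only.
    fixed_cves: dict[str, float] = field(default_factory=dict)


# Constructed release history (placeholder ids, not real Apple advisories).
RELEASES: list[Release] = [
    Release(Version.parse("13.2"), {}),
    Release(Version.parse("13.3"), {"CVE-0000-0001": 7.8, "CVE-0000-0002": 5.5}),
    Release(Version.parse("14.0"), {"CVE-0000-0003": 9.8}),
    Release(Version.parse("14.1"), {"CVE-0000-0004": 6.5}),
    Release(Version.parse("14.2"), {"CVE-0000-0005": 7.5, "CVE-0000-0006": 4.3}),
]


def shown_cves(releases: list[Release], newest: Version) -> dict[str, float]:
    """Severity data the console would display for the newest package:
    only the CVEs that this specific update fixes (the FAQ behaviour)."""
    for rel in releases:
        if rel.version == newest:
            return dict(rel.fixed_cves)
    raise ValueError(f"unknown release {newest}")


def exposed_cves(releases: list[Release], installed: Version,
                 newest: Version) -> dict[str, float]:
    """Everything a device on `installed` is missing: CVEs fixed by every
    release newer than `installed`, up to and including `newest`."""
    missing: dict[str, float] = {}
    for rel in releases:
        if installed < rel.version <= newest:
            missing.update(rel.fixed_cves)
    return missing


def hidden_cves(releases: list[Release], installed: Version,
                newest: Version) -> dict[str, float]:
    """CVEs the device is exposed to that the newest package's severity
    data does not surface, i.e. fixed by intermediate releases."""
    shown = shown_cves(releases, newest)
    return {cve: score
            for cve, score in exposed_cves(releases, installed, newest).items()
            if cve not in shown}


def max_score(cves: dict[str, float]) -> float:
    """Highest CVSS score in a set of CVEs, 0.0 when the set is empty."""
    return max(cves.values(), default=0.0)


if __name__ == "__main__":
    installed, newest = Version.parse("13.2"), Version.parse("14.2")
    print("shown by console :", sorted(shown_cves(RELEASES, newest)))
    print("actually exposed :", sorted(exposed_cves(RELEASES, installed, newest)))
    print("not surfaced     :", sorted(hidden_cves(RELEASES, installed, newest)))
    print("max shown / max exposed:",
          max_score(shown_cves(RELEASES, newest)),
          max_score(exposed_cves(RELEASES, installed, newest)))
```

In the constructed data the console's view of the 14.2 package tops out at a 7.5, while a device still on 13.2 is also missing a 9.8 fixed in 14.0 that the package's severity data never mentions. That is the practical reason a By Severity policy should be read alongside the fleet's actual installed versions rather than the newest package's score alone.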
