Installing Updates and Security Patches

After initial installation, it is important that the operating system be brought up-to-date with all current system version and security updates. If the computer is connected to the Internet, it will automatically connect to Apple and check for available updates.

Software Update also provides a convenient way to check for applicable updates and the order in which they should be applied. Software Update runs through an SSL-secured connection, which is generally sufficient to ensure that the updates have not been tampered with. One thing to be aware of is that some of the required updates may be prerequisites for others (security updates often require that the operating system first be updated to the latest version first). As a result, Software Update may not be able to perform all updates in a single pass. So run Software Update, install the relevant updates it recommends, and then run it again. Keep running it until no updates appear.

In very high-security environments Software Update's security measures may not be considered sufficient, or it may be unacceptable to have configuration information sent to Apple. In these cases, manually downloading, verifying, and installing updates is the preferred method. You can download updates from https://www.apple.com/support/downloads.

Note

This page is available over either HTTP or HTTPS. You are recommended to use the HTTPS URL to protect against spoofing and/or tampering.

Each available item will have a download link to the right and a description link to the left. Click the description link for detailed information on the update. This information will include system requirements to help you evaluate which updates are relevant to which configurations. For security-related updates, the information will also include an SHA1 hash that can be used to verify the integrity of the update after it is downloaded.

Download all relevant updates (usually in the form of disk images), and then verify each one by opening the Terminal utility and entering the command

/usr/bin/openssl sha1 /path/to/file.dmg

Tip

To save entering the path to the file, you can enter the part of the command before the path, then drag the file from the finder into the Terminal window. The full path will be filled in automatically.

The openssl sha1 command will calculate the SHA1 hash of the file and should return something like this:

SHA1(/Users/localadmin/MacOSXUpdateCombo10.4.2.dmg)= 5149defob79f030bdb2763283c376e4d87do85e9

Compare this SHA1 hash to the one listed on the update's webpage. If they match, the update is intact and can be used safely. If it does not match, something is wrong with the downloaded update and you should not use it.

The main difficulty of using the manual method is that it is hard to figure out which updates need to be applied, and in which order. One way around this is with a hybrid method. Consult Software Update to check for relevant updates and their order of installation, and then download, verify, and install them manually. This provides the additional security of the verification step, but it does expose configuration information to the update server.

Even this can be solved by setting up a private update server on Mac OS X Server and downloading updates from that server instead of the Apple update server. This requires setting up an Open Directory server and binding the client to that server. Setting this up is nontrivial and beyond the scope of this book. If you haven't set up an Open Directory server for other reasons, the manual method is probably simpler; but if you're using Open Directory's client management anyway, adding the update server capability is an easy step.