Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Community Blog

Mac Users, Upgrading to OS X 10.6.8? You Want to Read This First...

Created: 24 Jun 2011 • Updated: 13 Jul 2011 • 16 comments
Kelvin_Kwan's picture
+1 1 Vote
Login to vote

 

We are once again writing to follow-up on our early post related to a similar issue from January.  This time, it’s for Mac OS X upgrades to Apple’s just released 10.6.8 update and PGP Whole Disk Encryption for Macs. 

Much like the previous post, Apple’s automated Mac OS X 10.6.8 Software Update mechanism bypasses the protections of PGP Corporation had put around a critical file needed for normal system startup.  This time however, users who are running 10.1.1-Build 10 and newer had no problems with the Apple 10.6.8 update as expected.  Users running older versions, however, ran into problems.

As communicated previously, the PGP Engineering team discovered that the Apple automated Software Update mechanism bypassed the protections PGP built-in to protect the boot.efi file.  This bypass allows the Mac OS X update to overwrite a critical file needed by PGP Whole Disk Encryption when the machine boots, thus rendering the system non-bootable after installation of the update. 

Users of PGP Desktop 10.1.1-Build 18 (or higher) did not run into any issues because PGP was able to properly protect the boot.efi file.  Users that were running an older version than PGP Desktop 10.1.1-Build 10 ran into problems because the new mechanism to protect the boot.efi file does not exist in those versions. While build 10 is not affected by some of the Mac update issues, it wasn't until Build 18 that we fixed the issue with a comoo updater for Mac as well.

We recommend that you please upgrade to PGP Desktop at least 10.1.1-Build 18 or higher prior to upgrading Mac OS X to 10.6.8.  This will prevent boot issues from this OS X upgrade. 

 

Latest Knowledge Base article pertaining to upgrading to OS X 10.6.8: http://www.symantec.com/business/support/index?page=content&id=TECH163224

 

For more information on how to obtain the latest version of PGP Desktop, please visit: 

http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/163000/TECH163224/en_US/Obtain%20PGP%20Desktop.pdf

 

UPDATE:  If you are running SEE FDE for the Mac OS X platform, you must be on version 8.0.1 or higher.  If you upgrade to OS X 10.6.8 on SEE FDE 8.0.0, you will render your Mac non-bootable.

Comments 16 CommentsJump to latest comment

PGP_Ben's picture

I appreciate your hard work and dilligence on making sure that the word gets to the customers. Let's hope customers don't feel so left in the dark in the future. I

think that it's important to note that the current versions of PGP Desktop in the 10.x release cycle don't allow a manual update from the client anymore. this feature is completely disabled. This is why customers need to download the update from our portal or else update their PGP Universal Server and then control the client policy for updates from the Universal Server. Otherwise, they are not protected from Apple's software update utility overwriting the PGPboot.efi file causing the system not to be able to boot.

I hope this clears things up for customers

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

0
Login to vote
cryptBit's picture

Thanks for the post Kelvin. Can you provide some help for people hanging in the boot sequence because they updated OS X prior PGP? When a certain file has been deleted, what can be done? Thanks in advance!

PS: I learned the lesson... never update OS X without updating PGP first (and read some posts about it).

0
Login to vote
mrmiketheman's picture

I have the same problem as cryptBit, I've already updated and now my system won't boot. What is required to recover?

 

Thanks.

0
Login to vote
Kelvin_Kwan's picture

Hi Guys,
I just realized I had mis-labeled the 2 links at the bottom of my blog.  I just fixed it.

If you've already upgrade to 10.6.8 while running an older version of PGP DeskTop, please take a look at the KB article I referenced in the blog posting above.  (http://www.symantec.com/business/support/index?pag...)  

There's a section in the KB article that says "If you have already installed 10.6.8, and are affected by this issue...." that explains how to boot the system.

IMPORTANT:  Just because you recover the system to boot, you still need to upgrade PGP DeskTop to the latest version.  Failing to do so will give you the same boot issue the next time OS X has a security update.

Regards,
-kelvin

0
Login to vote
cryptBit's picture

Hi Kelvin

Thanks for the update. Unfortunately I already tried to decrypt the disk. 1% took about 5 hours (1 TB) disk. So I decided to start from scratch and reinstall the whole Mac as it turns out, that this is the fastest way.

The KB article says, that version prior 10.1.1-Build 18 must upgrade. Nice. And how can I download a newer Version? Fileconnect gives me the old one, search finds nothing at all, lots of 404, the navigation is a mess...

I found the Release notes of 10.1.2 (here: http://www.symantec.com/business/support/index?pag...) and the Recovery Disk Images (here: http://www.symantec.com/business/support/index?pag...) but not the SOFTWARE itself.

Licenising Portal says: Call customer support. WTF?

I would really appreciate if Symantec had a working customer site where all purchased versions can be selected. Just login, see your versions (and updates), download, install, enter serial key. Done. Take the Mac App Store... it took me less time to install 20+ updated Apps from the Mac Store than finding the needed Version of PGP Desktop.... :-(

So if someone from Symantec is reading this: Do your customers a favor and make your site frendlier., it's really a pain in the neck.THANKS! :-)

0
Login to vote
Kelvin_Kwan's picture

Hi cryptBit,

Take a look at this link here for more information on how to obtain the latest versions. 

http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/163000/TECH163224/en_US/Obtain%20PGP%20Desktop.pdf

Regards,
-kelvin

0
Login to vote
mssym's picture

I am using SEE 8.0.0 (Symantec Endpoint Encryption 8.0.0). what version of SEE has PGP fix was built in?

0
Login to vote
mssym's picture

Symantec support team,

Looked like this issue also impacted SEE 8.0.0 users, Would you please update us what version of SEE containing the PGP fix?

If there is no fix added to SEE product yet, what is best recommended method for us to recover the system? can I use the recover utility come with the SEE install binary?

And in the future, how will you communicate to your customers regarding the critical issues? blog is not best option as not everyone visits millions of blogs for the products updates.

Thanks

0
Login to vote
PGP_Ben's picture

This was the response from our QA team:

Yes. This bug was fixed and verified in SEE FD 8.0.1. and SEE 8.0.1 is already released.

 

It looks like you probably just need to upgrade your version. If you are going to use the recover utility, make sure that you use the version of the recovery utility that matches the version that you encrypted the drive with.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

0
Login to vote
zmstr's picture

If I don't know what version of PGP WDE I have installed, will I do irreparable harm by using the wrong version of the recovery disk? Thanks.

0
Login to vote
PGP_Ben's picture

Yes, it can definetely cause problems from using the wrong version of the Recover CD. It shouldn't harm it to use the latest recovery CD to boot the operating system off the CD though. I would do that first, that will get you back into the OS. Then you can see what version of PGP Desktop that you have there. But at that point, you could decrypt in the OS anyways. I actually wouldn't recommend decrypting from the CD unless it's your only option (IE you cannot get the recovery CD to boot the OS for some reason).

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

0
Login to vote
alexcp's picture

Sorry for repeating this again and again, but how do I update PGP after I booted the system from the Recovery CD? https://fileconnect.symantec.com requires a serial number. I purchased the product with the Bronze maintenance option back in 2009 and renewed the maintenance every year since then. All I have is the old PGP order number and license number, neither of which works for Symantec now. My last maintenance is valid until 7/30/11, yet I cannot download event a basic update... 

0
Login to vote
CC99234's picture

The whole customer service approach is a complete joke. I have to login to 5 different URLs to find out that I can't even submit a support request because I need a Technical contact id or magical code. What year is Symantec living in? Having to call an Internet company in order to request a basic upgrade? Give me a break. How about just providing a link to a version that will work with the 10.6.8 upgrade?

0
Login to vote
PGP_Ben's picture

Here is your link:

https://fileconnect.symantec.com

All you need is a serial number or license authorization code from when you purchased the software .This is due to the export restrictions and legal requirements. We cannot make our software publicly available for people to download. It's against the law in many areas of the world since our software contains crypto.

If you have problems downloading the software. Call customer service at (800) 721-3934. It should be that straight forward.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

0
Login to vote
desertrat's picture

I accidentally installed the OS X update 10.6.8 over my PGP version 10.1.1 Build 10.  I am able to boot into my system using the PGP recovery disc.  I also have downloaded PGP Desktop 10.1.2.  Now, how do I install PGP Desktop 10.1.2?  Do I just install it normally, on top of 10.1.1?  Or do I have to o something else to install?  After I install the new version, I am all good to go?

0
Login to vote
BlackBrent's picture

Own Macbook Pro and have all of a sudden encountered strange condition wherein PGP WDE drop-down menu items are "active," but only for a split second before they scroll away from where they appeared.  Further, while trying to decrypt a file got msg "Error. The file could not be decrypted/verified."

Cannot open any of the icons within the main desktop gui, frame basics are inactive; can't use minimize, quit or increase buttons at all, screen is just dead with no interface capabiities...

Clues, ideas?