SecUpd2015-002 for Mavericks un-hides mach_kernel

Number:rdar://20120320 Date Originated:11-Mar-2015
Status:Open Resolved:
Product:OS X Product Version:10.9.5
Classification:UI/Usability Reproducible:Always
The 2015-002 Security Update for Mavericks, when applied, leaves an unhidden mach_kernel in the root of the system volume. Normally this file is expected to have the "hidden" Finder flag, but after applying this update the file is un-hidden, exposing it to users who may attempt to trash the file, not knowing what it is.

If these users have administrative rights they will be able to delete the file once they are prompted by the Finder to enter their credentials.

Steps to Reproduce:
1. Install the latest Security Update 2015-002 on a 10.9.5 system.
2. Verify the update has been installed by checking for software updates in the Mac App Store, and verifying the updated OS X build of 13F1066.

Expected Results:
The mach_kernel file at / would remain hidden.

Actual Results:
The mach_kernel file appears visible in the finder at the root of the system volume.

10.9.5, 13F1066

This has been seen before with system updates to 10.8.

If I compare the installer packages for SecUpd 2015-001 and 2015-002, I notice that one of 001's scripts in the postinstall_actions directory is "hideFiles," which simply calls the included SetFile tool to hide /mach_kernel.

The installer package for 002 has no pre/postinstall_actions at all.

I'm aware that there's a KB article for this at However it still seems odd that the SecUpd2015-002 update has no pre/postinstall actions.

Tested on two systems, each with the previous 2015-001 security update having been applied:

iMac 2013, 10.9.5
VMware Fusion VM, 10.9.5


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!