PSA: Apple isn’t actually fixing all the security holes in older versions of macOS

The default wallpaper for macOS Catalina.


News circulated today, via both an article in Vice and a post from the Google Threat Analysis Group, of a privilege escalation bug in macOS Catalina that was being used by “a well-resourced group” that was “likely state-backed” against visitors to pro-democracy websites in Hong Kong. According to Google’s Erye Hernandez, the vulnerability (labeled CVE-2021-30869) was reported to Apple in late August 2021 and patched in macOS Catalina Security Update 2021-006 on September 23. Both posts have more information on the implications of this exploit; attribution has not been confirmed, but it certainly appears to be yet another front in China’s effort to crack down on civil liberties in Hong Kong. For our purposes, though, let’s focus on how Apple keeps its operating systems up to date, because that has broader implications.

On the surface, this incident is a relatively common example of security updates working as they should: a vulnerability is discovered in the wild, reported to the company responsible for the software, and patched, all in the space of roughly one month. The problem, as Intego Chief Security Analyst Joshua Long pointed out, is that exactly the same CVE was patched in macOS Big Sur version 11.2, released on February 1, 2021. That’s a 234-day gap, even though Apple was and continues to be actively updating both versions of macOS.

For context: every year, Apple releases a new version of macOS. But for the benefit of people who don’t want to install a new operating system on day one, or who can’t install the new operating system because their Mac is not on the list of supported hardware, Apple provides security-only updates for older versions of macOS for about two years after they are replaced.

This policy is not spelled out anywhere, but the informal “N + 2” software support timeline has been in place since the early days of Mac OS X (as you can imagine, it felt much more generous when Apple spent two or three years between macOS releases instead of one). The normal assumption, and one I keep in mind when making upgrade recommendations in our annual macOS reviews, is that “still supported” means exactly that, and that you don’t need to install a new operating system and deal with its bugs just to benefit from Apple’s latest security fixes.

But as Long points out on Twitter and on the Intego Mac Security Blog, that is not always the case. He has been comparing the security content of different macOS patches and has found many vulnerabilities that are only patched in the latest version of macOS (and iOS 15 seems to work the same way, even though iOS 14 is still actively supported with security updates). Some of this disparity can be explained: many (but not all!) of the WebKit vulnerabilities on that list were patched in a separate Safari update, and some bugs may affect newer features that simply aren’t present in older versions of the operating system. According to Hernandez, the vulnerability in question here did not appear to affect macOS Mojave, despite the lack of a patch. But in the case of this privilege escalation bug, we have an example of an actively exploited vulnerability that was present in several versions of the operating system, of which only one had been patched for months.
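The comparison Long describes can be automated. The following is an added example, not code from the article, from Intego, or from Apple: a small Python script that pulls the CVE identifiers out of two security-content notes, reports which fixes are missing from one release, and computes the gap in days between the release dates. Only the CVE-2021-30869 entry and the two release dates come from the article; the other identifiers, the note text and the variable names are constructed placeholders.

```python
"""Cross-check the CVE lists of two security-content notes and compute the patch gap.

Added example, not from the article or from Apple/Intego. The sample notes below
are constructed; only CVE-2021-30869 and the two release dates come from the article.
"""
import re
from datetime import date, datetime

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
RELEASED_RE = re.compile(r"Released\s+([A-Za-z]+ \d{1,2}, \d{4})")

# Constructed sample notes in the shape of Apple's "About the security content" pages.
BIG_SUR_11_2 = """
Released February 1, 2021
Kernel
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
CVE-2021-30869: Google Threat Analysis Group
WebKit
CVE-2021-00001: placeholder (constructed identifier)
CVE-2021-00002: placeholder (constructed identifier)
"""

CATALINA_OLDER = """
Released February 1, 2021
WebKit
CVE-2021-00001: placeholder (constructed identifier)
CVE-2021-00002: placeholder (constructed identifier)
"""

CATALINA_2021_006 = """
Released September 23, 2021
Kernel
CVE-2021-30869: Google Threat Analysis Group
"""


def cves_in(notes):
    """Return the set of CVE identifiers mentioned in a security-content note."""
    return set(CVE_RE.findall(notes))


def release_date(notes):
    """Parse the 'Released <Month> <day>, <year>' line into a date."""
    match = RELEASED_RE.search(notes)
    if match is None:
        raise ValueError("no release date found in notes")
    return datetime.strptime(match.group(1), "%B %d, %Y").date()


def missing_fixes(reference, candidate):
    """CVEs fixed in `reference` that are absent from `candidate`.

    A non-empty result is the signal Long looked for: a fix shipped on one
    supported macOS version but not (yet) on another.
    """
    return cves_in(reference) - cves_in(candidate)


def patch_gap_days(first_notes, later_notes):
    """Days between the release dates of two notes (234 for the article's case)."""
    return (release_date(later_notes) - release_date(first_notes)).days


if __name__ == "__main__":
    print("Missing from older Catalina:", sorted(missing_fixes(BIG_SUR_11_2, CATALINA_OLDER)))
    print("Missing from Catalina 2021-006:", sorted(missing_fixes(BIG_SUR_11_2, CATALINA_2021_006)))
    print("Gap in days:", patch_gap_days(BIG_SUR_11_2, CATALINA_2021_006))
```

Run against real notes, the remaining WebKit entries in the second comparison are exactly the kind of “missing” fix that is usually explained by a separate Safari update, so a non-empty set is a prompt to investigate rather than proof of a gap.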

The simple solution to this problem is for Apple to provide all security updates for all of the operating systems it is actively updating. But it is also time for better communication on this topic. Apple should spell out its update policies for older versions of macOS, as Microsoft does, instead of relying on the timing of its releases. The latest macOS Mojave security update was in July, for example, which means that even though it still had official and unofficial support until Monterey was released in October, it missed a bunch of security patches released for Big Sur and Catalina in September. People shouldn’t have to guess whether their software is still being updated.

As Apple leaves more and more Intel Macs behind, it should also consider extending those schedules, if only for Mac hardware that is literally unable to upgrade to the latest versions of macOS (there is precedent for this: iOS 12 continued to receive security updates for two years after being replaced, but only on hardware that could not be updated to iOS 13 or newer). It’s unreasonable to expect Apple to support older versions of macOS in perpetuity, but perfectly functional Macs shouldn’t be in a situation where they are two years (or less) away from being totally unpatched if Apple decides to drop them from that year’s support list.
