PSA: Apple doesn’t patch all security holes in older versions of macOS
The default wallpaper for macOS Catalina.
News is circulating today, both through a report in Vice and a post from Google’s Threat Analysis Group, about a privilege escalation bug in macOS Catalina used by a “well-resourced” and “likely government sponsored” group to target visitors to pro-democracy websites in Hong Kong. According to Google’s Erye Hernandez, the vulnerability (CVE-2021-30869) was reported to Apple in late August 2021 and patched in macOS Catalina Security Update 2021-006 on September 23. Both posts provide more information on the ramifications of this exploit (it hasn’t been confirmed, but it certainly seems to be another front in China’s efforts to crack down on civil liberties in Hong Kong), but for our purposes we’ll focus on how Apple keeps its operating systems up to date, because that has even more far-reaching effects.
On the surface, this incident is a relatively unremarkable example of security updates working the way they should. A vulnerability is discovered in the wild, it is reported to the company responsible for the software, and it is patched, all within about a month. The problem, as noted by Joshua Long, Intego’s chief security analyst, is that the exact same CVE was patched in macOS Big Sur version 11.2, which was released on February 1, 2021. That’s a 234-day gap, despite the fact that Apple has been, and still is, actively updating both versions of macOS.
For context, Apple releases a new version of macOS every year. But for the benefit of people who don’t want to install a new operating system on day one, or who can’t install the new operating system because their Mac isn’t on the list of supported hardware, Apple offers security-only updates for older macOS versions for about two years after they are replaced.
This policy isn’t documented anywhere, but the informal “N + 2” software support timeline has been around since the early days of Mac OS X (as you can imagine, it felt a lot more generous when Apple went two or three years between Mac OS X releases instead of one). The normal assumption I make in the upgrade recommendations in our annual macOS reviews is that “supported” means “supported”: that you don’t have to install a new operating system, and deal with a new operating system’s bugs, in order to benefit from Apple’s latest security updates.
But as Long points out on Twitter and the Intego Mac Security Blog, this isn’t always the case. He’s made a habit of comparing the security content of different macOS patches and has found that there are many vulnerabilities that are only patched in the latest version of macOS (and it looks like iOS 15 could be the same, even though iOS 14 is still actively supported with security updates). You can explain away some of these differences: many (if not all!) of the WebKit vulnerabilities on this list have been patched in a separate Safari update, and some bugs may affect newer features that aren’t present in older versions of the system. According to Hernandez, the vulnerability in question didn’t appear to affect macOS Mojave, despite Mojave never receiving a patch for it. But in the case of this privilege escalation bug, we have an example of an actively exploited vulnerability that was present in several versions of the operating system but was only actually patched in one of them for months.
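The comparison Long describes, checking which CVEs each still-supported branch has actually received and how far behind each branch is, is easy to automate once the security-content lists are in hand. The script below is an added example, not code from the article, Intego or Apple: it models each Apple update as a release with a branch, a date and its CVE set, then reports per-branch fix lag and the CVEs a branch has never received. Only CVE-2021-30869 and the two release dates (Big Sur 11.2 on February 1, 2021; Catalina Security Update 2021-006 on September 23, 2021) come from the article; the other CVE ids, the Mojave entry and its date are constructed placeholders, and the parsing of Apple’s security-content pages into this structure is left to the reader.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    """One security update: the OS branch it targets, its name, release date,
    and the set of CVE identifiers its security-content notes list as fixed."""
    branch: str
    name: str
    released: date
    cves: frozenset


# Constructed sample data. Dates and CVE-2021-30869 for the first two entries
# are taken from the article; every "CVE-0000-*" id and the whole Mojave entry
# (including its date) are placeholders invented for this example.
RELEASES = [
    Release("Big Sur", "macOS Big Sur 11.2", date(2021, 2, 1),
            frozenset({"CVE-2021-30869", "CVE-0000-00001"})),
    Release("Catalina", "Security Update 2021-006 (Catalina)", date(2021, 9, 23),
            frozenset({"CVE-2021-30869", "CVE-0000-00002"})),
    Release("Mojave", "Mojave update (constructed)", date(2021, 7, 15),
            frozenset({"CVE-0000-00003"})),
]


def first_fix(releases):
    """Map each CVE to the earliest release (on any branch) that fixed it."""
    first = {}
    for r in sorted(releases, key=lambda r: r.released):
        for cve in r.cves:
            first.setdefault(cve, r)
    return first


def fix_lag_days(releases, cve):
    """Days between the first fix of `cve` anywhere and the first fix on each
    branch that eventually patched it. A branch that never fixed it is absent."""
    fixed_on = {}
    for r in sorted(releases, key=lambda r: r.released):
        if cve in r.cves:
            fixed_on.setdefault(r.branch, r.released)
    if not fixed_on:
        return {}
    earliest = min(fixed_on.values())
    return {branch: (d - earliest).days for branch, d in fixed_on.items()}


def unpatched_in_branch(releases, branch):
    """CVEs that some other branch has fixed but `branch` has never received.
    Some of these are legitimate (feature not present, fixed via Safari
    instead); the list is a starting point for that triage, not a verdict."""
    fixed_here = set().union(*(r.cves for r in releases if r.branch == branch))
    fixed_elsewhere = set().union(*(r.cves for r in releases if r.branch != branch))
    return fixed_elsewhere - fixed_here


def parity_report(releases):
    """Per branch: CVEs it got late (with lag in days) and CVEs it never got."""
    report = {}
    all_cves = set().union(*(r.cves for r in releases))
    for branch in sorted({r.branch for r in releases}):
        late = {}
        for cve in all_cves:
            lag = fix_lag_days(releases, cve).get(branch)
            if lag:  # present and strictly later than the first fix
                late[cve] = lag
        report[branch] = {"late": late,
                          "missing": sorted(unpatched_in_branch(releases, branch))}
    return report


if __name__ == "__main__":
    for branch, info in parity_report(RELEASES).items():
        print(f"{branch}:")
        for cve, lag in sorted(info["late"].items()):
            print(f"  {cve} fixed {lag} days after the first fix")
        for cve in info["missing"]:
            print(f"  {cve} never fixed on this branch")
```

Running it with the sample data reports Catalina’s 234-day lag on CVE-2021-30869 and lists that CVE as never fixed on the constructed Mojave branch, which is exactly the kind of discrepancy a patch-parity check is meant to surface before an attacker does.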
The simple solution to this problem is that Apple should actually be shipping all of its security updates to every operating system it is actively updating. But it’s also time for better communication on the matter. Apple should spell out its update policy for older versions of macOS the way Microsoft does, rather than relying on the current hand-waved release timing. For example, macOS Mojave’s last security update was in July, which means that although it was still officially-unofficially supported until Monterey was released in October, it missed a number of security patches released for Big Sur and Catalina in September. People shouldn’t have to guess whether their software is still being updated.
As Apple leaves more and more Intel Macs behind, it should also consider extending these timelines, if only for Mac hardware that literally can’t upgrade to newer macOS versions (there is precedent: iOS 12 continued to receive security updates for two years after it was replaced, but only on hardware that couldn’t be updated to iOS 13 or later). It isn’t reasonable to expect Apple to support old macOS versions forever, but perfectly functional Macs shouldn’t be in a situation where they’re two years (or less) away from being completely unpatched the moment Apple drops them from this year’s support list.