Open gap in old systems: Apple’s patch strategy leaves users vulnerable

A flaw in an older version of macOS that was actively exploited for attacks has led to criticism of Apple’s patching strategy. Security researchers warn that the manufacturer is cradling users of older operating system versions with security updates that still ship in fake security because not all weak spots are by far eliminated.

Spread open for seven months

A vulnerability that was silently plugged in the latest version of macOS 11 Big Sur remained open in the previous version of macOS 10.15 Catalina for over seven months and was actively used for attacks during that time. Malware delivered via manipulated websites could install itself covertly in the browser when the site was visited and without user interaction, as AV company Malwarebytes explains – a “fairly fully equipped backdoor” was introduced smuggled into the victim’s Macs.

The malware apparently targeted activists in Hong Kong. Apple did not submit the patch for macOS 10.15 until after Google security researchers reported the malware campaign to the company.

A serious flaw in the XNU kernel and a vulnerability in the Safari browser substructure, WebKit, was used for this. Apple closed the WebKit gap with a browser update, but the XNU vulnerability was not addressed until February in the most recent version of macOS 11.2 (and iOS 14.4). A reference to the hole, which the Pangu jailbreak hacker team had apparently already reported to Apple earlier this year, was only added by Apple in September – alongside the patch for macOS 10.15 Catalina (and iOS 12) .

No Apple Update Promise

It remains to be seen why Apple fixed the bug so late in the older version of the operating system. macOS 10.14 Mojave had not received any security updates at this point, although the latest version of macOS 12 Monterey is still a few weeks away. It is not clear whether the vulnerability also exists in the XNU kernel of macOS 10.14.

There is no official statement from Apple as to how long OS versions should receive updates. Over the past decade, it has become established that the two versions of macOS preceding the current version will continue to receive security updates for an indefinite period of time. This year, Apple is also offering security updates for the iOS and iPadOS versions from last year for the first time. The “most comprehensive security updates” are only available with iOS 15, according to the manufacturer.

(lb)