PSA: Apple has not actually patched all the security vulnerabilities in the old version of macOS



[Image: The default wallpaper of macOS Catalina. Credit: Apple]

Today, an article from Vice and a post from Google's Threat Analysis Group spread the news of a privilege escalation vulnerability in macOS Catalina that was being used by attackers with “resources” who “may have state support” to target visitors to a Hong Kong pro-democracy website. According to Google's Erye Hernandez, the vulnerability (tracked as CVE-2021-30869) was reported to Apple in late August 2021 and was patched in macOS Catalina Security Update 2021-006 on September 23. Both pieces have more detail on the exploit itself, which, while unconfirmed, is almost certainly another front in China's campaign against civil liberties in Hong Kong. For our purposes, though, let's focus on how Apple keeps its operating systems up to date, because that has wider implications.

On the face of it, this incident is a fairly unremarkable example of security updates working as intended: a vulnerability was discovered in the wild, reported to the company responsible for the software, and patched, all in about a month. The problem, as Intego Chief Security Analyst Joshua Long pointed out, is that the exact same CVE was patched in macOS Big Sur 11.2, which dates back to February 1, 2021. That is a 234-day gap, even though Apple was, and still is, actively updating both versions of macOS.

For context: Apple releases a new version of macOS every year. But for the benefit of people who don't want to install a new operating system on day one, or who can't install it because their Mac isn't on the supported hardware list, Apple provides security-only updates for older versions of macOS for roughly two years after they have been superseded.

The policy isn't spelled out anywhere, but the informal “N+2” software support schedule has been in place since the early days of Mac OS X (it presumably felt more generous when Apple was shipping a new macOS version every two or three years instead of every year). When we make upgrade recommendations in our annual macOS reviews, the working assumption is that “supported” means “supported”, and that you don't need to install a new operating system and deal with its new bugs to benefit from Apple's latest security fixes.

But as Long has pointed out on Twitter and on the Intego Mac security blog, that isn't always the case. He has made a habit of comparing the security content of different macOS patches, and he has found many vulnerabilities that are patched only in the latest version of macOS (and the same appears to be true of iOS 15, even though iOS 14 is still actively receiving security updates). Some of the discrepancies can be explained: many (though not all!) of the WebKit vulnerabilities on his list are patched in a separate Safari update, and some bugs may affect newer features that simply don't exist in older operating systems. Hernandez said that although there is no patch for macOS Mojave, the vulnerability does not appear to affect it. But in this privilege escalation vulnerability we have an example of a bug that is actively exploited, that exists in multiple versions of the operating system, and that was for several months patched in only one of them.
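The comparison Long does by hand, checking which CVEs appear in each OS line's security content and how far apart the fixes landed, is easy to mechanize once the release notes are in a structured form. The script below is an added example written for this article, not code from Ars Technica, Intego, or Apple. The only real data in it is CVE-2021-30869 with the two dates given above (Big Sur 11.2 on February 1, 2021; Catalina Security Update 2021-006 on September 23, 2021); every other release name and `CVE-SAMPLE-*` identifier is a constructed placeholder, and in practice the `RELEASES` list would be populated from Apple's published security content. It reports, per CVE, the gap in days between the first fix on one OS line and the first fix on another, and which CVEs fixed on a reference line have never appeared on another line.

```python
"""Compare macOS security content across OS lines to surface patch gaps.

Added example. Only CVE-2021-30869 and its two fix dates come from the
article; everything labelled SAMPLE or 'sample' is constructed data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SecurityRelease:
    os_line: str            # the macOS line, e.g. "Big Sur", "Catalina", "Mojave"
    name: str               # the release as Apple labels it
    released: date          # publication date of the security content
    cves: FrozenSet[str]    # CVE IDs listed in that security content


# Constructed sample data (hypothetical except where noted in the docstring).
RELEASES: List[SecurityRelease] = [
    SecurityRelease("Big Sur", "macOS Big Sur 11.2", date(2021, 2, 1),
                    frozenset({"CVE-2021-30869", "CVE-SAMPLE-0001"})),
    SecurityRelease("Catalina", "sample Catalina update (Feb 2021)", date(2021, 2, 1),
                    frozenset({"CVE-SAMPLE-0001"})),
    SecurityRelease("Mojave", "sample Mojave update (Feb 2021)", date(2021, 2, 1),
                    frozenset({"CVE-SAMPLE-0001"})),
    SecurityRelease("Big Sur", "sample Big Sur update (Sep 2021)", date(2021, 9, 20),
                    frozenset({"CVE-SAMPLE-0002"})),
    SecurityRelease("Catalina", "Security Update 2021-006 Catalina", date(2021, 9, 23),
                    frozenset({"CVE-2021-30869", "CVE-SAMPLE-0002"})),
]


def first_fix_by_line(releases: List[SecurityRelease]) -> Dict[str, Dict[str, Tuple[date, str]]]:
    """Map each CVE to {os_line: (date, release name)} of the earliest release
    on that line whose security content lists it."""
    table: Dict[str, Dict[str, Tuple[date, str]]] = {}
    # Stable sort by date so the first release seen per line is the earliest fix.
    for rel in sorted(releases, key=lambda r: r.released):
        for cve in rel.cves:
            table.setdefault(cve, {}).setdefault(rel.os_line, (rel.released, rel.name))
    return table


def patch_gap_days(releases: List[SecurityRelease], cve: str,
                   line_a: str, line_b: str) -> Optional[int]:
    """Days between the first fix on line_a and on line_b, or None if either
    line has never shipped a fix for the CVE."""
    fixes = first_fix_by_line(releases).get(cve, {})
    if line_a not in fixes or line_b not in fixes:
        return None
    return abs((fixes[line_b][0] - fixes[line_a][0]).days)


def missing_on_line(releases: List[SecurityRelease],
                    reference_line: str, other_line: str) -> List[str]:
    """CVEs fixed on reference_line that have not appeared in any release on
    other_line, i.e. the still-unpatched set as far as the notes show."""
    fixes = first_fix_by_line(releases)
    return sorted(cve for cve, per_line in fixes.items()
                  if reference_line in per_line and other_line not in per_line)


def gap_report(releases: List[SecurityRelease]) -> List[Tuple[str, str, str, int]]:
    """(cve, earliest line, latest line, gap in days) for every CVE fixed on
    more than one line, largest gap first."""
    rows = []
    for cve, per_line in first_fix_by_line(releases).items():
        if len(per_line) < 2:
            continue
        earliest = min(per_line, key=lambda ln: per_line[ln][0])
        latest = max(per_line, key=lambda ln: per_line[ln][0])
        rows.append((cve, earliest, latest,
                     (per_line[latest][0] - per_line[earliest][0]).days))
    return sorted(rows, key=lambda row: -row[3])


if __name__ == "__main__":
    for cve, first, last, days in gap_report(RELEASES):
        print(f"{cve}: fixed on {first} {days} days before {last}")
    print("Fixed on Big Sur, never on Mojave:", missing_on_line(RELEASES, "Big Sur", "Mojave"))
```

Run as-is it reports the 234-day gap for CVE-2021-30869 between Big Sur and Catalina; the `missing_on_line` output is the list a defender would feed into a risk review, since a CVE public in one line's release notes but absent from another line's is exactly the window the article describes.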

The simple fix for this is that Apple should actually provide all security updates to all of the operating systems it is actively updating. But it is also time for better communication on the subject. Apple should spell out its update policy for older versions of macOS the way Microsoft does, rather than relying on its current ad hoc release timing. For example, the last security update for macOS Mojave came in July, which means that even though it was still nominally supported until Monterey's release in October, it missed the batch of security patches that Big Sur and Catalina received in September. People shouldn't have to guess whether their software is still being updated.

As Apple leaves more and more Intel Macs behind, it should also consider extending these timelines, if only for Mac hardware that can't actually be upgraded to a newer version of macOS (there is precedent: iOS 12 has continued to receive security updates two years later, but only for hardware that can't be upgraded to iOS 13 or later). It is unreasonable to expect Apple to support old macOS versions forever, but if Apple decides to drop a Mac from a given year's support list, a perfectly functional Mac shouldn't go completely unpatched within two years (or less).



