Today, via an article by Vice and a post from Google's Threat Analysis Group, news is spreading about a privilege escalation vulnerability in macOS Catalina that was used by people with "resources" who "may have state support" to target visitors to a pro-democracy website in Hong Kong. According to Google's Erye Hernandez, the vulnerability (tracked as CVE-2021-30869) was reported to Apple in late August 2021 and was patched in macOS Catalina Security Update 2021-006 on September 23. Both articles have more detail on the exploit (it hasn't been confirmed, but it is certainly another front in China's fight against civil liberties in Hong Kong), but for our purposes, let's focus on how Apple keeps its operating systems up to date, because that has broader implications.
On its face, this incident is a relatively unremarkable example of security updates working as intended: a vulnerability was discovered in the wild, it was reported to the company responsible for the software, and it was patched, all in about a month. The problem, as Intego Chief Security Analyst Joshua Long pointed out, is that the very same CVE was patched in macOS Big Sur version 11.2, which was released on February 1, 2021. That is a 234-day gap, even though Apple was, and still is, actively updating both versions of macOS.
For context: Apple releases a new version of macOS every year. But for the benefit of people who don't want to install a new operating system on day one, or who can't because their Mac isn't on the supported hardware list, Apple provides security-only updates for older versions of macOS for roughly two years after they are superseded.
The policy isn't spelled out anywhere, but this informal "N+2" software support schedule has been in place since the early days of Mac OS X (one imagines it felt more generous back when Apple shipped new macOS versions two or three years apart rather than every year). When we make upgrade recommendations in our annual macOS reviews, the usual assumption is that "supported" means supported, and that you don't need to install a new operating system and deal with its new bugs to benefit from Apple's latest security fixes.
But as Long has pointed out on Twitter and on the Intego Mac Security Blog, that isn't always the case. He has made a habit of comparing the security content of different macOS patches and has found many vulnerabilities that are patched only in the latest version of macOS (and it looks like the same may be true of iOS 15, even though iOS 14 is still actively supported with security updates). Some of the differences can be explained: many (though not all!) of the WebKit vulnerabilities on that list are patched in a separate Safari update, and some bugs may affect newer features that simply don't exist in older operating systems. Hernandez also said that although there is no patch for macOS Mojave, the vulnerability does not appear to affect it. But in this privilege escalation vulnerability we have a bug that is being actively exploited, that exists in multiple versions of the operating system, and that for the past few months was actually patched in only one of them.
The simple fix is for Apple to actually ship all security updates to all of the operating systems it is actively updating. But it is also time for better communication on this subject. Apple should spell out its update policy for older versions of macOS, as Microsoft does, rather than relying on its current informal release cadence. For example, the last security update for macOS Mojave was in July, which means that even though it was still officially (if unofficially) supported until Monterey's release in October, it missed a batch of security patches released in September for Big Sur and Catalina. People shouldn't have to guess whether their software is still being updated.
As Apple leaves more and more Intel Macs behind, it should also consider extending these timelines, if only for Mac hardware that can't actually be upgraded to a newer version of macOS (there is precedent: iOS 12 continued to receive security updates two years later, but only for hardware that couldn't be upgraded to iOS 13 or later). It is unreasonable to expect Apple to support old macOS versions forever, but a fully functional Mac shouldn't be left completely unpatched two years (or less) after Apple decides to drop it from that year's support list.