On the surface, this incident is a relatively unremarkable example of security updates working as they ought to: a vulnerability is discovered in the wild, reported to the company responsible for the software, and patched, all in the space of about a month. The problem, as noted by Intego chief security analyst Joshua Long, is that the exact same CVE was patched in macOS Big Sur version 11.2, released all the way back on February 1, 2021. That’s a 234-day gap between the Big Sur fix and the Catalina fix, even though Apple was, and still is, actively updating both versions of macOS.
Mentioned in @eryeh’s writeup (https://t.co/ybglJnVwmi), this wasn’t patched for Catalina until Sept 23. NOT mentioned: This was 234 days after #Apple patched the same vuln for Big Sur. @Apple, randomly choosing which vulns you patch for 2 prior #macOS endangers customers. https://t.co/rSA1hqewRa
— Josh Long (the JoshMeister) (@theJoshMeister) November 11, 2021
For context: every year, Apple releases a new version of macOS. For the benefit of people who don’t want to install a new operating system on day one, or who can’t because their Mac isn’t on the new version’s supported-hardware list, Apple provides security-only updates for older macOS versions for around two years after they’re replaced, which is why both Big Sur and Catalina were still receiving patches when this vulnerability was fixed.