PSA: Apple isn’t actually patching all the security holes in older versions of macOS

a write-up in Vice and a post from Google’s Threat Analysis Group, of a privilege escalation bug in macOS Catalina that was being used by “a well-resourced” and “likely state-backed” group to target visitors to pro-democracy websites in Hong Kong. According to Google’s Erye Hernandez, the vulnerability (labeled CVE-2021-30869) was reported to Apple in late August of 2021 and patched in macOS Catalina security update 2021-006 on September 23. Both of those posts have more information on the implications of this exploit—it hasn’t been confirmed, but it certainly appears to be yet another front in China’s effort to crack down on civil liberties in Hong Kong—but for our purposes, let’s focus on how Apple keeps its operating systems up to date, because that has even wider implications.

On the surface, this incident is a relatively unremarkable example of security updates working as they ought to. Vulnerability is discovered in the wild, vulnerability is reported to the company that is responsible for the software, and vulnerability is patched, all in the space of about a month. The problem, as noted by Intego chief security analyst Joshua Long, is that the exact same CVE was patched in macOS Big Sur version 11.2, released all the way back on February 1, 2021. That’s a 234-day gap, despite the fact that Apple was and is still actively updating both versions of macOS.

For context: every year, Apple releases a new version of macOS. But for the benefit of people who don’t want to install a new operating system on day one, or who can’t install the new operating system because their Mac isn’t on the supported hardware list, Apple provides security-only updates for older macOS versions for around two years after they’re replaced.