New Mac Malware Raising Questions About Apple’s Security Patching

For many dedicated Apple customers, enhanced security is one of the main reasons they prefer these systems over their competitors. However, the cybersecurity industry is full of cautionary tales about taking security for granted, and this recent episode once again showcases the risk of relying solely on vendors to deliver bulletproof security measures.


LIFARS is an industry leader that develops proactive strategies and tactics against evolving cybersecurity threats. Our services such as comprehensive gap assessment, red-teaming, penetration testing, threat hunting and vulnerability assessment reveal a company’s vulnerabilities. Our vCISOs will ensure your optimal cybersecurity strategy and adequate posture.


Lately, there have been several high-profile incidents involving Apple systems that call their reputation for being a more secure platform into question.

Now, Apple’s very own security patching strategy is being called into question. Specifically, it seems as if Apple is releasing certain security patches only for newer systems, leaving users on older versions of its software exposed to 0-day and other vulnerabilities being actively exploited in the wild.

These latest flaws were brought into the spotlight by security researcher Joshua Long at the recent Objective by the Sea (OBTS) conference, a security event specifically aimed at all things related to the Apple ecosystem.

For some time, it has been an accepted fact that Apple only supports the latest three major versions of its macOS systems at any time. That means that users with macOS 11 (Big Sur), macOS 10.15 (Catalina), and macOS 10.14 (Mojave) are the only ones who can expect thorough coverage when it comes to official security patches from the vendor.

However, research by Joshua Long and some of his peers has shown that Apple's patch support for specific bugs is sometimes even more limited. For example, bugs that also affected Mojave systems were acknowledged and patched only for systems running Catalina and Big Sur. In other instances, bugs were fixed on certain combinations of systems but not on others.

In effect, this means only users running the absolute latest macOS setups can expect reliable security patching.

Apple has a notorious reputation for tightly guarding information regarding its systems. However, the fact that security researchers, and the public at large, were not enlightened about this apparent policy change represents a significant failing on the part of one of the world’s most valuable companies.

Google's Threat Analysis Group (TAG) announced that it detected two macOS vulnerabilities that were being actively exploited in a watering hole campaign targeting pro-democracy protesters and journalists in Hong Kong. In their own words, the "watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor."

In the same campaign, the attackers also exploited another vulnerability, CVE-2021-1789, a WebKit remote code execution vulnerability.

Apple has since released patches addressing these issues. However, in the case of CVE-2021-1789, the patch was only made available with the releases of macOS Big Sur 11.2 and Safari 14.0.3. While no specific patch was released for users of Mojave or Catalina, the vulnerability would effectively be patched by upgrading to the latest version of Safari.

However, in the case of CVE-2021-30869, a patch for Catalina was not released until seven months after it was released for Big Sur in February of 2021, and only after the gap was pointed out to Apple by the Google TAG team.


References

Analyzing a watering hole campaign using macOS exploits
New Mac malware raises more questions about Apple’s security patching