PSA: Apple isn’t actually patching all the security holes in older versions of macOS

Enlarge / The default wallpaper for macOS Catalina. (credit: Apple)

News is making the rounds today, both via a write-up in Vice and a post from Google’s Threat Analysis Group , of a privilege escalation bug in macOS Catalina that was being used by “a well-resourced” and “likely state-backed” group to target visitors to pro-democracy websites in Hong Kong. According to Google’s Erye Hernandez, the vulnerability ( labeled CVE-2021-30869 ) was reported to Apple in late August associated with 2021 and patched in macOS Catalina security update 2021-006 on September 23. Both of those posts have more information on the implications of this exploit—it hasn’t been confirmed, but it certainly appears to be yet another front within China’s effort to crack down on civil liberties in Hong Kong —but for our purposes, let’s focus on how Apple keeps its operating systems up to date, because that has even wider implications.

On the surface, this incident is a relatively unremarkable example of security updates working as they ought to. Vulnerability is discovered in the wild, vulnerability is reported to the company that will is responsible for the software, and vulnerability is patched, all in the space of about a month. The problem, as noted by Intego chief security analyst Joshua Long , is that the exact same CVE was patched in macOS Big Sur version 11. 2 , released all the way back on February 1, 2021. That’s a 234-day gap, despite the particular fact that Apple was and is still actively updating both variations of macOS.

For context: every year, Apple releases the new version of macOS. But for the benefit of people who don’t want to install a new operating system on day one, or who can’t install the brand new operating system because their Mac isn’t on the supported hardware list, Apple provides security-only updates for older macOS versions regarding around two years after they’re replaced.