The latest Apple news is a tricky affair involving security lapses with profound implications. In a write-up by Vice and a post from Google’s Threat Analysis Group, we know there’s a privilege escalation bug in macOS Catalina used by a well-funded, likely state-backed hacker group to target visitors of pro-democracy sites in Hong Kong.
Google’s Erye Hernandez says the vulnerability (CVE-2021-30869) was reported to Apple in late August of this year and was patched in macOS Catalina security update 2021-006 on September 23.
Both posts have more information about what the flaw implies. However, it appears to be yet another weapon used by China to strip Hong Kong of its civil liberties.
A lapse in judgement
Let’s pivot to another part of this story with even broader implications: the way Apple updates its operating systems. Taken on its own, Apple’s update system appears to be working as it should. If a vulnerability is found, it is reported and patched (often within a month). The problem, according to Joshua Long (Intego chief security analyst), is that the same bug had already been patched in Big Sur v11.2, released on February 1, 2021. That leaves a 234-day gap during which Catalina users remained exposed, even though Apple was still actively updating both operating systems.
A messy system
The details of how the patches work, how updates are delivered, and which versions of macOS receive them are not at all clear. Apple should spell out its update policies for older macOS versions the way Microsoft does. It is not reasonable to expect the company to support every older version of macOS forever. However, Macs in perfect working condition should not be left out in the cold, unpatched, simply because Apple decided to drop them from that particular year’s support list.