0-day or N-day? It depends. —

PSA: Apple isn’t actually patching all the security holes in older versions of macOS

Big Sur got a fix 234 days before Catalina did, although both are supported.

The default wallpaper for macOS Catalina.
Enlarge / The default wallpaper for macOS Catalina.
Apple

News is making the rounds today, both via a write-up in Vice and a post from Google's Threat Analysis Group, of a privilege escalation bug in macOS Catalina that was being used by "a well-resourced" and "likely state-backed" group to target visitors to pro-democracy websites in Hong Kong. According to Google's Erye Hernandez, the vulnerability (labeled CVE-2021-30869) was reported to Apple in late August of 2021 and patched in macOS Catalina security update 2021-006 on September 23. Both of those posts have more information on the implications of this exploit—it hasn't been confirmed, but it certainly appears to be yet another front in China's effort to crack down on civil liberties in Hong Kong—but for our purposes, let's focus on how Apple keeps its operating systems up to date, because that has even wider implications.

On the surface, this incident is a relatively unremarkable example of security updates working as they ought to. Vulnerability is discovered in the wild, vulnerability is reported to the company that is responsible for the software, and vulnerability is patched, all in the space of about a month. The problem, as noted by Intego chief security analyst Joshua Long, is that the exact same CVE was patched in macOS Big Sur version 11.2, released all the way back on February 1, 2021. That's a 234-day gap, despite the fact that Apple was and is still actively updating both versions of macOS.

For context: every year, Apple releases a new version of macOS. But for the benefit of people who don't want to install a new operating system on day one, or who can't install the new operating system because their Mac isn't on the supported hardware list, Apple provides security-only updates for older macOS versions for around two years after they're replaced.

This policy isn't spelled out anywhere, but the informal "N+2" software support timeline has been in place since the very early days of Mac OS X (as you can imagine, it felt much more generous when Apple went two or three years between macOS releases instead of one year). The normal supposition, and one that I factor in when making upgrade recommendations in our yearly macOS reviews, is that "supported" means "supported," and that you don't need to install a new OS and deal with new-OS bugs just to benefit from Apple's latest security fixes.

But as Long points out on Twitter and on the Intego Mac Security Blog, that isn't always the case. He has made a habit of comparing the security content of different macOS patches and has found that there are many vulnerabilities that only get patched in the newest versions of macOS (and it looks like iOS 15 may be the same way, though iOS 14 is still being actively supported with security updates). You can explain away some of this disparity—many (though not all!) of the WebKit vulnerabilities in that list were patched in a separate Safari update, and some bugs may affect newer features that aren't actually present in older versions of the operating system. According to Hernandez, the vulnerability at issue here didn't seem to affect macOS Mojave, despite its lack of a patch. But in the case of this privilege escalation bug, we have an example of an actively exploited vulnerability that was present in multiple versions of the operating system but for months had only actually been patched in one of them.

The simple solution for this problem is that Apple should actually provide all of the security updates for all of the operating systems that it is actively updating. But it's also time for better communication on this subject. Apple should spell out its update policies for older versions of macOS, as Microsoft does, rather than relying on its current hand-wavy release timing—macOS Mojave's last security update was back in July, for example, meaning that even though it was still officially-unofficially supported until Monterey was released in October, it missed out on a bunch of security patches released for Big Sur and Catalina in September. People shouldn't have to guess whether their software is still being updated.

As Apple leaves more and more Intel Macs behind, it should also consider extending those timelines, if only for Mac hardware that is literally incapable of upgrading to newer macOS releases (there is precedent for this, as iOS 12 continued to receive security updates for two years after being replaced, but only on hardware that couldn't upgrade to iOS 13 or newer). It's not reasonable to expect Apple to support old macOS versions in perpetuity, but perfectly functional Macs shouldn't be in a situation where they're two years (or less) from being totally unpatched if Apple decides to drop them from that year's support list.

Channel Ars Technica