He has made a habit of comparing the security content of different macOS patches and has found that there are many vulnerabilities that only get patched in the newest versions of macOS (and it looks like iOS 15 may be the same way, though iOS 14 is still being actively supported with security updates). Advertisementīut as Long points out on Twitter and on the Intego Mac Security Blog, that isn't always the case.
#Mac os mojave update install#
The normal supposition, and one that I factor in when making upgrade recommendations in our yearly macOS reviews, is that "supported" means "supported," and that you don't need to install a new OS and deal with new-OS bugs just to benefit from Apple's latest security fixes.
#Mac os mojave update mac os x#
This policy isn't spelled out anywhere, but the informal "N+2" software support timeline has been in place since the very early days of Mac OS X (as you can imagine, it felt much more generous when Apple went two or three years between macOS releases instead of one year). But for the benefit of people who don't want to install a new operating system on day one, or who can't install the new operating system because their Mac isn't on the supported hardware list, Apple provides security-only updates for older macOS versions for around two years after they're replaced.
Josh Long (the JoshMeister) November 11, 2021įor context: every year, Apple releases a new version of macOS. 🤯 randomly choosing which vulns you patch for 2 prior #macOS endangers customers. NOT mentioned: This was 🚨234 days‼️ after #Apple patched the same vuln for Big Sur. Mentioned in writeup ( ), this wasn’t patched for Catalina until Sept 23. That's a 234-day gap, despite the fact that Apple was and is still actively updating both versions of macOS. The problem, as noted by Intego chief security analyst Joshua Long, is that the exact same CVE was patched in macOS Big Sur version 11.2, released all the way back on February 1, 2021. Vulnerability is discovered in the wild, vulnerability is reported to the company that is responsible for the software, and vulnerability is patched, all in the space of about a month. On the surface, this incident is a relatively unremarkable example of security updates working as they ought to.
Both of those posts have more information on the implications of this exploit-it hasn't been confirmed, but it certainly appears to be yet another front in China's effort to crack down on civil liberties in Hong Kong-but for our purposes, let's focus on how Apple keeps its operating systems up to date, because that has even wider implications.
#Mac os mojave update update#
According to Google's Erye Hernandez, the vulnerability ( labeled CVE-2021-30869) was reported to Apple in late August of 2021 and patched in macOS Catalina security update 2021-006 on September 23.
News is making the rounds today, both via a write-up in Vice and a post from Google's Threat Analysis Group, of a privilege escalation bug in macOS Catalina that was being used by "a well-resourced" and "likely state-backed" group to target visitors to pro-democracy websites in Hong Kong.
0 kommentar(er)
