Security Updates

[mac_in_tosh]

I've heard that while Apple provides security updates to an OS it is still supporting, e.g. Big Sur, there are some known vulnerabilities that are only addressed in the latest OS, e.g. Monterey. What kind of vulnerabilities are these? Something one would encounter in typical use of Mac OS?

 

[bogdanw]

Unfortunately, some are quite serious. My old post #17

From 31 March 2022 to 16 May 2022, Big Sur users, like myself, were left with an “actively exploited” vulnerability.
CVE-2022-22675 fixed in iOS 15.4.1 and iPadOS 15.4.1 https://support.apple.com/kb/HT213219 and Monterey 12.3.1 https://support.apple.com/kb/HT213220

The Mac Security Blog - Apple Neglects to Patch Two Zero-Day, Wild Vulnerabilities for macOS Big Sur, Catalina
https://www.intego.com/mac-security...d-vulnerabilities-for-macos-big-sur-catalina/

 

[mac_in_tosh]

Unfortunately, some are quite serious. My old post #17

In non-technical terms if possible, how would these vulnerabilities impact an average user?

 

[Madhatter32]

Unfortunately, some are quite serious. My old post #17

The Mac Security Blog - Apple Neglects to Patch Two Zero-Day, Wild Vulnerabilities for macOS Big Sur, Catalina
https://www.intego.com/mac-security...d-vulnerabilities-for-macos-big-sur-catalina/

Apple not supporting a two year old OS is beyond neglect -- it's negligence. If something bad were to happen, I think Apple opens itself up to significant liability -- especially since Apple touts itself as being the most secure OS. But, given the small probablities, Apple again chooses not to do the right thing, which is to protect its customer base, in order to save a few dollars.

 

[chrfr]

In non-technical terms if possible, how would these vulnerabilities impact an average user?

There's no one answer to this because this isn't a one-time thing that Apple did with these particular updates. Apple did eventually patch the vulnerabilities covered in the linked article, at least.

 

[bogdanw]

In non-technical terms if possible, how would these vulnerabilities impact an average user?

I’ll try to be the devil’s advocate and justify Apple’s decision.
The vast majority of attacks against Apple users fall into two categories: targeted attacks and opportunistic ones.

Due to Apple's claims of security, its products are used by people who look for protection because they are targeted, like journalists, executives, diplomats and others. If you are targeted, you will be hacked. Jeff Bezos was hacked by opening a video file on his iPhone. https://en.wikipedia.org/wiki/Jeff_Bezos_phone_hacking_incident

The second category of attacks are the ones that use known vulnerabilities or social engineering to install mostly adware on regular users. Mac users still install fake Adobe Flash Players and Apple is usually slow to react and can’t do much about it.
OSX/Adload: Mac Malware Apple Missed for Many Months https://www.intego.com/mac-security-blog/osx-adload-mac-malware-apple-missed-for-many-months/
“Shlayer Trojan attacks one in ten macOS users” https://securelist.com/shlayer-for-macos/95724/
IT threat evolution in Q1 2022. Non-mobile statistics https://securelist.com/it-threat-evolution-in-q1-2022-non-mobile-statistics/106531/
Malware authors bypassing XProtect with two spaces in the script

The first category of attacks usually targets users with the most updated version of macOS/iOS. The second one is just fishing for anyone in order to make a few dollars (ransomware attacks on macOS are not in the top 20, as per Attacks on macOS in Q1 2022 above).

So, were Big Sur users vulnerable because Apple did not provide the necessary updates? Most certainly were.
But Apple probably considered the risk low because they were most likely not in the first category and the second category of bad people usually doesn’t bother to adapt their malware/adware with the latest vulnerability, if the old ones still work.

A presentation about Apple’s approach to macOS updates and upgrades: Joshua Long, Chief Security Analyst at Intego, "n-1 and n-2: Should we really trust in you?"