Hong Kong cyberattack reveals that Apple favors latest OS versions for security updates

Daniel Sims

Posts: 666   +27
Why it matters: As news of a cyberattack in Hong Kong circulated this week, its effectiveness revealed a discrepancy in how Apple pushes security updates for its different operating systems. It's not surprising that the latest OS versions get security patches first, but the immediately preceding versions, still in wide use, can face months-long delays for those same patches.

This week, Google researchers published a report detailing what they described as a watering hole hacking campaign originating in Hong Kong discovered in August. Hackers, whom Google thinks were state-backed, implanted malware in the websites of a Hong Kong pro-democracy group, which would install backdoors on visitors' devices.

The researchers discovered the macOS vulnerability the hackers targeted and reported it to Apple, but they couldn't completely profile it in iOS. Apple patched it on September 23 on macOS Catalina. However, security researcher Josh Long pointed out that Apple patched this same vulnerability in macOS Big Sur on February 1, over 200 days earlier. Big Sur is the version of macOS immediately following Catalina. Apple followed up Big Sur with Monterey, the latest version, last month.

In late October, Long also posted some charts on Twitter showing the times at which Apple released its security patches for each of the most recent versions of macOS, iPadOS, and iOS. They show Apple patching iOS 15, iPadOS 15, and macOS Monterey first, while earlier versions get patched later. Around that time, Long also wrote a piece on The Mac Security Blog criticizing this stepped process Apple seems to be taking to security patches.

Favoring the latest version of an operating system for updates is obvious, but everyone doesn't immediately upgrade to the latest OS as soon as it's released. Many users may be on older hardware that isn't compatible with the newest OS. Ideally, they should also get critical security updates as soon as possible, though, there may be differences in how vulnerabilities affect each OS version. There may be cases in which a vulnerability might need a different fix in one OS version versus the immediately preceding or succeeding one.

Permalink to story.



Posts: 1,305   +952
If you have an intel Imac - expect to wait longer if evah - no timeframe will be given or expected by the users


Posts: 1,264   +1,985
TechSpot Elite
Bragging about beating Android in the longevity of security patch support is grand at all… Unless there is an eight month+ gap between security patching of any OS that isn’t your latest release.

/golfclap Apple....

Squid Surprise

Posts: 5,335   +4,982
Woah... newsflash... a company patched their most recent OS before older ones?

Since when does this qualify as news?

Obviously the most resources would be devoted to the OS that is being pushed out to those who’ve purchased the newest stuff... I’d be pretty p1ssed off if I bought a shiny new iPhone 13 just to find out that the iPhone X got updates first...


Posts: 696   +922
Wow. Apple is trying to make Microsoft look good in comparison. It's sad that our big OS companies have almost no concern about quality these days, in spite of all their PR.

Uncle Al

Posts: 9,311   +8,487
And I can still clearly remember when Apple came up with their first upgrade for the desktop computer ... the boast from Apple was "completely safe, no worrys about viruses, completely secure" .... they threw down the gauntlet and the market (of users) responded ......


Posts: 2,026   +841
Sounds strategic on all sides. Could be a few payoffs here in there as well.

Whatever is the most used OS or has the most market share, should probably be patched first. Even a message to the users about the priority of patches could at least inform a decision. Could have been done better IMO.


Posts: 548   +345
Microsoft moves Windows 10 feature updates to an annual cycle
Promises to support at least one version of Windows 10 through mid-October 2025