Why it matters: As news of a cyberattack in Hong Kong circulated this week, its effectiveness revealed a discrepancy in how Apple pushes security updates for its different operating systems. It's not surprising that the latest OS versions get security patches first, but the immediately preceding versions, still in wide use, can face months-long delays for those same patches.
This week, Google researchers published a report detailing what they described as a watering hole hacking campaign originating in Hong Kong discovered in August. Hackers, whom Google thinks were state-backed, implanted malware in the websites of a Hong Kong pro-democracy group, which would install backdoors on visitors' devices.
The researchers discovered the macOS vulnerability the hackers targeted and reported it to Apple, but they couldn't completely profile it in iOS. Apple patched it on September 23 on macOS Catalina. However, security researcher Josh Long pointed out that Apple patched this same vulnerability in macOS Big Sur on February 1, over 200 days earlier. Big Sur is the version of macOS immediately following Catalina. Apple followed up Big Sur with Monterey, the latest version, last month.
Mentioned in @eryeh's writeup (https://t.co/ybglJnVwmi), this wasn't patched for Catalina until Sept 23. NOT mentioned: This was 🚨234 days‼️ after #Apple patched the same vuln for Big Sur. 🤯 @Apple, randomly choosing which vulns you patch for 2 prior #macOS endangers customers. https://t.co/rSA1hqewRa
--- Josh Long (the JoshMeister) (@theJoshMeister) November 11, 2021
In late October, Long also posted some charts on Twitter showing the times at which Apple released its security patches for each of the most recent versions of macOS, iPadOS, and iOS. They show Apple patching iOS 15, iPadOS 15, and macOS Monterey first, while earlier versions get patched later. Around that time, Long also wrote a piece on The Mac Security Blog criticizing this stepped process Apple seems to be taking to security patches.
Favoring the latest version of an operating system for updates is obvious, but everyone doesn't immediately upgrade to the latest OS as soon as it's released. Many users may be on older hardware that isn't compatible with the newest OS. Ideally, they should also get critical security updates as soon as possible, though, there may be differences in how vulnerabilities affect each OS version. There may be cases in which a vulnerability might need a different fix in one OS version versus the immediately preceding or succeeding one.