Malwarebytes criticized Apple for an inconsistent patching process in a blog post published Tuesday, arguing the tech giant's behavior has already led to security consequences.
The post, written by Malwarebytes director of Mac and mobile Thomas Reed, centers on a watering hole campaign in Hong Kong against macOS users that targeted visitors to a pro-democracy political organization and a media outlet. The attacks were first reported by Google's Threat Analysis Group (TAG).
Two macOS vulnerabilities were used as a single exploit chain in the attacks; one was a remote code execution flaw in WebKit (CVE-2021-1789), while the other (CVE-2021-30869) was an XNU privilege escalation vulnerability. Reed said the Trojan used in the attacks has been in the wild since 2019 -- largely undetected.
Both vulnerabilities were patched in macOS Big Sur 11.2 on Feb. 1; Big Sur was the latest major macOS release at the time. For macOS Catalina and Mojave users, however, it was a different story.
On Catalina 10.15 and Mojave 10.14, CVE-2021-1789 would have been addressed if users had upgraded to Safari 14.0.3. However, CVE-2021-30869 wasn't fixed for Catalina until Sept. 23, months after Big Sur's patch.
"The same bug apparently existed in Catalina, which remained unpatched seven months after Apple released the patch for Big Sur, and more than five months after the details had been released at Zer0con," Reed wrote in the Malwarebytes post. "This allowed attackers to target individuals running Catalina and Safari 13 without detection."
According to Google, the number of exploit attempts using the chain was "in the 200s" by the time they obtained it.
Reed wrote that he found it "highly suspicious" that the Feb. 1 patching of CVE-2021-30869 was left out of the release notes and was "then added at the end at the same time the bug was fixed in Catalina."
"That would seem to suggest that it's something that Apple already knew should have been fixed, or very quickly identified as being the same as the Big Sur bug," he said.
Reed said that the late patching of Catalina illustrates "quite plainly" that "Apple can only be relied on to patch the absolute latest version of macOS, which is currently macOS Monterey (12). If you are using an older system, you do so at your own risk."
Apple did not respond to SearchSecurity's request for comment.
This is not the first time in recent months that Apple's security practices have come under fire. Last month, SearchSecurity spoke with a number of frustrated bug bounty researchers who criticized Apple, claiming poor communication and a failure to properly recognize researchers.
Alexander Culafi is a writer, journalist and podcaster based in Boston.