{"id":94870,"date":"2021-10-28T21:36:51","date_gmt":"2021-10-29T04:36:51","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=94870"},"modified":"2023-05-30T08:53:42","modified_gmt":"2023-05-30T15:53:42","slug":"apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/","title":{"rendered":"Apple&#8217;s Poor Patching Policies Potentially Make Users&#8217; Security and Privacy Precarious"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"aligncenter size-full wp-image-94528\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/09\/Pegasus-Spyware-on-iPhone-iOS-NSO-Group-RFernandezPhone-NRaymondPeg-600x300-1.jpg\" alt=\"NSO Group Pegasus Spyware on iPhone, iOS (phone by R. Fernandez, Pegasus by N. Raymond)\" width=\"600\" height=\"300\" \/><\/p>\n<p>Apple&#8217;s practices regarding security updates are frustrating and perplexing, to say the least\u2014and may endanger users.<\/p>\n<p>The company often delays patching vulnerabilities for many months after researchers report them.<\/p>\n<p>Apple frequently waits to disclose the fact that it patched a vulnerability for a month (or longer) before adding it to the list of issues resolved in a given update.<\/p>\n<p>The company almost never publicly states its policies about how long a given operating system will get security updates, or what types of security issues will continue to get patched.<\/p>\n<p>Apple also doesn&#8217;t explicitly state why it patches some vulnerabilities for some operating system versions but not others. 
Security-conscious users can only speculate:<\/p>\n<blockquote><p>\u201cPerhaps this vulnerability just didn&#8217;t affect that version of the OS?\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cMaybe Apple didn&#8217;t feel the need to mention that a new OS was inherently safe and didn&#8217;t need a patch?\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cCould it be that Apple actually did patch that vulnerability, but simply forgot to mention it?\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cOr did Apple patch that vulnerability and intentionally not mention it for some reason?\u201d<\/p><\/blockquote>\n<p>Apple&#8217;s lack of transparency can be particularly problematic in certain situations. I&#8217;ll get back to that shortly.<\/p>\n<h3>Confirmed: You need the latest macOS version<\/h3>\n<p>Last month, <a href=\"https:\/\/www.intego.com\/mac-security-blog\/integos-josh-long-speaking-at-obts-v4-0-mac-security-conference\/\" target=\"_blank\" rel=\"noopener\">I spoke at Objective by the Sea v4.0<\/a>, an Apple-focused security conference, about this very subject. Specifically, I focused on whether the two previous versions of macOS get the same treatment as the current macOS version when it comes to security updates.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/o5KUvgXHOFU?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation\"><\/iframe><\/span><\/p>\n<p>I recommend watching the full talk if you have 30 minutes. 
You should also sign up to be notified when our <a href=\"https:\/\/intego.ac-page.com\/whitepaper\" target=\"_blank\" rel=\"noopener\">upcoming white paper<\/a> gets published, which documents my intriguing discoveries in much greater detail.<\/p>\n<p>But the executive summary is this: being on the very latest version of macOS is mandatory to stay safe from every &#8220;actively exploited&#8221; (i.e. in the wild) vulnerability. Those are generally among the most problematic security issues, because bad guys are already using them against their targets.<\/p>\n<div id=\"attachment_94874\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-94874\" loading=\"lazy\" class=\"size-full wp-image-94874\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/Big-Sur-era-actively-exploited-vulnerabilities-via-Josh-Long-OBTS-slides.jpg\" alt=\"\" width=\"600\" height=\"353\" \/><p id=\"caption-attachment-94874\" class=\"wp-caption-text\">Of the 15 Big Sur-era &#8220;actively exploited&#8221; vulnerabilities, only Big Sur received all 15.<\/p><\/div>\n<p>As mentioned in the talk and detailed in the upcoming white paper, <strong>macOS Mojave is\u2014and presumably always will be\u2014vulnerable to the &#8220;FORCEDENTRY&#8221; bug that has been actively exploited by the <a href=\"https:\/\/www.intego.com\/mac-security-blog\/topic\/pegasus\" target=\"_blank\" rel=\"noopener\">Pegasus spyware<\/a>.<\/strong> There are other vulnerabilities that presumably affect macOS Mojave\u2014and some, for now at least, that affect macOS Big Sur and Catalina\u2014but remain unpatched.<\/p>\n<p>You&#8217;d never know these facts based solely on Apple&#8217;s actions or statements. Most users assume that when they install security updates, Apple has fixed every known vulnerability, and their Mac is perfectly safe. 
But in reality, <strong>unless you&#8217;re running the very latest major version of macOS (now macOS Monterey), Apple&#8217;s updates provide only selective fixes along with a false sense of security.<\/strong><\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Quick update: <a href=\"https:\/\/twitter.com\/hashtag\/Safari?src=hash&amp;ref_src=twsrc%5Etfw\">#Safari<\/a> 15.1 was released for Big Sur &amp; Catalina yesterday, &amp; its release notes indicate that 5 of the 7 <a href=\"https:\/\/twitter.com\/hashtag\/WebKit?src=hash&amp;ref_src=twsrc%5Etfw\">#WebKit<\/a> vulnerabilities were fixed. Two appear to remain unpatched for 11.x and 10.15.x: CVEs 2021-30823 (Gullasch <a href=\"https:\/\/twitter.com\/0x41414141?ref_src=twsrc%5Etfw\">@0x41414141<\/a>) &amp; 2021-30861 (<a href=\"https:\/\/twitter.com\/_r3ggi?ref_src=twsrc%5Etfw\">@_r3ggi<\/a> &amp; Pickren).<\/p>\n<p>&mdash; Josh Long (the\u00a0JoshMeister) (@theJoshMeister) <a href=\"https:\/\/twitter.com\/theJoshMeister\/status\/1453841355176693760?ref_src=twsrc%5Etfw\">October 28, 2021<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The release of macOS Monterey this week unfortunately hasn&#8217;t brought about any improvements.<\/p>\n<h3>Are iOS and iPadOS similarly impacted?<\/h3>\n<p>Too little time has elapsed since Apple released iOS (and iPadOS) 15 to determine how similar the situation will be for iOS vulnerabilities. Before iOS 15&#8217;s September release, Apple only fully supported iOS 14, with occasional sparse updates for iOS 12. So far, it appears we can expect to see much of the same with iOS as with macOS.<\/p>\n<p>Today, Apple fully supports iOS 15, and also &#8220;important security updates&#8221; for iOS 14 by <a href=\"https:\/\/support.apple.com\/en-us\/HT204204\" target=\"_blank\" rel=\"noopener\">publicly stated policy<\/a>. 
The company seems to still occasionally release security updates for iOS 12, apparently limited to &#8220;actively exploited&#8221; vulnerabilities. (Apple has never actually made a public statement about its continued limited support of iOS 12.)<\/p>\n<p>It seems a bit strange that Apple has chosen to continue supporting iOS 14, intentionally fragmenting its installed base. Android has received criticism about its OS fragmentation for years, so this seems like an odd decision for Apple. Because iOS 15 supports exactly the same hardware as iOS 14, no one would have had to miss out on security updates if Apple had stopped supporting iOS 14. All iOS 14 users could have simply updated to iOS 15 to continue getting security updates.<\/p>\n<h4><strong>But now, as with macOS, there seems to be some disparity between what gets patched for iOS 15 versus iOS 14.<\/strong><\/h4>\n<p>Most notably, the iOS 15 (and 15.0.1, 15.0.2, and 15.1) release notes don&#8217;t mention two &#8220;actively exploited&#8221; vulnerabilities patched in iOS 14.8. One of those is CVE-2021-30860, aka FORCEDENTRY\u2014a vulnerability that the <a href=\"https:\/\/www.intego.com\/mac-security-blog\/topic\/pegasus\">Pegasus spyware<\/a> exploited.<\/p>\n<p>Apple never stated whether or not iOS 15.x fixes the vulnerability. Other vulnerabilities are listed in both iOS 14.8&#8217;s and iOS 15&#8217;s release notes, but the two &#8220;actively exploited&#8221; ones are only mentioned in iOS 14.8&#8217;s notes. Once again, this leaves the issue open to speculation.<\/p>\n<p>Apple has not responded to multiple requests for comment about this issue.<\/p>\n<p>I have reached out to other researchers in the community who are familiar with the FORCEDENTRY vulnerability. 
If anyone confirms whether or not iOS 15.1 is still vulnerable, I will update this article with their findings.<\/p>\n<p><strong>Update:<\/strong> Researchers <a href=\"https:\/\/objective-see.com\/blog\/blog_0x67.html\" target=\"_blank\" rel=\"noopener nofollow\">Tom McGuire<\/a> and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html\" target=\"_blank\" rel=\"noopener nofollow\">Mickey Jin<\/a> both confirmed to me that the public (non-beta) releases of <strong>iOS 15.0 and later are not affected<\/strong> by the FORCEDENTRY vulnerability. (Jin and McGuire have also both confirmed that <strong>macOS Mojave remains affected<\/strong>.) It is mystifying that Apple would list 14 other vulnerabilities simultaneously in both iOS 14.8&#8217;s and iOS 15&#8217;s release notes, while a vulnerability that was fixed in both operating systems <em>and was &#8220;actively exploited&#8221;<\/em> was not listed in iOS 15&#8217;s release notes.<\/p>\n<div id=\"attachment_94903\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img aria-describedby=\"caption-attachment-94903\" loading=\"lazy\" class=\"size-full wp-image-94903\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/10\/iOS-14.8-patches-addressed-in-iOS-15-updated-20211028.jpg\" alt=\"\" width=\"600\" height=\"643\" \/><p id=\"caption-attachment-94903\" class=\"wp-caption-text\">A list of iOS 14.8 patches. Apple&#8217;s release notes seemed to indicate that 14 of the 20 were also addressed in iOS 15. A 15th has been confirmed. But what about the remaining five?<\/p><\/div>\n<p>We still don&#8217;t know (and may never know) whether the anonymously reported, &#8220;actively exploited&#8221; CVE-2021-30858 WebKit vulnerability affects iOS 15. 
But one thing we can fairly confidently infer from Apple&#8217;s documentation is that iOS 15 is getting more patches than iOS 14 and iOS 12.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Here\u2019s a ridiculously tall chart showing everything <a href=\"https:\/\/twitter.com\/hashtag\/Apple?src=hash&amp;ref_src=twsrc%5Etfw\">#Apple<\/a>\u2019s said (so far) has been patched in <a href=\"https:\/\/twitter.com\/hashtag\/iOS?src=hash&amp;ref_src=twsrc%5Etfw\">#iOS<\/a>\/iPadOS since 14.8\u2019s release, for 15.x, 14.x, and 12.x. Seems evident that <a href=\"https:\/\/twitter.com\/hashtag\/iOS15?src=hash&amp;ref_src=twsrc%5Etfw\">#iOS15<\/a>, like <a href=\"https:\/\/twitter.com\/hashtag\/macOSMonterey?src=hash&amp;ref_src=twsrc%5Etfw\">#macOSMonterey<\/a>, is getting the most patches and is a safer choice than its predecessors. <a href=\"https:\/\/t.co\/VbeC3gGkCi\">pic.twitter.com\/VbeC3gGkCi<\/a><\/p>\n<p>&mdash; Josh Long (the\u00a0JoshMeister) (@theJoshMeister) <a href=\"https:\/\/twitter.com\/theJoshMeister\/status\/1454023794578706433?ref_src=twsrc%5Etfw\">October 29, 2021<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>What Apple can and should be doing better<\/h3>\n<p>It shouldn&#8217;t have to be this way. The public shouldn&#8217;t be left to wonder which Apple operating systems are actually safe to use and which ones have, shall we say, lackadaisical security.<\/p>\n<p>Following are several things that Apple can and should be doing better.<\/p>\n<h4><strong>1. Apple needs to be transparent about which issues it hasn&#8217;t and won&#8217;t fix, and why.<\/strong><\/h4>\n<p>People outside of Apple shouldn&#8217;t have to figure out what has been patched or not. Apple itself should clearly state the reasons for the lack of parity between OS patches. 
Nobody should ever be left wondering why certain vulnerabilities evidently aren&#8217;t patched for certain operating systems.<\/p>\n<p>Similarly, Apple should never give anyone a false sense of security. When older OS versions only get some patches and not others, Apple needs to make this extremely clear. This will encourage users to upgrade to the latest (and fully supported) major OS, which is generally a good thing for both Apple and users.<\/p>\n<h4><strong>2. Apple needs to state its security update and OS support policies publicly and clearly.<\/strong><\/h4>\n<p>Microsoft actually does a great job at this; its products have a clearly defined date on which they will no longer receive security updates. Apple could learn a thing or two from Microsoft in this regard.<\/p>\n<h4><strong>3. Apple needs to respond to researchers and journalists within 24 hours about security issues.<\/strong><\/h4>\n<p>The company should have a policy to respond within one business day (or less) to security reports and media inquiries. Apple should never leave security researchers or journalists feeling ignored.<\/p>\n<p>If the lack of quick responses is due to staffing issues, Apple should spend some of its <a href=\"https:\/\/www.thestreet.com\/apple\/news\/live-blog-follow-apples-fiscal-q4-earnings-in-real-time\" target=\"_blank\" rel=\"noopener\">billions of dollars in cash on hand<\/a> to hire more people.<\/p>\n<h4><strong>4. Apple needs to resolve security issues within 90 days.<\/strong><\/h4>\n<p>Resolution within 90 days is the industry standard. Google Project Zero and other groups give companies 90 days to patch before disclosing security issues to the public. When researchers work directly with Apple, they sometimes find that Apple takes much longer than this to patch a vulnerability.<\/p>\n<p>Again, if the lack of quick patching is due to staffing issues, Apple can afford to hire more people.<\/p>\n<h4><strong>5. 
Apple needs to improve its bug bounty program.<\/strong><\/h4>\n<p>There is room for improvement in terms of both the scope (the types of issues for which Apple will pay bounties) and the payout amounts of Apple&#8217;s <a href=\"https:\/\/developer.apple.com\/security-bounty\/\" target=\"_blank\" rel=\"noopener\">bug bounty program<\/a>. Many researchers who have responsibly disclosed valuable security vulnerabilities directly to Apple have found the process and the results frustrating.<\/p>\n<p>Apple should be rewarding responsible security researchers much better than it currently does. There are many better bug bounty programs than Apple&#8217;s. The company needs to get feedback from researchers and bug bounty program experts and then implement improvements.<\/p>\n<h3>How can I learn more?<\/h3>\n<p>For more discussion of Apple&#8217;s patching disparities, <a href=\"https:\/\/www.intego.com\/mac-security-blog\/integos-josh-long-speaking-at-obts-v4-0-mac-security-conference\/\">watch my 30-minute conference talk<\/a>, sign up to <a href=\"https:\/\/intego.ac-page.com\/whitepaper\" target=\"_blank\" rel=\"noopener\">get notified about the upcoming white paper<\/a>, and follow our weekly <a href=\"https:\/\/podcast.intego.com\/\" target=\"_blank\" rel=\"noopener\">Intego Mac Podcast<\/a> where we&#8217;ve been discussing this topic in recent weeks.<\/p>\n<p>Each week on the podcast, we discuss the latest Apple news, security and privacy stories, and more. 
Be sure to <a href=\"https:\/\/podcasts.apple.com\/us\/podcast\/intego-mac-podcast\/id1293834627\" rel=\"noopener\"><strong>follow the podcast<\/strong><\/a> in Apple Podcasts (or <a href=\"https:\/\/podcast.intego.com\/\">wherever else you listen<\/a>) to make sure you don\u2019t miss any episodes.<\/p>\n<p>You can also subscribe to our <a href=\"https:\/\/www.intego.com\/mac-security-blog\/mac-security-newsletter\/\"><strong>e-mail newsletter<\/strong><\/a> and keep an eye here on <a href=\"https:\/\/www.intego.com\/mac-security-blog\"><strong>The Mac Security Blog<\/strong><\/a> for the latest Apple security and privacy news.<\/p>\n<p><span style=\"font-size: x-small;\">Image credits: iPhone by <a
href=\"https:\/\/commons.wikimedia.org\/wiki\/File:IPhone_X_vector.svg\" target=\"_blank\" rel=\"noopener\">Rafael Fernandez<\/a> (<a href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/deed.en\" target=\"_blank\" rel=\"noopener\">CC BY-SA 4.0<\/a>); Pegasus by <a href=\"https:\/\/www.flickr.com\/photos\/80497449@N04\/8679257947\" target=\"_blank\" rel=\"noopener\">Nicolas Raymond<\/a> (<a href=\"https:\/\/creativecommons.org\/licenses\/by\/2.0\/\" target=\"_blank\" rel=\"noopener\">CC BY 2.0<\/a>); composition by Joshua Long, Intego (CC BY-SA 4.0).\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apple&#8217;s practices regarding security updates are frustrating and perplexing, and may endanger users.<\/p>\n","protected":false},"author":14,"featured_media":94527,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[151,13],"tags":[4627,4618,3070],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"Apple&#039;s practices regarding security updates are frustrating and perplexing, and may endanger users.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Apple&#039;s Poor Patching Policies Potentially Make Users&#039; Security and Privacy Precarious - The Mac Security Blog\" \/>\n<meta property=\"og:description\" content=\"Apple&#039;s practices regarding security updates are frustrating and perplexing, and may 
endanger users.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/JoshLong\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-29T04:36:51+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-30T15:53:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/09\/Pegasus-Spyware-on-iPhone-iOS-NSO-Group-RFernandezPhone-NRaymondPeg-400x260-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"400\" \/>\n\t<meta property=\"og:image:height\" content=\"260\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@theJoshMeister\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Joshua Long\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/09\/Pegasus-Spyware-on-iPhone-iOS-NSO-Group-RFernandezPhone-NRaymondPeg-400x260-1.jpg\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/09\/Pegasus-Spyware-on-iPhone-iOS-NSO-Group-RFernandezPhone-NRaymondPeg-400x260-1.jpg\",\"width\":400,\"height\":260,\"caption\":\"NSO Group Pegasus Spyware on iPhone, iOS (phone by R. Fernandez, Pegasus by N. Raymond)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/\",\"name\":\"Apple's Poor Patching Policies Potentially Make Users' Security and Privacy Precarious - The Mac Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#primaryimage\"},\"datePublished\":\"2021-10-29T04:36:51+00:00\",\"dateModified\":\"2023-05-30T15:53:42+00:00\",\"description\":\"Apple's practices regarding security updates are frustrating and perplexing, and may endanger 
users.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Apple&#8217;s Poor Patching Policies Potentially Make Users&#8217; Security and Privacy Precarious\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\"},\"headline\":\"Apple&#8217;s Poor Patching Policies Potentially Make Users&#8217; Security and Privacy 
Precarious\",\"datePublished\":\"2021-10-29T04:36:51+00:00\",\"dateModified\":\"2023-05-30T15:53:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#webpage\"},\"wordCount\":1599,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/09\/Pegasus-Spyware-on-iPhone-iOS-NSO-Group-RFernandezPhone-NRaymondPeg-400x260-1.jpg\",\"keywords\":[\"iOS 15\",\"macOS Monterey\",\"Pegasus\"],\"articleSection\":[\"Recommended\",\"Security &amp; Privacy\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1\",\"name\":\"Joshua Long\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g\",\"caption\":\"Joshua Long\"},\"description\":\"Joshua Long (@theJoshMeister), formerly Intego\\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. 
Apple has publicly acknowledged Josh for discovering an Apple\\u00a0ID authentication vulnerability. Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \\u2014\",\"sameAs\":[\"https:\/\/security.thejoshmeister.com\",\"https:\/\/www.facebook.com\/JoshLong\",\"https:\/\/www.instagram.com\/thejoshmeister\/\",\"https:\/\/www.linkedin.com\/in\/thejoshmeister\",\"https:\/\/www.pinterest.com\/thejoshmeister\/\",\"https:\/\/twitter.com\/theJoshMeister\",\"https:\/\/www.youtube.com\/@theJoshMeister\"],\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}
Precarious","datePublished":"2021-10-29T04:36:51+00:00","dateModified":"2023-05-30T15:53:42+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#webpage"},"wordCount":1599,"commentCount":0,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/09\/Pegasus-Spyware-on-iPhone-iOS-NSO-Group-RFernandezPhone-NRaymondPeg-400x260-1.jpg","keywords":["iOS 15","macOS Monterey","Pegasus"],"articleSection":["Recommended","Security &amp; Privacy"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/apples-poor-patching-policies-potentially-make-users-security-and-privacy-precarious\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/dcf592275ba6edde8d20f1e60029c6b1","name":"Joshua Long","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5ad29f4111ce14911abaa98cbbcdea42?s=96&d=mm&r=g","caption":"Joshua Long"},"description":"Joshua Long (@theJoshMeister), formerly Intego\u2019s Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master\u2019s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple\u00a0ID authentication vulnerability. 
Josh has conducted cybersecurity research for well over 25 years, which is often featured by major news outlets worldwide. Keep up with Josh via X\/Twitter, LinkedIn, Facebook, Instagram, YouTube, Patreon, Mastodon, the JoshMeister on Security, and more. \u2014","sameAs":["https:\/\/security.thejoshmeister.com","https:\/\/www.facebook.com\/JoshLong","https:\/\/www.instagram.com\/thejoshmeister\/","https:\/\/www.linkedin.com\/in\/thejoshmeister","https:\/\/www.pinterest.com\/thejoshmeister\/","https:\/\/twitter.com\/theJoshMeister","https:\/\/www.youtube.com\/@theJoshMeister"],"url":"https:\/\/www.intego.com\/mac-security-blog\/author\/joshlong\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/09\/Pegasus-Spyware-on-iPhone-iOS-NSO-Group-RFernandezPhone-NRaymondPeg-400x260-1.jpg","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-oGa","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/94870"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=94870"}],"version-history":[{"count":30,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/94870\/revisions"}],"predecessor-version":[{"id":98097,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/94870\/revisions\/98097"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/94527"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog
\/wp-json\/wp\/v2\/media?parent=94870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=94870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=94870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}