A little over two weeks ago, on October 25, Apple released macOS Sonoma 14.1, which included security updates.
This week, on November 7, Apple released macOS Sonoma 14.1.1, a minor update with no listed security patches.
Oddly, both of these updates are apparently missing a patch for a critical vulnerability that made headlines one month ago. A popular command-line utility, curl, and its associated library, libcurl, had two newly discovered vulnerabilities. One of them (CVE-2023-38545) had a CVSS “9.8 CRITICAL” score out of a maximum 10. The curl project maintainers patched both vulnerabilities on October 11.
curl in macOS Sonoma 14.1.1 appears vulnerable
I verified by running the curl --version command that, indeed, macOS Sonoma 14.1.1 still appears to have a vulnerable version of curl:
% curl --version
curl 8.1.2 (x86_64-apple-darwin23.0) libcurl/8.1.2 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.55.1
Release-Date: 2023-05-30
The current version of curl is 8.4.0, but the version included with macOS Sonoma 14.1.1 is 8.1.2. That curl version is from May 30, 2023 (as noted in the “Release-Date:” portion of the command output above). In the five months since then, curl updates have included patches for a total of three vulnerabilities:
- CVE-2023-38039: (CVSS 3.1: 7.5 HIGH) HTTP headers eat all memory
- CVE-2023-38545: (CVSS 3.1: 9.8 CRITICAL) SOCKS5 heap buffer overflow
- CVE-2023-38546: (CVSS 3.1: 3.7 LOW) cookie injection with none file
Apple makes no mention of these vulnerabilities on its site. There is also no mention of curl in macOS Sonoma 14.1’s security release notes; meanwhile, Apple did not even issue security release notes for macOS Sonoma 14.1.1, instead stating that “This update has no published CVE entries.”
But that’s not the end of the story.
More outdated and vulnerable libraries in macOS Sonoma 14.1.1
If we take a closer look at the command output above, we can see curl’s dependencies. Aside from curl’s own libcurl, the app relies upon other open-source software: LibreSSL, zlib, and nghttp2.
None of those libraries is up to date. In fact, nearly all of them may be vulnerable, as I’ll detail below.
LibreSSL is outdated and vulnerable
The current version of LibreSSL is 3.8.2, released November 2, 2023. The version included with macOS Sonoma is 3.3.6, released March 15, 2022—nearly 20 months ago.
% openssl version
LibreSSL 3.3.6
According to NIST’s National Vulnerability Database, this version of LibreSSL contains at least four known vulnerabilities:
- CVE-2021-41581: (CVSS 3.1: 5.5 MEDIUM) stack-based buffer over-read
- CVE-2022-48437: (CVSS 3.1: 5.3 MEDIUM) continue upon detecting invalid certificate
- CVE-2021-46880: (CVSS 3.1: 9.8 CRITICAL) authentication bypass
- CVE-2023-35784: (CVSS 3.1: 9.8 CRITICAL) double free or use after free could occur
Apple makes no mention of these vulnerabilities on its site.
zlib is outdated and may be vulnerable
The current version of zlib is 1.3, released August 18. The version included with macOS Sonoma is 1.2.12, released March 27, 2022—again, nearly 20 months ago:
% python3 -c "import zlib; print(zlib.ZLIB_RUNTIME_VERSION)"
1.2.12
Since then, a zlib update included a patch for a critical “9.8 out of 10” severity vulnerability:
- CVE-2022-37434: (CVSS 3.1: 9.8 CRITICAL) bug when getting gzip header extra field
Interestingly, Apple says that it addressed this vulnerability “with improved checks” in the first release of macOS Ventura 13, a little over a year ago. If true, it’s strange that Apple would apparently leave the old version in place; newer versions contain other bug fixes, too, not just the security fix.
nghttp2 is outdated and vulnerable
The current version of nghttp2 is 1.58.0, released October 27, 2023. The version included with curl in macOS Sonoma 14.1.1 is 1.55.1, released July 14, 2023. Since then, an nghttp2 update included a patch for a “7.5 out of 10” high-severity vulnerability that has been actively exploited in the wild:
- CVE-2023-44487: (CVSS 3.1: 7.5 HIGH) request cancellation can reset many streams quickly
Apple makes no mention of this vulnerability on its site.
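The checks above (running curl --version and comparing each component against its upstream release) can be scripted so that an administrator can inventory a fleet of Macs the same way. The following is an added example, not code from the post or from Apple or the curl project: it parses the first line of curl --version, compares curl, LibreSSL, zlib and nghttp2 against the current upstream versions the post states, and reports the CVEs the post lists for any component that is behind. The sample output string is constructed to match the line quoted above; the thresholds and CVE lists are taken from the post and will need updating as upstream releases move on.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: the first line matches the `curl --version` output quoted in the
# post for macOS Sonoma 14.1.1; the remaining lines are typical of curl's output.
SAMPLE_CURL_VERSION = (
    "curl 8.1.2 (x86_64-apple-darwin23.0) libcurl/8.1.2 (SecureTransport) "
    "LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.55.1\n"
    "Release-Date: 2023-05-30\n"
    "Protocols: dict file ftp ftps http https\n"
)

# Upstream "current" releases as the post states them (November 2023), with the CVEs the
# post lists for each component. Versions below the threshold are reported with those CVEs.
UPSTREAM: Dict[str, Tuple[str, List[str]]] = {
    "curl": ("8.4.0", ["CVE-2023-38039", "CVE-2023-38545", "CVE-2023-38546"]),
    "LibreSSL": ("3.8.2", ["CVE-2021-41581", "CVE-2022-48437",
                           "CVE-2021-46880", "CVE-2023-35784"]),
    "zlib": ("1.3", ["CVE-2022-37434"]),
    "nghttp2": ("1.58.0", ["CVE-2023-44487"]),
}


def parse_curl_version(output: str) -> Dict[str, str]:
    """Map component name -> version string from the first line of `curl --version`.

    The first line has the form `curl X.Y.Z (triplet) libcurl/X.Y.Z (...) name/ver ...`.
    """
    first_line = output.splitlines()[0] if output else ""
    versions: Dict[str, str] = {}
    head = re.match(r"curl (\S+)", first_line)
    if head:
        versions["curl"] = head.group(1)
    # Every `name/version` token: libcurl, LibreSSL, zlib, nghttp2, ...
    for name, ver in re.findall(r"([A-Za-z][\w-]*)/(\d[\d.]*)", first_line):
        versions[name] = ver
    return versions


def version_tuple(v: str) -> Tuple[int, ...]:
    """Numeric components of a dotted version ("1.2.12" -> (1, 2, 12))."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_older(installed: str, current: str) -> bool:
    """True if `installed` sorts below `current`; short versions are zero-padded (1.3 == 1.3.0)."""
    a, b = version_tuple(installed), version_tuple(current)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(output: str) -> List[Dict[str, object]]:
    """Return one finding per component whose installed version is below the upstream release."""
    installed = parse_curl_version(output)
    findings: List[Dict[str, object]] = []
    for name, (current, cves) in UPSTREAM.items():
        have = installed.get(name)
        if have is not None and is_older(have, current):
            findings.append({"component": name, "installed": have,
                             "current": current, "cves": cves})
    return findings


def format_report(findings: List[Dict[str, object]]) -> str:
    """One line per outdated component, listing the CVEs the post attributes to it."""
    if not findings:
        return "All curl components are at or above the upstream releases listed."
    return "\n".join(
        f"{f['component']} {f['installed']} is below {f['current']}: " + ", ".join(f["cves"])
        for f in findings
    )


if __name__ == "__main__":
    try:
        text = subprocess.run(["curl", "--version"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_CURL_VERSION  # fall back to the constructed sample
    print(format_report(audit(text)))
```

Run on a Sonoma 14.1.1 machine, the report flags all four components. A version-string check is a screening step, not proof of exposure: as the zlib section notes, Apple states it addressed CVE-2022-37434 "with improved checks" in macOS Ventura 13 while leaving the version number at 1.2.12, so a flagged component may carry a backported fix that the version string does not reveal, and the vendor's security notes remain the place to confirm which CVEs were actually addressed.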
Why is Apple negligent in patching open-source software?
Notably, this isn’t the first time that Apple has neglected to patch open-source software quickly in its operating systems.
One well-documented public example of this was Apple’s inclusion of Python 2.7 with macOS for nearly two years after its final update. But Apple doesn’t always get media coverage for such occurrences. Rather, outdated open-source software in macOS often goes unnoticed, except amongst the handful of security researchers who pay close attention to such things.
We reached out to Apple for comment. Apple has not responded to our inquiry.
What can users do about this?
Unfortunately, when Apple chooses not to patch known vulnerabilities quickly, it leaves end users exposed.
There is little that Mac users can do—other than to put pressure on Apple by raising awareness of reports like this one.
How can I learn more?
We first discussed the missing curl patch on the October 12 episode of the Intego Mac Podcast.