Apple neglects to patch multiple critical vulnerabilities in macOS
Posted on
by
Joshua Long
On October 25, 2023, Apple released macOS Sonoma 14.1, which included security updates.
About two weeks later, on November 7, Apple released macOS Sonoma 14.1.1, a minor update with no listed security patches.
Oddly, both of these updates were apparently missing a patch for a critical vulnerability that made headlines one month ago. A popular command-line utility, curl, and its associated library, libcurl, had two newly discovered vulnerabilities. One of them (CVE-2023-38545) had a CVSS “9.8 CRITICAL” score out of a maximum 10. The curl project maintainers patched both vulnerabilities on October 11.
Upon further investigation, we found that macOS Sonoma appears to contain several other vulnerabilities. In this article, we’ll take a look at several known vulnerabilities that apparently remain unpatched in the latest version, macOS Sonoma 14.4.
Update: Apple still has not addressed the critical LibreSSL vulnerabilities as of macOS Sonoma 14.4. We originally published this article on November 10, after Apple released macOS Sonoma 14.1.1. On December 14, we updated this article to note that Apple silently included curl 8.4.0 in the macOS Sonoma 14.2 update, and to note that the rest of the vulnerabilities apparently remain unpatched. On January 26, we updated this article again to note that macOS Sonoma 14.3 finally includes a version of nghttp2 that patches the known vulnerability. And on March 8, we noted that macOS Sonoma 14.4 still hasn’t patched LibreSSL.
In this article:
- curl in macOS Sonoma 14.1.1 was vulnerable (patched in 14.2)
- More outdated and vulnerable libraries in macOS Sonoma 14.4
- Why is Apple negligent in patching open-source software?
- What can users do about this?
- How can I learn more?
curl in macOS Sonoma 14.1.1 was vulnerable (patched in 14.2)
I verified by running the curl --version command that, indeed, macOS Sonoma 14.1.1 still appears to have a vulnerable version of curl:
% curl --version curl 8.1.2 (x86_64-apple-darwin23.0) libcurl/8.1.2 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.55.1 Release-Date: 2023-05-30
The current version of curl is 8.4.0, but the version included with macOS Sonoma 14.1.1 is 8.1.2. That curl version is from May 30, 2023 (as noted in the “Release-Date:” portion of the command output above). In the six months since then, curl updates have included patches for a total of three vulnerabilities with CVEs:
- CVE-2023-38039: (CVSS 3.1: 7.5 HIGH) HTTP headers eat all memory
- CVE-2023-38545: (CVSS 3.1: 9.8 CRITICAL) SOCKS5 heap buffer overflow
- CVE-2023-38546: (CVSS 3.1: 3.7 LOW) cookie injection with none file
Apple makes no mention of these vulnerabilities on its site. There is also no mention of curl in macOS Sonoma 14.1’s security release notes; meanwhile, Apple did not even issue security release notes for macOS Sonoma 14.1.1, instead stating that “This update has no published CVE entries.”
Update: Apple silently addressed the curl vulnerabilities in macOS Sonoma 14.2. Specifically, Apple now includes curl 8.4.0 with the OS as of the December 11 update. (For some reason, Apple didn’t upgrade to curl 8.5.0, released on December 6. Version 8.5.0 does not address any CVEs, but includes several SSL-related patches.) Apple did not mention its move to curl 8.4.0 anywhere on its site. Likewise, Apple did not mention the CVEs in the update’s security release notes.
But that’s not the end of the story.
More outdated and vulnerable libraries in macOS Sonoma 14.4
If we take a closer look at the command output above, we can see curl’s dependencies. Aside from curl’s own libcurl, the app relies upon other open-source software: LibreSSL, zlib, and nghttp2.
None of those libraries is up to date. In fact, nearly all of them may be vulnerable, as I’ll detail below.
LibreSSL remains outdated and vulnerable
The current version of LibreSSL is 3.8.2, released November 2, 2023. The version included with macOS Sonoma is 3.3.6, released March 15, 2022—about two years ago.
% openssl version LibreSSL 3.3.6
According to NIST’s National Vulnerability Database, this version of LibreSSL contains at least four known vulnerabilities:
- CVE-2021-41581: (CVSS 3.1: 5.5 MEDIUM) stack-based buffer over-read
- CVE-2022-48437: (CVSS 3.1: 5.3 MEDIUM) continue upon detecting invalid certificate
- CVE-2021-46880: (CVSS 3.1: 9.8 CRITICAL) authentication bypass
- CVE-2023-35784: (CVSS 3.1: 9.8 CRITICAL) double free or use after free could occur
Apple makes no mention of these vulnerabilities on its site.
zlib remains outdated and may be vulnerable
The current version of zlib is 1.3, released August 18. The zlib version included with macOS Sonoma is 1.2.12, released March 27, 2022—again, about two years ago:
% python3 -c "import zlib; print(zlib.ZLIB_RUNTIME_VERSION)" 1.2.12
Since then, a zlib update included a patch for a critical “9.8 out of 10” severity vulnerability:
- CVE-2022-37434: (CVSS 3.1: 9.8 CRITICAL) bug when getting gzip header extra field
Interestingly, Apple says that it addressed this vulnerability “with improved checks” in the first release of macOS Ventura 13, a little over a year ago. If true, it’s strange that Apple would apparently leave the old version in place; newer versions contain other bug fixes, too, not just the security fix.
nghttp2 was outdated and vulnerable (patched in 14.3)
The current version of nghttp2 is 1.59.0, released January 21, 2024. The version included with curl in macOS Sonoma 14.2 is 1.55.1, released July 14, 2023. Since then, an nghttp2 update patched a “7.5 out of 10” high-severity vulnerability that has been actively exploited in the wild:
- CVE-2023-44487: (CVSS 3.1: 7.5 HIGH) request cancellation can reset many streams quickly
Apple makes no mention of this vulnerability on its site.
Update: Apple silently addressed the nghttp2 vulnerability in macOS Sonoma 14.3 on January 22, 2024, by upgrading to 1.58.0. Although it’s not actually the latest version, it does at least fix the known vulnerability. Apple did not mention its move to nghttp2 1.58.0 anywhere on its site. Likewise, Apple did not mention the CVE in the update’s security release notes.
Why is Apple negligent in patching open-source software?
Notably, this isn’t the first time that Apple has neglected to patch open-source software quickly in its operating systems.
One well-documented public example of this was Apple’s inclusion of Python 2.7 with macOS for nearly two years after its final update. But Apple doesn’t always get media coverage for such occurrences. Rather, outdated open-source software in macOS often goes unnoticed, except amongst the handful of security researchers who pay close attention to such things.
We reached out to Apple for comment. Apple has not responded to our inquiry.
What can users do about this?
Unfortunately, when Apple chooses not to patch known vulnerabilities quickly, it leaves end users exposed.
Although there is little that Mac users can do, there is one important thing. You can help put pressure on Apple by raising awareness of reports like this one.
We encourage responsible media outlets to report on issues of public concern like this, to encourage Apple to not take a lax approach to security issues.
How can I learn more?
We first discussed the missing curl patch on the October 12 episode of the Intego Mac Podcast:
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: 
