
Apple still leaving critical vulnerabilities unpatched in macOS Sonoma


As we first noted in November 2023, macOS Sonoma contains some very outdated open-source software components. (Free/libre open-source software is commonly abbreviated as FOSS or FLOSS.) This outdated software puts Mac users at serious risk. We’ve reached out to Apple multiple times about this, and Apple still hasn’t responded. Here’s what we know.

How did Intego notice these outdated components?

In October 2023, there was a lot of buzz about CVE-2023-38545, a critical vulnerability in the open-source software curl. When checking which version was included with the latest macOS Sonoma update, we discovered that curl was indeed outdated. But it wasn’t just a single version behind; curl was actually six months out of date, and was missing other security patches as well.

The Terminal command to find out curl’s version also revealed something even worse: several of curl’s dependencies (other open-source software upon which curl relies) were also severely outdated. The most serious of these was LibreSSL, which is now nearly 27 months out of date.

A couple of components have been silently updated to newer versions since then. For example, in macOS Sonoma 14.5, without any mention in Apple’s official security release notes for the OS update, Apple upgraded curl from 8.4.0 to 8.6.0, and nghttp2 from 1.58.0 to 1.61.0. Oddly, curl 8.6.0 was, at the time, nearly two months behind on patches; it’s unclear why Apple chose not to upgrade to the latest available at the time, which was 8.7.1, given that 8.6.0 had known vulnerabilities.

Which vulnerable components does the current macOS Sonoma release include?

Intego is aware of at least the following vulnerabilities in macOS Sonoma 14.5, the latest version:

  • LibreSSL 3.3.6 is more than 2 years old and contains at least 4 known vulnerabilities, including two rated 9.8 CRITICAL on the CVSS scale; the latest stable release is 3.9.2, released on May 12, 2024.
  • curl 8.6.0 contains at least 4 known vulnerabilities; the latest version is 8.8.0, released on May 22, 2024.
  • zlib 1.2.12 contains at least one vulnerability with a CVE; the latest version is 1.3.1, released on January 22, 2024.
  • nghttp2 1.61.0 contains at least one known vulnerability; the latest version is 1.62.1, released on May 19, 2024.
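The check described above (reading the dependency versions that curl reports and comparing them with current upstream releases) can be scripted. This is an added example, not code from the original post: the `curl --version` text is a constructed sample shaped like the Sonoma 14.5 output described in the article, and the "latest" versions are the ones the list above gives.

```shell
#!/bin/sh
# Added example: audit the library versions reported by `curl --version`
# against the latest upstream releases named in the post.

# Constructed sample of `curl --version` output (first two lines), shaped like
# macOS Sonoma 14.5. On a real Mac, replace with:
#   CURL_VERSION_OUTPUT="$(/usr/bin/curl --version)"
CURL_VERSION_OUTPUT='curl 8.6.0 (x86_64-apple-darwin23.0) libcurl/8.6.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.61.0
Release-Date: 2024-01-31'

# Latest upstream releases at the time of the article (May 2024).
LATEST_libcurl=8.8.0
LATEST_LibreSSL=3.9.2
LATEST_zlib=1.3.1
LATEST_nghttp2=1.62.1

# version_lt A B: succeed if A < B, comparing dot-separated numeric fields
# (so 1.2.12 < 1.3.1, which a plain string compare would get wrong).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# shipped_version NAME: pull "NAME/x.y.z" out of the first line of the output.
shipped_version() {
  printf '%s\n' "$CURL_VERSION_OUTPUT" | head -n 1 | tr ' ' '\n' | sed -n "s#^$1/##p"
}

# audit: print one line per component and store the count in OUTDATED.
audit() {
  OUTDATED=0
  for name in libcurl LibreSSL zlib nghttp2; do
    have=$(shipped_version "$name")
    eval "latest=\$LATEST_$name"
    if [ -z "$have" ]; then
      printf '%-9s not reported\n' "$name"
    elif version_lt "$have" "$latest"; then
      printf '%-9s %-8s OUTDATED (latest %s)\n' "$name" "$have" "$latest"
      OUTDATED=$((OUTDATED + 1))
    else
      printf '%-9s %-8s current\n' "$name" "$have"
    fi
  done
}

audit && echo "outdated components: $OUTDATED"
```

Only libraries that curl links dynamically or reports in its build string show up here; it says nothing about other copies of the same libraries elsewhere on the system.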

It’s quite likely that there are other outdated FOSS components with known vulnerabilities in the current macOS Sonoma release; we leave this as an exercise for other researchers to look into.

Has Apple implemented alternative mitigations for the unpatched vulnerabilities?

It’s unclear whether Apple might have other mitigations in place for some of the vulnerabilities that it seems to be leaving unpatched. Or, perhaps, in some cases Apple could hypothetically be backporting patches without updating the version numbers it uses.

Whatever the case may be, Apple has not responded to our multiple inquiries over the past seven months since we first tried to bring the issue to Apple’s attention.

Security researchers with a bit of time on their hands may wish to dive more deeply and test the exploitability of these and other publicly documented vulnerabilities in macOS Sonoma’s FOSS components.

Why is Apple negligent in patching open-source software?

Notably, the ongoing issues with macOS Sonoma aren’t the first time that Apple has neglected to patch open-source software quickly in its operating systems. One well-documented public example of this was Apple’s inclusion of Python 2.7 with macOS for nearly two years after its final update.

But the issue has been ongoing for at least a decade, if not longer; Rob Griffiths blogged about “OS X’s… aging collection of Unix tools” in September 2014. (Griffiths speculated that Apple’s opposition to the GPLv3 software license may have explained the company’s avoidance of software after it migrated to GPLv3. Even so, it does not explain why Apple is slow to update other FOSS components.)

Such things rarely get media coverage, however. Outdated FOSS components in macOS typically go unnoticed, except amongst a small handful of researchers and engineers who pay attention to such things.

What can users do about this?

Unfortunately, when Apple chooses not to patch known vulnerabilities quickly, it leaves end users exposed. While there’s little that Mac users can do about it, there is one important thing. You can help put pressure on Apple by raising awareness of reports like this one.

We encourage responsible media outlets to report on issues of public concern like this, to discourage Apple from taking a lax approach to security issues.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.