Apple still leaving critical vulnerabilities unpatched in macOS Sonoma
Posted by Joshua Long
As we first noted in November 2023, macOS Sonoma contains some very outdated open-source software components. (Free/libre open-source software is commonly abbreviated as FOSS or FLOSS.) This outdated software puts Mac users at serious risk. We’ve reached out to Apple multiple times about this, and Apple still hasn’t responded. Here’s what we know.
How did Intego notice these outdated components?
In October 2023, there was a lot of buzz about CVE-2023-38545, a critical vulnerability in the open-source software curl. When checking which version was included with the latest macOS Sonoma update, we discovered that curl was indeed outdated. But it wasn’t just a single version behind; curl was actually six months out of date, and was missing other security patches as well.
The Terminal command to find out curl’s version also revealed something even worse: several of curl’s dependencies (other open-source software upon which curl relies) were also severely outdated. The most serious of these was LibreSSL, which is now nearly 29 months out of date.
A couple of components have been silently updated to newer versions since then. For example, in macOS Sonoma 14.5, without any mention in Apple’s official security release notes for the OS update, Apple upgraded curl from 8.4.0 to 8.6.0, and nghttp2 from 1.58.0 to 1.61.0. Oddly, curl 8.6.0 was, at the time, nearly two months behind on patches; it’s unclear why Apple chose not to upgrade to the latest available at the time, which was 8.7.1, given that 8.6.0 had known vulnerabilities.
In macOS Sonoma 14.6, Apple did note curl patches in its release notes. However, once again Apple upgraded curl from an old version (8.6.0) to another outdated and vulnerable version (8.7.1). Version 8.7.1 came out four months earlier and contained three vulnerabilities; one was “medium” severity. The fully patched version of curl at the time of Sonoma 14.6’s release was 8.9.0.
Which vulnerable components does the current macOS Sonoma release include?
Intego is aware of at least the following vulnerabilities in macOS Sonoma 14.6, the latest version:
- LibreSSL 3.3.6 is more than 2 years old and contains at least 4 known vulnerabilities, including two rated 9.8 CRITICAL on the CVSS scale; the latest stable release is 3.9.2, released on May 12, 2024.
- curl 8.7.1 contains at least 2 known vulnerabilities; the latest version is 8.9.1, released on July 31, 2024.
- zlib 1.2.12 contains at least one vulnerability with a CVE; the latest version is 1.3.1, released on January 22, 2024.
- nghttp2 1.61.0 contains at least one known vulnerability; the latest version is 1.62.1, released on May 19, 2024.
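As an added example (not Intego's or Apple's code), the POSIX shell script below parses the first line of `curl --version` output and flags each component older than the release the list above names as latest. The sample line is constructed from the Sonoma 14.6 version numbers above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit component versions reported by `curl --version`.

# Baseline = releases the article names as latest at the time of writing.
baseline_for() {
  case "$1" in
    curl|libcurl) echo "8.9.1" ;;
    LibreSSL)     echo "3.9.2" ;;
    zlib)         echo "1.3.1" ;;
    nghttp2)      echo "1.62.1" ;;
  esac
}

# Return 0 if dotted version $1 is strictly older than $2 (numeric per field).
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # drop suffixes such as "-DEV"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1                                 # equal versions are not "older"
}

# Read the first line of `curl --version` from stdin and print
# "name version baseline STATUS" for every component with a known baseline.
audit_curl_components() (
  set -f                                   # no globbing on parsed tokens
  IFS= read -r line || [ -n "$line" ] || exit 1
  # The line starts with "curl X.Y.Z"; rewrite it as a "curl/X.Y.Z" token.
  case "$line" in "curl "*) line="curl/${line#curl }" ;; esac
  for token in $line; do
    case "$token" in */*) ;; *) continue ;; esac
    name=${token%%/*} ver=${token#*/}
    base=$(baseline_for "$name")
    [ -n "$base" ] || continue
    if version_lt "$ver" "$base"; then status=OUTDATED; else status=OK; fi
    printf '%s %s %s %s\n' "$name" "$ver" "$base" "$status"
  done
)

# Constructed sample line using the Sonoma 14.6 versions quoted in the article.
sample_line() {
  echo 'curl 8.7.1 (x86_64-apple-darwin23.0) libcurl/8.7.1 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.61.0'
}

sample_line | audit_curl_components   # on a Mac: curl --version | audit_curl_components
```

An OUTDATED result shows only that the reported version string is behind the baseline; it cannot tell whether patches were backported without a version bump, a possibility the article raises further down.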
While Python is not included by default in macOS Sonoma, running python3 from the command line prompts the user to install it. If the user proceeds, they will get version 3.7.3 on an Intel Mac, or version 3.9.6 on an Apple silicon Mac. These versions are from March 25, 2019, and June 28, 2021, respectively. Both Python 3.7.3 and 3.9.6 contain many severe vulnerabilities.
It’s quite likely that there are other outdated FOSS components with known vulnerabilities in the current macOS Sonoma release; we leave this as an exercise for other researchers to look into.
So far, the beta versions of macOS Sequoia look virtually as bad as Sonoma. All of the above vulnerabilities apply to the current Sequoia beta, except one: the vulnerability in nghttp2.
Has Apple implemented alternative mitigations for the unpatched vulnerabilities?
It’s unclear whether Apple might have other mitigations in place for some of the vulnerabilities that it seems to be leaving unpatched. Or, perhaps, in some cases Apple could hypothetically be backporting patches without updating the version numbers it uses.
Whatever the case may be, Apple has not responded to our multiple inquiries over the past nine months since we first tried to bring the issue to Apple’s attention.
Security researchers with a bit of time on their hands may wish to dive more deeply and test the exploitability of these and other publicly documented vulnerabilities in macOS Sonoma’s FOSS components.
Why is Apple negligent in patching open-source software?
Notably, the ongoing issues with macOS Sonoma aren’t the first time that Apple has neglected to patch open-source software quickly in its operating systems. One well-documented public example of this was Apple’s inclusion of Python 2.7 with macOS for nearly two years after its final update.
But the issue has been ongoing for at least a decade, if not longer; Rob Griffiths blogged about “OS X’s… aging collection of Unix tools” in September 2014. (Griffiths speculated that Apple’s opposition to the GPLv3 software license may have explained the company’s avoidance of software post-migration to GPLv3. Even so, it does not explain why Apple is slow to update other FOSS components.)
Such things rarely get media coverage, however. Outdated FOSS components in macOS typically go unnoticed, except amongst a small handful of researchers and engineers who pay attention to such things.
What can users do about this?
Unfortunately, when Apple chooses not to patch known vulnerabilities quickly, it leaves end users exposed. While there’s little that Mac users can do about it, there is one important thing. You can help put pressure on Apple by raising awareness of reports like this one.
We encourage responsible media outlets to report on issues of public concern like this, to encourage Apple to not take a lax approach to security issues.