
macOS Sequoia and iOS 18: What Apple patched—and what they didn’t


Along with any brand-new operating system from Apple comes a variety of new security and privacy features and improvements. Inevitably, these updates also bundle many vulnerability patches that Apple will never backport to earlier OS versions.

Let’s briefly explore what’s new in that regard for macOS Sequoia, iOS 18, and the other operating systems Apple released on Monday.

And just as importantly, let’s also explore what Apple notably didn’t patch in this week’s major new OS updates.

In this article:

  • New security and privacy features
  • Vulnerabilities patched in the new operating systems
  • Vulnerabilities patched in other software
  • What Apple has (once again) left unpatched
  • How can I learn more?

New security and privacy features

We’ve previously shared our top 5 list of security and privacy features in macOS Sequoia, iOS 18, and iPadOS 18.

One big change is that Apple now has a Passwords app—an improvement over saved passwords being buried deep within Settings. Another cross-OS improvement that Apple hasn’t implemented yet is Private Cloud Compute, a key component of Apple Intelligence; it ensures that off-device AI processing maintains users’ privacy.

Most of the other changes are iOS and iPadOS specific. One is locking and hiding apps. Apple has also added the ability to manually select specific contacts to share with an app.

Vulnerabilities patched in the new operating systems

Apple patched a slew of security vulnerabilities in its latest operating systems; the following is an overview:

  • macOS Sequoia 15.0 — 49+ CVEs, 35+ additional recognitions
  • iOS 18.0 and iPadOS 18 — 33+ CVEs, 20+ additional recognitions
  • watchOS 11.0 — 11+ CVEs, 6+ additional recognitions
  • visionOS 2.0 — 15+ CVEs, 5+ additional recognitions
  • tvOS 18.0 — 11+ CVEs, 3+ additional recognitions

“CVEs” is short for Common Vulnerabilities and Exposures; more specifically, I’m using the term to refer to the numbers assigned to individual vulnerabilities that Apple patched. Apple sometimes withholds some CVEs until a later date.

“Additional recognitions” refers to cases where Apple only thanks researchers for their assistance, but doesn’t assign CVE numbers. Because Apple lists operating system components along with a list of researchers, it can be difficult to tell which researchers collaborated and how many issues were reported per component.

Apple did not disclose any “exploited” vulnerabilities (i.e. ones previously used in real-world attacks) in this patch cycle.

Vulnerabilities patched in other software

Apple also issued patches for some older operating systems as well as Xcode:

  • macOS Sonoma 14.7 — 37+ CVEs, 1 additional recognition
  • macOS Ventura 13.7 — 30+ CVEs, 1 additional recognition
  • Safari 18 for Sonoma and Ventura — 3+ CVEs, 1+ additional recognitions
  • iOS 17.7 and iPadOS 17.7 — 16+ CVEs, 0 additional recognitions
  • Xcode 16 — 3+ CVEs, 2+ additional recognitions

Note that there are significant differences between the number of vulnerabilities Apple patched for the current versus previous OS versions. For reasons that Apple has never fully explained, only the current OS versions are fully patched; older OSes get a subset of applicable patches.

Apple did not release a watchOS 10 security update. This leaves the Apple Watch Series 4, Series 5, and SE (1st gen)—all of which can’t run watchOS 11—without any new security updates.

What Apple has (once again) left unpatched

Apple continues to leave open-source software components in macOS Sequoia critically outdated and highly vulnerable. For example, Sequoia still includes LibreSSL 3.3.6, which is more than 2.5 years old and contains at least four known vulnerabilities, including two rated “9.8 CRITICAL” on the CVSS scale; the latest stable release is 3.9.2, released on May 12, 2024.

Additionally, Apple has once again neglected to patch a Safari bug that the company has known about for more than 5.5 years. The bug makes it easy to spread misinformation via fake news headlines that appear to come from credible sources.

We’ve reached out to Apple about both of these issues. Apple has not responded to our requests for comment.

Meanwhile, macOS Sequoia 15.0 has introduced a new network-related bug that has impacted many users. Due to this Apple bug, some apps may have difficulty accessing the Internet; this seems to be especially common for VPN users. Apple is aware of the bug and will likely release a 15.0.1 update within the next week or so to address it.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.