Along with any brand-new operating system from Apple comes a variety of new security and privacy features and improvements. Inevitably, these updates also bundle many vulnerability patches that Apple will never backport to earlier OS versions.
Let’s briefly explore what’s new in that regard for macOS Sequoia, iOS 18, and the other operating systems Apple released on Monday.
And just as importantly, let’s also explore what Apple notably didn’t patch in this week’s major new OS updates.
We’ve previously shared our top 5 list of security and privacy features in macOS Sequoia, iOS 18, and iPadOS 18.
One big change is that Apple now has a Passwords app—an improvement over saved passwords being buried deep within Settings. Another cross-OS improvement that Apple hasn’t implemented yet is Private Cloud Compute, a key component of Apple Intelligence; it ensures that off-device AI processing maintains users’ privacy.
Most of the other changes are iOS and iPadOS specific. One is locking and hiding apps. Apple has also added the ability to manually select specific contacts to share with an app.
Apple patched a slew of security vulnerabilities in its latest operating systems; following is an overview:
“CVEs” is short for Common Vulnerabilities and Exposures; more specifically, I’m using the term to refer to the numbers assigned to individual vulnerabilities that Apple patched. Apple sometimes withholds some CVEs until a later date.
“Additional recognitions” refers to when Apple only thanks researchers for their assistance, but doesn’t assign CVE numbers. Because Apple lists operating system components along with a list of researchers, it can be difficult to tell which researchers collaborated or not, and how many issues were reported per component.
Apple did not disclose any “exploited” vulnerabilities (i.e. ones previously used in real-world attacks) in this patch cycle.
Apple also issued some patches for some older operating systems as well as Xcode:
Note that there are significant differences between the number of vulnerabilities Apple patched for the current versus previous OS versions. For reasons that Apple has never fully explained, only the current OS versions are fully patched; older OSes get a subset of applicable patches.
Apple did not release a watchOS 10 security update. This leaves the Apple Watch Series 4, Series 5, and SE (1st gen)—all of which can’t run watchOS 11—without any new security updates.
Apple continues to leave open-source software components in macOS Sequoia critically outdated and highly vulnerable. For example, Sequoia still includes LibreSSL 3.3.6, which is more than 2.5 years old and contains at least four known vulnerabilities, including two rated “9.8 CRITICAL” on the CVSS scale; the latest stable release is 3.9.2, released on May 12, 2024.
Additionally, Apple has once again neglected to patch a Safari bug that the company has known about for more than 5.5 years. The bug makes it easy to spread misinformation via fake news headlines that appear to come from credible sources.
We’ve reached out to Apple about both of these issues. Apple has not responded to our requests for comment.
Meanwhile, macOS Sequoia 15.0 has introduced a new network-related bug that has impacted many users. Due to this Apple bug, some apps may have difficulty accessing the Internet; this seems to be especially common for VPN users. Apple is aware of the bug and will likely release an update soon to address it.