The anti-malware software maker Malwarebytes has criticized Apple for using an “inconsistent” patching process. The security company wrote in a blog post that the iPhone maker’s “behaviour” is leading to bad security consequences.
The blog post written by the director of Mac and mobile at Malwarebytes, Thomas Reed, details Hong Kong’s watering hole campaign. Several people in Hong Kong were affected by macOS exploits that specifically targeted the visitors of media outlets and pro-democracy political organizations.
A single exploit chain found by Google’s TAG
It was Google’s Threat Analysis Group (TAG) that first reported the watering hole attacks that targeted Hong Kong residents. The vulnerabilities in macOS are reportedly found to be a single exploit chain. One of the attacks was based on the flaw in Webkit – remote code execution (CVE-2021-1789) – and the other – an XNU privilege escalation vulnerability.
According to Reed, Trojan was used to attack the specific set of people of Hong Kong. He also added that both attacks have been around since 2019 without having been detected.
“The same bug apparently existed in Catalina, which remained unpatched seven months after Apple released the patch for Big Sur, and more than five months after the details had been released at Zer0con,” Reed wrote in the blog post published by Malwarebytes. “This allowed attackers to target individuals running Catalina and Safari 13 without detection.”
While Aple has been releasing patches for its macOS versions. The company has not been doing so in an inconsistent manner – taking months to release the patch for the older versions of desktop operating system.
“To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group,” reads the blog post published by Google’s TAG. “The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.”