Mac users running macOS 10.14 Mojave have so far waited in vain for a security update that is supposed to close a vulnerability exploited by the NSO spyware Pegasus. On Monday, Apple released an update for most of its operating systems that fixes a zero-day vulnerability in the Core Graphics framework, including updates for macOS 11 Big Sur and macOS 10.15 Catalina. According to the manufacturer, the bug made it possible to inject malicious code with the help of a manipulated PDF file.
No explanation from Apple
According to reports, the manufacturer NSO Group used the bug in the framework to deliver the Pegasus monitoring tool via Apple’s iMessage communication service and to install it silently; no action by the victim is required.
It remains unclear whether the bug does not exist in macOS 10.14 Mojave or whether the missing security update will still be delivered. Apple has so far left a corresponding inquiry unanswered.
Apple usually adds features and closes security holes in the latest version of the operating system. Comprehensive security patches are also provided in parallel for the two previous operating system versions. With the release of macOS 12 Monterey, expected in October, macOS 10.14 Mojave would fall out of update coverage at the latest, unless Apple changes its previous approach.
Mojave is the last version of macOS that still runs 32-bit software, so a larger number of users are likely to stay on it.
Update for the Safari browser
Adding to the confusion, there is no Security Update 2021-005 for macOS 10.14 yet, but Apple has updated the WebKit engine underlying the preinstalled Safari browser in the older operating system version as well: Safari 14.1.2 fixes a vulnerability that allows malicious code to be executed simply by opening manipulated web content. According to Apple, there is a report that the vulnerability may have been actively exploited in attacks.