
Interestingly, the release notes for the 2015-004 patch that includes the fix specifically mention it is also available for Mavericks and Mountain Lion.

https://support.apple.com/en-us/HT201222




No it doesn't:

from https://support.apple.com/en-us/HT204659:

> Admin Framework

> Available for: OS X Yosemite v10.10 to v10.10.2

> Impact: A process may gain admin privileges without properly authenticating

> Description: An issue existed when checking XPC entitlements. This issue was addressed with improved entitlement checking.

> CVE-ID

> CVE-2015-1130 : Emil Kvarnhammar at TrueSec


I see, so a security update with the same version number does not contain the same patches on all OS X versions it rolls out on, that's... peculiar.

I can't really believe Apple will actually leave this unpatched, as opposed to just saying it won't at this time. The impact of this exploit and the number of affected systems is way too big, they really can't let this sit in OS X versions that were brand new only one or two years ago, that would be insane. With all the resources they have a statement like 'the impact of the changes would be too large' is quite ridiculous.

My guess is that they will patch it in a later update, but haven't finished it yet. Maybe they are even hoping for a few more people to upgrade to Yosemite before they release it. I would be willing to bet that they don't leave a gaping hole like this sitting indefinitely.


I agree with this assessment. The initial fix of the exploit may be easy, but I would bet that the compatibility testing and fixes associated with things that will break because of the patch is what is holding it up.

It would be an interesting exercise to try to figure out what made it easier to patch in 10.10. Is it because it is an active code base, or because something was refactored between 10.8/10.9 and 10.10 that eliminated the need to take advantage of this undocumented capability--for instance, something in the System Preferences getting refactored?



