Apple Only Commits to Patching Latest OS Version

People have suspected this for a while, but Apple has made it official. It only commits to fully patching the latest version of its OS, even though it claims to support older versions.

From ArsTechnica:

In other words, while Apple will provide security-related updates for older versions of its operating systems, only the most recent upgrades will receive updates for every security problem Apple knows about. Apple currently provides security updates to macOS 11 Big Sur and macOS 12 Monterey alongside the newly released macOS Ventura, and in the past, it has released security updates for older iOS versions for devices that can’t install the latest upgrades.

This confirms something that independent security researchers have been aware of for a while but that Apple hasn’t publicly articulated before. Intego Chief Security Analyst Joshua Long has tracked the CVEs patched by different macOS and iOS updates for years and generally found that bugs patched in the newest OS versions can go months before being patched in older (but still ostensibly “supported”) versions, when they’re patched at all.

Posted on October 31, 2022 at 6:29 AM • 29 Comments

Comments

tfb October 31, 2022 7:17 AM

This means, of course, that you need to upgrade macOS yearly. For me, that doubles that part of the cost of owning a mac (which, since I am unwilling to just trust the upgrade process, is already far from zero), and means that when HW goes out of support I have to buy a new machine a year sooner.

So that’s good news.

Boris October 31, 2022 7:57 AM

It also makes me wonder who will be providing software & security updates for the current crop of EVs in 15-20 years time?

They are basically 2-ton computers on wheels, capable of inflicting huge damage if/when they are hacked.

Who will be responsible?

EH October 31, 2022 10:02 AM

“…who will be providing software & security updates for the current crop of EVs in 15-20 years time?”…

Not only EVs, pure internal combustion vehicles too. An early “theoretical” example was a Jeep steering and motor remotely hacked (search ‘jeep steering hack’).

It will be curious if, once a vehicle becomes that old and unsupported and at risk, it can be air-gapped via 3rd parties, clever DIY’ers, or maybe the manufacturers themselves. Maybe, maybe not, depends on how tethered to the mother ship manufacturers insist these stay.

Russ October 31, 2022 10:20 AM

My 2016 iPhone SE cannot upgrade to iOS 16; however, it just received an update to iOS 15.7.1, so they’re still paying some attention to older phones.

John Tillotson October 31, 2022 10:46 AM

That’s a bad idea. Mac users who aren’t willing to upgrade more often because their hardware is “still OK” and/or they can’t afford it will wind up being vulnerable to attack.

That is poor customer service.

Wayne October 31, 2022 12:22 PM

My two main computers are a 2015 iMac (27″ 5K display) running Monterey and a ’15 MacBook Pro running 10.12 Sierra. The laptop will never be upgraded as I would lose apps that are needed. The iMac can no longer be upgraded because of changes to the OS.

This kind of nonsense is so annoying. I can appreciate that they can’t support an OS forever, but their hardware is high-end, as is their manufacturing, which helps to keep them going for so long. I don’t have the income to replace my kit every five years like Apple would like, especially with retirement staring me in the face. I’ll run these until they fall over dead and then figure out my next step. (pun intended)

It seems like Apple used to be “Yes, we’re expensive, but you’re getting a superior product” to just “Yes, we’re expensive”. To me, the company’s attitude and direction is still wavering post-Steve.

Unknown October 31, 2022 1:00 PM

Considering the high prices of Apple products, this is annoying.

I got Adobe software products that I thought I would be able to use for a lifetime. When I tried to reinstall them, I found out Adobe no longer provides the software activation service needed to install the software.

The software companies can pull the plug on software breaking promises made at sale of software and leave users with no alternative but to pay up for expensive subscription plans to use the current software.

KeithB October 31, 2022 2:19 PM

“the company’s attitude and direction is still wavering post-Steve.”
Except, of course, this policy sounds very Steve-like. 8^)

lurker October 31, 2022 2:58 PM

Once upon a time the Apple Security Update server, on request, conversed with the client updater app to download only those updates needed for that machine. Then they changed it so everybody got one large omnibus update, which was not welcomed by users on bandwidth or volume limited connections.

Their current info seems to indicate corporate sized users can manage their own update service and components, but if Apple don’t release an update for an “old” OS version, then the user is forced to roll their own, or take other measures.

I still think the fastest, cleanest desktop Mac was the pizza-box LC3 running MacOS 7.1

Front Dirt Drunky October 31, 2022 7:29 PM

Damned if I do, Damned if I don’t

I used to be in tech, used to be “Apple faithful”, now I’m a luser enduser. Apple’s not getting any more of my money. Bear with me here….

The only lesson I’ve learned is that in the Tim Cook era, every Apple device needs to come with a PiHole or AdGuard Home, because–

  • My old, reliable, cost effective Intel Kit on Catalina won’t be updated anymore except for toothless “MRT” files that haven’t caught anything.
  • The newer kit is perpetual buggy UX amateur hour, it’s like Apple laid off all their good UX folks & the new mac kit is just a glorified iPad with keyboard, mouse, and mismatched UI.

Sorry, I have enough iPads, I want a mac I can use as a reliable server. Can’t do that easily with Brick Sur and above. IDGAF about “neural engines” and tech gobbledygook.

  • Craig Federighi promised that users and admins could “opt out” of ocsp snooping on every launch of every app and AFAIK that’s still a promise broken. Broken and now they insert ads on paid kit. My AdgH Nope.

So I’m one of those “stay behinds” and my old macs are now being regarded by Apple as “hackintoshes”.

This is fine. As long as I keep the machines updated with everything NOT Apple (python, zsh, etc) & with security tools like Little Snitch, AdGuard & BlockBlock… and occasionally look at the logs.

And again, LAN must be running AdGuard Home or PiHole. Tim Cook wants to own my computers? All my computers are in AdGuard Home jail. And I have zero desire to develop or buy more Apple kit. Thanks Tim Cook.

JonKnowsNothing November 1, 2022 1:05 AM

@Ted, All

re: Is six years a good shelf life?

It depends on one’s point of view and disposable income level.

For those who are social climbing, being the latest on the hip set, working towards being “un vaniteux”, then 1 month shelf life may be too long. Hip is NOW and old is 5min later. If it isn’t instant then it’s not of interest.

But for shelf life consider:

Cars (gasoline engines) can last 20yrs. 50+ years if maintained or restored.

Houses (USA) last 40-50 years. Housing in EU and elsewhere 100yrs-1,000yrs+

Dry Food (kept dry and clean) can last many years

Canned Food (not punctured) can last 10yrs-20yrs

Olive Oil lasts longer than your life span

Honey much longer than most modern countries have been in existence. 3,000+ yrs.

Water lasts a long time. It’s recycled naturally. You are drinking Cleo’s bathwater. Water stored in tanks requires periodic treatments and can last years as potable water.

Dogs and Cats have 5-15-20 year life spans

Parrots can live 60yrs+

Giant Tortoises live 100-150yrs.

Ants may not live a long time individually but collectively they out live most mammals.

Cast iron Dutch Ovens last longer, are more useful, rarely change design and work as intended.

So, why does a tiny piece of not very much material, with a format designed to maximize human eye response, with a minimum of required utility and a lot of bloatware, often failing to work or working within diminishing standards, have such a poor shelf life?

Jurgen November 1, 2022 5:08 AM

@JonKnowsNothing:
Already decades ago, I worked at a stock options trading exchange. Traders: “Short term is before lunch” — “What’s long term, then?” — “After lunch”.

Isn’t there this thing called ‘EU’ that ordered all manufacturers to keep the equipment they sold in proper order as long as one could reasonably assume it should function under ‘normal use’? Or was it just the Dutch, crazy as they are (been there, doing that). Anyway, there have been court cases where manufacturers were ordered to maintain old stuff — yes, electronics too.

I’d guess 5 years is normal life for a phone (remember, Old People (over 29) can easily do without all the latest frills). Or Nokia might provide their 2¢. Courts will decide.
During that time, any bugs or features that could damage the normal use readiness, must be repaired.

Let alone that this new EU regulation (like, this: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act) has much more detailed continued-support and security requirements for IoT — phones being among those! Not yet enforceable, but (relatively) soon will be. Is some iFoon-manufacturer just trying to bully the EU, or trying to get the last drop/€cent out of the market before it closes?

ingrid November 1, 2022 1:04 PM

Houses (USA) last 40-50 years. Housing in EU and elsewhere 100yrs-1,000yrs+

I’d say that’s an unreasonably low estimate of American house lifetime. Who’s tearing down houses when they reach 40-50 years? Lots of people live in older houses/apartments (100+ years), and the term “forever home” isn’t particularly rare. People are much more likely to renovate, or even build extensions, than to bulldoze a house altogether.

6 years for a phone is way too short. The battery may need a few replacements in that time; otherwise, if screens are replaced when cracked and people aren’t running out of storage space, they’re still about as capable as current phones. A bit slower; but if manufacturers had reason to care, they’d be as fast as when they were new. It’s not hard to get 10-20 years of basic home/office use from a desktop computer these days (or wasn’t, till Windows 11 declared a lot of perfectly good PCs obsolete).

cls November 2, 2022 1:34 AM

ok… score one for Microsoft. A few days ago I powered up an old Win 7 Pro system for the first time in many years. After a few minutes, a little dialog appeared, saying “Last check for updates was 2864 days ago. Would you like to update now?”

Took a few hours for the update-calculate, download, install, reboot, wash rinse repeat cycles, but it did it! not a hitch. running great. Thanks for the support, definitely got my $100 worth from Win 7.

Firefox and Thunderbird updated themselves perfectly, also.

gord November 2, 2022 6:29 AM

@cls This says nothing about Microsoft’s Windows 7 support status however. Congratulations, you have a fully patched PC as of 2020. 🙂

SpaceLifeForm November 3, 2022 1:40 AM

@ cls, gord

re: Win 7 updates

This was a laptop which I partitioned immediately and installed Debian and never rebooted into Windows, but I left it as dual boot setup.

I used Windows IE to download FireFox, to download Imgburn and Debian ISO.

The timestamp on Imgburn was just over 10 years ago, so that is how long it had been since I booted into 7.

So, I go to check for Windows updates. It fails immediately with error 80072EFE. I pull up Firefox to search, and cannot connect. Why? FF was version 26.0 and I try to do auto-update. It only climbed to version 31.0.

So, on another computer, I download latest FF to USB key, and sneakernet it over to this laptop. Version 106.0.3 currently.

You can see that I neglected this OS environment. Note that using FF does not rely upon Root Certs installed by the OS.

Then searching on the 80072EFE error, I find KB3138612.

Install that, and then Windows Update starts working.

After a while, I see:

108 Important Updates are available (over 1GB worth)
59 Optional Updates are available
Updates were installed: Never

So, over 3650 days, never updated.

It is still updating now.

The good thing about 7 pro is that security updates still arrive these days. Post 2020 EOL.

There is a reason for that. Hint: US Government.

‘https://www.ghacks.net/2022/07/15/it-looks-as-if-microsoft-could-extend-windows-7-support-by-three-years/

Clive Robinson November 3, 2022 5:11 AM

@ SpaceLifeForm,

Re : MS Security updates.

“There is a reason for that. Hint: US Government.”

That is the lipstick not the pig.

Do you remember WinXP EOL and the mess that created? With that vulnerability that hit, amongst others, the UK NHS so hard even the likes of the Rupert “the bare faced liar” Murdoch news outlets were encouraging the incensed UK citizens to in effect “string people up”…

Well the news leaked out that the core of MS Windows OS hardly ever changes and was in effect the NT kernel with bug fixes and security updates common to all versions of MS Windows.

Basically MS later OS’s are effectively bells and whistles UI changes pushed on top, like a bright new coloured lipstick. All used as a sales driver to keep cash coming through the door by locking MS apps and the OS in an update cycle you can not avoid as a user[1]. It’s also the reason we hear about some lower layer vulnerabilities having been around for decades.

Microsoft don’t want those who pay them vast amounts to just follow the neo-con mantras of “not leaving cash on the floor” but put it into other business development to drive the bubble, because MS survives on the sweeping up of that floor via their “locked in rent scheme”.

Not that MS are the only ones playing the game, most of the ICT industry is playing “follow the leader” in this respect.

Oh and a side effect of the money carousel is there is no time to do things in sensible ways, so we have the very high number of vulnerabilities found each day…

It’s also why traditional manufacturers of vehicles etc are desperate to force software into their products, so they can lock you into the same sort of “Money Mill Carousel”… Oh and don’t think the medical electronics used as implants are not greedily eyeing up the same “Money Mill Carousel”; they are, and it will bring new meaning to that old Highway Man cry of,

“Your money or your life!”

[1] It’s the same sort of scam landlords that owned a large number of properties in a small area used to do to get around “rent control”. That is, in places where individual rents could only be lifted once a year and that was capped at a maximum based on the average for the area. So each week or month they put up a near neighbour’s rent, the cumulative result being the landlords could keep the average rent in the area higher than it could have been if all the rents went up at the same time of year end.

NextStep November 4, 2022 2:00 AM

“Apple only commits to patching the latest OS version…”

…and breaking the current one, natch! 😉

https://www.malwarebytes.com/blog/news/2022/11/macos-ventura-bug-disables-security-software

Ah, the dangers of swimming with the whale… 🐳💥 –oh well, just waiting for Intel to match the performance of Apple silicon (and Fuchsia to arrive on the desktop!)

https://blog.codemagic.io/fuchsia-os-preview/
https://dahliaos.io/

…but I guess in the meantime, there’s always Asahi to play with…
https://asahilinux.org/

&ers November 4, 2022 5:20 PM

@SpaceLifeForm

I have a different story for you.

W7 has been up for: 393 day(s), 11 hour(s), 3 minute(s), 53 second(s)

Updates are disabled. Updates bring uncertainty and mess with stability.
FF is also old, but not THAT old – it’s pre-Quantum.

No, this is not a museum exemplar behind the glass – this W7 is a real workhorse used every day.

FF is especially downgraded to the pre-Quantum era – newer FF caused mystic crashes and lockups, W7 just crashed. After the downgrade – it’s rock-solid stable.
(and yes, this post is submitted from that W7)

JonKnowsNothing November 4, 2022 6:16 PM

@ &ers, @SpaceLifeForm, All

re: W7 Uptime

For a good portion of my coding career, Win-anything was required along with a Linux-Unix-Solaris box. There are, or were, a lot of items that ran on Win-Anything that do not run on Linux-Fruits.

While my experience was singular among my colleagues, I rarely ever crashed my Win-anything box. I cannot say never, but if it did crash it was a rare event.

My work fellows all spent hours of their working days reinstalling and reinstalling and reinstalling Win-Anything.

The primary reason for the difference in crashing? The desire and insistence of installing every piece of soft-crud downloadable from the 2-Moos (1) sites and other ancillary sites to do: junk-no-work.

They didn’t do much reinstalling on Linux-Fruits, as those systems were totally locked down.

It isn’t too hard to keep a Win-Anything box up, if you do not load too much extra bloat-ware beyond the stuff that comes with the box.

Load the Dev Environment. Load the Compilers and Linkers. Load the Build and Repository links. Load FavEditor. Load NECESSARY components. DO WORK.

It’s the ones who play with stock market tickers and pricing push-notices and a dozen off-limits applications and the never ending NewZergGames all while running under Admin.

I’m not sure whether I was unusually lucky in reducing the reinstall cycle, and I’m not saying the M$ is anything other than BloatWare+ZergWare, just that it is possible to do so.

There are many discussions about air-gap machines, and if you air-gap your Junk+Ware onto a separate machine then your work machine can do work, specifically because the items needing update are limited and therefore the updates are limited too.

WinX+XI are a different sort of bloatz and there isn’t anything you can really do except not run under Admin and keep the amount of ZergStuff to a minimum.

It’s a telemetry device and if M$$ wants their telemetry they have a self-interest in not crashing your machine.

  • System Down == Telemetry Down == M$$ Down

===

1) There were verified safe sites from which downloads were recommended. It wasn’t like now and the safety may have been somewhat vague. There was one named after a barn yard animal that was considered OK.

SpaceLifeForm November 4, 2022 6:27 PM

@ &ers, Clive

re: Older FF on Win7

32 bit or 64 bit?

There has been and still remains a lot of pressure to no longer support 32 bit code. Bad idea in my opinion. It is the treadwheel problem, where TPTB want everyone to upgrade to a 64 bit machine, where the new and improved Silicon Turtles reside.

Posting this with 32-bit FF and 32 bit Debian on a 64 bit machine. Checking version. I am purposely running 32 bit code on a 64 bit cpu, for reasons.

While checking the version, it just crashed. The 32 bit seems to have become more unstable in recent months, even though it is current 104.2.0esr on Debian. I see this every day now. I can pretty well tell when it is about to crash.

&ers November 4, 2022 6:47 PM

@SpaceLifeForm @Clive

Both W7 & FF are 64 bit.
I’m exactly half of your FF: 52.0.2 (64-bit) 😉
They play nice together; at best times it had survived over ~200 open tabs (true, Javascript disabled via NoScript).

But modern web & webapps and browsers are something from hell. Today I logged into my internet bank from a separate W7 & FF under VBOX. This was an absolutely fresh install and the internet bank web app triggered a blue screen crash in W7. This is actually the First Time EVER I saw a BSOD on W7. But FF there is a lot more modern too, because my bank doesn’t support older FF any more (even the login page is not rendered and thus not visible. Sigh.).

JonKnowsNothing November 4, 2022 6:51 PM

@ SpaceLifeForm , @ &ers, Clive

A commonly occurring problem in MMORPG games is with the 32-bit x 64-bit graphics drivers for DX9, DX10, DX11.

There’s some underlying Win code that may need an update. It’s a bit of chase your tail because you have to have certain updates and then other updates crack the previous ones and you have to redo newer updates.

I wouldn’t think that this is your issue but it can cause some funky stuff to happen. Crashing to the desktop is one of them.

&ers November 5, 2022 3:59 PM

@Clive @SpaceLifeForm @JonKnowsNothing @ALL

For using older browsers I link those solutions to you.

hxxps://github.com/tenox7/wrp
hxxps://github.com/ttalvitie/browservice

Not only does it allow using older browsers on an older trusted OS, but it also creates a security zone with user-defined data diodes so that malicious code never reaches the end browser.

SpaceLifeForm November 6, 2022 9:52 PM

@ NextStep

re: macos ventura bug

Sure smells like the Endpoint Security framework is security theatre.

That this bug grants permissions to software that never requested it, is a tell.
