Without Mavericks, Mac Users May Lose Security Updates

Apple's new desktop operating system, OS X 10.9 Mavericks, is a free download for Mac users — but it may leave those who prefer older versions of OS X more vulnerable to hackers than ever before.
While Mavericks, which was released on Oct. 22, fixes more than 40 security flaws found in OS X 10.8 Mountain Lion, Apple has not released any patches for those flaws in Mountain Lion or its predecessors, OS X 10.7 Lion and Mac OS X 10.6 Snow Leopard.
Even worse, Apple detailed every single flaw that Mavericks fixes, right down to the flaws' reference numbers, which can easily be looked up. That's handing malicious hackers a gold mine of information to exploit on machines not yet running Mavericks — which, at the moment, includes the majority of Macs.
It seems that Apple is pushing all the OS X users who don't want to upgrade — or can't, since Mavericks won't run on most Macs manufactured before 2008 — out into the cold, and telling the wolves that there's good eatin' to be had.
Other operating systems support previous editions for years after they've been surpassed. Microsoft's Windows XP, released in 2001, will continue to receive security patches until April 2014. Windows Vista, released in 2007, will be supported until 2017. Even Ubuntu Linux, which is free, has a five-year support policy for its "long term support" releases.
Apple's policy regarding OS X security patches has been inconsistent. For several years, the company would support only the current OS and the one immediately before it, so users would have to upgrade after a couple of years, no matter what they were running. (Until Mavericks was released, upgrades generally cost $30.)
When Mountain Lion came out in July 2012, it quickly became clear that many users were refusing to upgrade from Snow Leopard, two steps back. So Apple decided, informally, to keep supporting Snow Leopard as well.
That meant that for more than a year, Apple security updates went out to three versions of OS X — Snow Leopard, Lion and Mountain Lion — at the same time.
The last major update bundle for all three was on Sept. 12. Smaller updates patching Java and Safari have followed, the latter released the same day as Mavericks.
But users of Lion or Mountain Lion will not be able to upgrade to Safari 7, which includes many structural security enhancements.
Apple told ZDNet that the company had not changed its update policy and that some older OS X versions go unpatched for architectural reasons. When Tom's Guide reached out to Apple, the company had no additional information to share.
Does simpler mean stronger?
It's certainly easier for Apple to support only one version of its desktop operating system.
"Having less platforms means having to spend less resources on testing," said Roel Schouwenberg, a security researcher with Kaspersky Lab. "Actively supporting only one platform will also serve as a major driver to get people to update to the latest, and normally most secure, release."
Furthermore, Apple already supports only one version of its other operating system, iOS. Just as many elements of Apple's mobile user experience, such as the App Store, iMessage and design touches, have been ported to the desktop, so might the company be porting the entire mobile update-and-upgrade model as well.
"Let's not forget, they made this OS update free," said independent security researcher Graham Cluley, "perhaps in an attempt to mimic the success they have had getting iOS users to run the latest version of the mobile operating system."
That makes sense, especially if you consider Mavericks to be THE security patch for Snow Leopard, Lion and Mountain Lion.
Users of all three can upgrade to Mavericks for free, and, according to online ad network Chitika, nearly 12 percent did within five days of Mavericks' release.
(Users of Mac OS X 10.5 Leopard on Intel-based Macs must either first buy Snow Leopard for $20, or get a Snow Leopard installation disk from a friend.)
Not everyone can upgrade right away
But what if you can't upgrade just yet? A photographer who works with Tom's Guide uses capture software that's not yet supported in Mavericks, for example. Should he be rendered vulnerable to hackers just because the makers of that software haven't updated their software?
Along similar lines, Western Digital last week advised users of its external hard drives to delay updating to Mavericks after many reports of data loss.
"I think, at the very least, there should be a reasonable period of overlap where older OS versions continue to be supported, and customers can evaluate what impact upgrading would have on them," Cluley said. "It shouldn't be a 'here today, gone tomorrow' approach which just leaves you feeling like you've been mugged."
Savvy personal-computer users know to wait a month or two after the release of a new OS for any bugs to be worked out. Most corporate IT departments wait much longer than that.
"People, both end-users and software makers, need time for testing," Schouwenberg said. "Supporting the two latest releases should be the absolute minimum. But that won't be enough for a lot of businesses."
"All operating systems should have a clear life cycle, properly communicated," Cluley said. "How else are consumers and corporate users supposed to plan for the future?"
For students and administrators at Mac-heavy colleges and universities, the situation was less than ideal even before Mavericks.
Last year, a blog posting by an IT administrator at the University of Oxford accused Apple of "making minimal effort" and being "complacent in terms of [its] attitude to security and support."
"From that post, it became kind of clear that most Mac OS's only get about three years' worth of support," said Sean Sullivan, a researcher with F-Secure. "A student can’t even make it through university with full support on the same OS."
Responsible disclosure
The experts Tom's Guide spoke to believe Apple users deserve more than they're getting with the Mavericks upgrade.
"If Apple is indeed no longer supporting OSes prior to Mavericks, then [the company] must be vocal about it," Schouwenberg said. "If they've indeed made this policy change without giving their customers ample time to respond, then that's simply unacceptable."
"I don't know how they can justify it," Cluley said. "I think it's a terrible decision, if true. I'm still seeing plenty of reports of users struggling to get Mavericks to work properly with their applications."
"I don't think this is something more software makers should be doing," Sullivan said.
But, he added, "I think this is something that fits Apple’s niche. I think it is okay for Apple to do it, because people are free to vote with their wallets."
Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.
Even though Microsoft will stop XP support next year, you can easily upgrade a 2007 or 2008 laptop (probably even older if the driver support is there) to Windows 7 or 8
(Disclaimer for those who don't know: I'm a hardcore Apple hater.) You know what? This totally makes sense. It's ANNOYING to provide updates for hell knows how many versions of the software on different versions of the same OS. I have a co-worker who has a 2008 or so MBP 17'' and he upgraded to Mavericks for free, which obviously gets him all the new updates etc. I don't see what's here to complain about!
The last few paragraphs delineate exactly why this approach is wrong. There is a lot to complain about (even though maybe I should say it serves them well for buying an Apple thingy in the first place, LOL).
Mavericks is what, 12 days old?
Macs that have the old Core Duo/Solo chips simply CANNOT upgrade to Mavericks---it requires an x64 processor.
But in terms of software/OS longevity of support, I am if anything pleased that Apple are quite firm about not supporting ancient operating systems for years on end. I am not at all sympathetic to stubborn users/companies, or those who rely on 3rd-party software or hardware from manufacturers who appear to be unreliable. I can't see how either of those circumstances are Apple's responsibility.
It is not that long ago you could buy a Mac with a Core2Duo processor. 3-4 years is a way too short expected lifetime. Especially considering the premium price you are asked to pay for that PC if it is a Mac. This is really horrible customer service.
"Buy our stuff every year at the price we tell you to and shut the hell up".
If I was told that, I would advise them to go somewhere and do unspeakable things to themselves.
It's worth noting that all Core 2 Duos were x64. I'm referring to the original Yonah Core Duo/Solos.
- Ending support for 32-bit CPUs... Totally fine. To my knowledge it was only the very first Intel Macs that used 32-bit CPUs, everything after that used 64-bit CPUs.
- Ditching support for ALL previous versions, 2 weeks after latest release. Bad move, give people some time to transition.
- Putting out a detailed list of UNFIXED security flaws in their previous operating system. Ok, really bad move...
It's not only the 32-bit CPU models, as per Apple's site, these are the only Macs that can upgrade to Mavericks:
iMac (Mid-2007 or later)
MacBook (13-inch Aluminum, Late 2008), (13-inch, Early 2009 or later)
MacBook Pro (13-inch, Mid-2009 or later)
MacBook Pro (15-inch or 17-inch, Mid/Late 2007 or later)
MacBook Air (Late 2008 or later)
Mac Mini (Early 2009 or later)
Mac Pro (Early 2008 or later)
Xserve (Early 2009)
For example, there is a generation of Mac Pros (2006-2007 models with Xeon 64 bit cpus) that cannot upgrade apparently.
This makes me more convinced that Apple should have just skipped 32-bit x86 CPUs altogether and jumped straight to x86-64.
I'll take that one further---I wish they hadn't gone to x86 at all. There was always something special about a Mac back in the day, having the Motorola/IBM CPU was something exotic, but nowadays, it's just a PC running a *nix variant.