
Without Mavericks, Mac Users May Lose Security Updates

Apple's new desktop operating system, OS X 10.9 Mavericks, is a free download for Mac users — but it may leave those who prefer older versions of OS X more vulnerable to hackers than ever before.

While Mavericks, which was released on Oct. 22, fixes more than 40 security flaws found in OS X 10.8 Mountain Lion, Apple has not released any patches for those flaws in Mountain Lion or its predecessors, OS X 10.7 Lion and Mac OS X 10.6 Snow Leopard.

Even worse, Apple detailed every single flaw that Mavericks fixes, right down to the flaws' reference numbers, which can easily be looked up. That's handing malicious hackers a gold mine of information to exploit on machines not yet running Mavericks — which, at the moment, includes the majority of Macs.

It seems that Apple is pushing all the OS X users who don't want to upgrade — or can't, since Mavericks won't run on most Macs manufactured before 2008 — out into the cold, and telling the wolves that there's good eatin' to be had.


Other operating systems support previous editions for years after they've been surpassed. Microsoft's Windows XP, released in 2001, will continue to receive security patches until April 2014. Windows Vista, released in 2007, will be supported until 2017. Even Ubuntu Linux, which is free, has a five-year support policy for its "long term support" releases.

Apple's policy regarding OS X security patches has been inconsistent. For several years, the company would support only the current OS and the one immediately before it, so users would have to upgrade after a couple of years, no matter what they were running. (Until Mavericks was released, upgrades generally cost $30.)

When Mountain Lion came out in July 2012, it quickly became clear that many users were refusing to upgrade from Snow Leopard, two steps back. So Apple decided, informally, to keep supporting Snow Leopard as well. 

That meant that for more than a year, Apple security updates went out to three versions of OS X — Snow Leopard, Lion and Mountain Lion — at the same time.

The last major update bundle for all three was on Sept. 12. Smaller updates patching Java and Safari have followed, the latter released the same day as Mavericks.

But users of Lion or Mountain Lion will not be able to upgrade to Safari 7, which includes many structural security enhancements.

Apple told ZDNet that the company had not changed its update policy and that some older OS X versions go unpatched for architectural reasons. When Tom's Guide reached out to Apple, the company had no additional information to share.

Does simpler mean stronger?

It's certainly easier for Apple to support only one version of its desktop operating system.

"Having less platforms means having to spend less resources on testing," said Roel Schouwenberg, a security researcher with Kaspersky Lab. "Actively supporting only one platform will also serve as a major driver to get people to update to the latest, and normally most secure, release."

Furthermore, Apple already supports only one version of its other operating system, iOS. Just as many elements of Apple's mobile user experience, such as the App Store, iMessage and design touches, have been ported to the desktop, so might the company be porting the entire mobile update-and-upgrade model as well.

"Let's not forget, they made this OS update free," said independent security researcher Graham Cluley, "perhaps in an attempt to mimic the success they have had getting iOS users to run the latest version of the mobile operating system."

That makes sense, especially if you consider Mavericks to be THE security patch for Snow Leopard, Lion and Mountain Lion.

Users of all three can upgrade to Mavericks for free, and, according to online ad network Chitika, nearly 12 percent did within five days of Mavericks' release.

(Users of Mac OS X 10.5 Leopard on Intel-based Macs must either first buy Snow Leopard for $20, or get a Snow Leopard installation disk from a friend.)

Not everyone can upgrade right away

But what if you can't upgrade just yet? A photographer who works with Tom's Guide uses capture software that's not yet supported in Mavericks, for example. Should he be rendered vulnerable to hackers just because the makers of that software haven't updated their software?

Along similar lines, Western Digital last week advised users of its external hard drives to delay updating to Mavericks after many reports of data loss.  

"I think, at the very least, there should be a reasonable period of overlap where older OS versions continue to be supported, and customers can evaluate what impact upgrading would have on them," Cluley said. "It shouldn't be a 'here today, gone tomorrow' approach which just leaves you feeling like you've been mugged."

Savvy personal-computer users know to wait a month or two after the release of a new OS for any bugs to be worked out. Most corporate IT departments wait much longer than that.

"People, both end-users and software makers, need time for testing," Schouwenberg said. "Supporting the two latest releases should be the absolute minimum. But that won't be enough for a lot of businesses."

"All operating systems should have a clear life cycle, properly communicated," Cluley said. "How else are consumers and corporate users supposed to plan for the future?"

For students and administrators at Mac-heavy colleges and universities, the situation was less than ideal even before Mavericks.

Last year, a blog posting by an IT administrator at the University of Oxford accused Apple of "making minimal effort" and being "complacent in terms of [its] attitude to security and support."

"From that post, it became kind of clear that most Mac OS's only get about three years' worth of support," said Sean Sullivan, a researcher with F-Secure. "A student can’t even make it through university with full support on the same OS."

Responsible disclosure

The experts Tom's Guide spoke to believe Apple users deserve more than they're getting with the Mavericks upgrade.

"If Apple is indeed no longer supporting OSes prior to Mavericks, then [the company] must be vocal about it," Schouwenberg said. "If they've indeed made this policy change without giving their customers ample time to respond, then that's simply unacceptable."

"I don't know how they can justify it," Cluley said. "I think it's a terrible decision, if true. I'm still seeing plenty of reports of users struggling to get Mavericks to work properly with their applications."

"I don't think this is something more software makers should be doing," Sullivan said.

But, he added, "I think this is something that fits Apple’s niche. I think it is okay for Apple to do it, because people are free to vote with their wallets."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.