Apple clarifies security update policy: Only the latest OSes are fully patched

  News
image_pdfimage_print
The default wallpaper for macOS 11 Big Sur.
Enlarge / The default wallpaper for macOS 11 Big Sur.

Earlier this week, Apple released a document clarifying its terminology and policies around software upgrades and updates. Most of the information in the document isn’t new, but the company did provide one clarification about its update policy that it hadn’t made explicit before: Despite providing security updates for multiple versions of macOS and iOS at any given time, Apple says that only devices running the most recent major operating system versions should expect to be fully protected.

Throughout the document, Apple uses “upgrade” to refer to major OS releases that can add big new features and user interface changes and “update” to refer to smaller but more frequently released patches that mostly fix bugs and address security problems (though these can occasionally enable minor feature additions or improvements as well). So updating from iOS 15 to iOS 16 or macOS 12 to macOS 13 is an upgrade. Updating from iOS 16.0 to 16.1 or macOS 12.5 to 12.6 or 12.6.1 is an update.

“Because of dependency on architecture and system changes to any current version of macOS (for example, macOS 13),” the document reads, “not all known security issues are addressed in previous versions (for example, macOS 12).”

In other words, while Apple will provide security-related updates for older versions of its operating systems, only the most recent upgrades will receive updates for every security problem Apple knows about. Apple currently provides security updates to macOS 11 Big Sur and macOS 12 Monterey alongside the newly released macOS Ventura, and in the past, it has released security updates for older iOS versions for devices that can’t install the latest upgrades.

This confirms something that independent security researchers have been aware of for a while but that Apple hasn’t publicly articulated before. Intego Chief Security Analyst Joshua Long has tracked the CVEs patched by different macOS and iOS updates for years and generally found that bugs patched in the newest OS versions can go months before being patched in older (but still ostensibly “supported”) versions, when they’re patched at all.

This is relevant for Mac users because Apple drops support for older Mac and iDevice models in most upgrades, something that has accelerated somewhat for older Intel Macs in recent years (most Macs still receive six or seven years of upgrades, plus another two years of updates). This means that every year, there’s a new batch of devices that are still getting some security updates but not all of them. Software like the OpenCore Legacy Patcher can be used to get the newest OS versions running on older hardware, but it’s not always a simple process, and it has its own limitations and caveats.

That said, this probably shouldn’t dramatically change your calculus for when to upgrade or stop using an older Mac. Most people running an up-to-date Big Sur or Monterey installation with an up-to-date Safari browser should be safe from most high-priority threats, especially if you also keep the other apps on your Mac updated. And Apple’s documentation doesn’t change anything about how it updates older software; it merely confirms something that had already been observed.

We’ve asked Apple to be more upfront about its security communication, and this is a step forward in that regard. But if you believe you’re being specifically targeted by attackers, you have another reason to make sure your software (and hardware) are fully updated and upgraded.

https://arstechnica.com/?p=1893235