Apple's Patching Policies Potentially Endanger Users' Security and Privacy

Apple's Patching Policies Potentially Endanger Users' Security and Privacy(intego.com)

44 points by fahd777 4 years ago | 8 comments

webmobdev 4 years ago |

If Apple isn't fixing atleast security related bugs on old Oses, then they should just declare that particular macOS version has reached end-of-life and they are not supporting it. There is no middle path here - if you are not fixing all the known security bugs that can be patched, then the whole thing is just point-less and would seem to be more about PR than security.

my123 4 years ago | |

It's much more complex than that. Security bugs have different levels of severity, with different reactions to those.

Let's for example see the Microsoft ESU policy: https://docs.microsoft.com/en-us/lifecycle/faq/extended-secu...

For Windows 7, only Critical and Important security updates are shipped to those _paying_ customers. This leaves Moderate and Low as uncovered.

For Linux: http://www.kroah.com/log/blog/2018/08/24/what-stable-kernel-...

> Older LTS release

> There is one huge caveat when using a kernel like this. The number of security fixes that get backported are not as great as with the latest LTS release, because the traditional model of the devices that use these older LTS kernels is a much more reduced user model. These kernels are not to be used in any type of “general computing” model where you have untrusted users or virtual machines, as the ability to do some of the recent Spectre-type fixes for older releases is greatly reduced, if present at all in some branches

> So again, only use older LTS releases in a device that you fully control, or lock down with a very strong security model (like Android enforces using SELinux and application isolation). Never use these releases on a server with untrusted users, programs, or virtual machines.

webmobdev 4 years ago | | |

While I am aware about different levels of severity and the need for prioritising security bugs according to their severity, I wasn't aware about this kind of security model for LTS software where not all security bugs are fixed - seems quite illogical to me (unless, ofcourse, if you are making money of it as a service).

throwntoday 4 years ago |

Apple go above and beyond the competition with their security updates and hardware support. That said I'm not gonna judge them too harshly for not supporting more than one major os version. That they even support multiple is nice. In general I think the expectation of receiving support while being one major version behind is kind of absurd. You sort of accept the risks when you decide that potential unresolved bugs aren't worth the upgrade.

concinds 4 years ago | |

The problem here is that many assume that they get to remain on Catalina or Big Sur (and before, Mojave) and enjoy full security, while waiting out the bugs on the new version. It's seen as "responsible" to stay on Big Sur, for example, until macOS 13 is released next year, and only then install Monterey, to let the public beta test it for you. Unfortunately with Apple, that's not true.

That's fine; Apple's under no obligation to have perfect security updates for older versions, and I believe many Linux distros, including the main ones (Ubuntu and Debian comes to mind, though from a while ago) have similar issues with poor backporting of security patches.

I just think more tech people should be aware of this. Now, the "responsible" thing, apparently, is to wait a week or two to see if a major update is bricking devices, and install it if not; and to install minor updates immediately. That would come as a surprise to many people who see themselves as Mac experts, who are more likely to delay updates. Tons of companies also delay updates for many months.

Apple should communicate more on this; and they should consider changing their update schedule. Windows doesn't release a new version every year; you'll run into this issue less than twice a decade, compared to yearly for the Mac.

my123 4 years ago | | |

> Windows doesn't release a new version every year

Windows does nowadays (since Windows 10)... see the major (now yearly) updates.

The major Windows releases since the Win10 OG release: 1511, 1607 (available as LTSB for businesses, Server 2016), 1703, 1709 (first ARM64 release, for the desktop SKU), 1803, 1809 (available as LTSB for businesses, Server 2019), 1903, 2004, Iron (Server 2022, not shipped on desktop), 21H2 (Cobalt, corresponding to Windows 11 on desktop).

One aspect is that an older OS might have the headline vulnerabilities patched, but not architectural bugs or additional security hardening. Those aren't generally backported to older releases.

Someone 4 years ago | |

I read this article more as a complaint about what Apple communicates about what they will do on maintenance than as one about what they do in maintenance of their software.

With some other companies (typically more business oriented), you can know the moment you buy their software how long it will be supported. See for example https://docs.microsoft.com/en-us/lifecycle/faq/windows.

For Apple, there’s https://support.apple.com/en-us/HT201624, but it only lists how long hardware is supported (that list does go back a long time, though. It’s good to have official confirmation that the Macintosh 128K is obsolete)

For Mac OS, the best you get are educated guesses from third parties. For example, https://eclecticlight.co/2021/09/22/how-long-does-apple-supp... says

“As far as macOS goes, everyone will tell you that Apple supports the current version for about a year before it’s replaced by a new major release, then provides two years of security updates for it. The strange thing about that is Apple doesn’t seem to have committed that to writing, and I’ve searched long and hard for its official policy on many occasions”

curtain 4 years ago | |

Do you feel that way for Windows 10/11?