Apple and security support

In a companion article I discuss Mac malware, and how it has recently become much more of a problem than was previously the case. Besides Apple’s apparently slow response to a recent vulnerability and their general air of secrecy, one of the problems the attacks have highlighted is Apple’s product support lifecycles, which are much shorter than in the Windows world. Many users are unaware of the issue and will not realise that their systems may be insecure as a result.

Software support

[Image: Mountain Lion] Mountain Lion is released this summer...

Let’s look first at software. To the best of our knowledge, Apple do not officially state their software support policy anywhere, but from what we can gather they only support the two most recent versions of OS X. Currently those are 10.6 (Snow Leopard) and 10.7 (Lion). 10.6 was released in August 2009, which means that any Mac purchased before that date and not subsequently upgraded is running a version which receives no security support. That is a system purchased under three years ago. Granted, users can upgrade – but at a cost, and users don’t like being told that they have to spend money. Moreover, 10.8 is due out sometime this summer; based on past experience, we can expect 10.6 systems to lose security support once that happens.

[Image: Snow Leopard] ...but where will that leave security support for Snow Leopard?

Compare that to the situation in the Windows world. Windows XP was released in summer 2001, and will receive security support until April 2014 – twelve and a half years after its release, over seven years after it ceased to be the “current” Windows version, and, even for those who refused to touch Vista, nearly five years after the release of Windows 7. During that time its functionality has been improved considerably by the release of three service packs, available at no charge. Windows Vista and 7 are both scheduled to get over ten years of security support. With around two years between OS X releases, Apple have been struggling to reach four years, and unless their support policy changes as they move to an iOS-style annual release cycle, that could come down to two years.

Now, granted, users can upgrade to a newer OS X release than their system came with. Plenty of users are unlikely to bother unless forced: their system seems perfectly adequate, so why spend money and risk breaking it? One college has reported almost 50 systems known to their student registration system running OS X 10.5 or earlier.

Hardware support

But there comes a point at which a system can be upgraded no further. With Apple hardware, that can happen surprisingly rapidly. 10.6 does not support PowerPC-based hardware (last sold new during 2006); 10.7 does not support 32-bit Intel systems – most were superseded in late 2006, but in the case of the Mac Mini, not until August 2007. 10.8 is expected to be released this summer and will drop support for still more recent systems, including any MacBook made before late 2008, although 10.7 should continue to be supported on those.

Thus in little over five years, it’s not just that the latest version of OS X may not run on your hardware, but that no currently-supported version of OS X will. If you want security support, buy a new system. Or change operating system. For old PowerPC systems, that limits you to certain distributions of open-source operating systems (e.g. OpenBSD or Debian GNU/Linux) – in reality probably not something the average user is willing to consider. If 10.6 loses security support this summer, the best option for owners of early Intel Macs will most likely be to install Windows, heretical as that may sound to many Mac users. Vista is probably good until 2017, and if the hardware is up to Windows 7, they have until 2020.
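As an added example (not code from the original post), the following Python audits a constructed Mac inventory under the observations above: only the two most recent OS X releases receive security support, PowerPC hardware cannot go beyond 10.5, and 32-bit Intel hardware cannot go beyond 10.6. Hostnames and inventory rows are constructed sample data; the 10.8 cut of pre-late-2008 MacBooks is not modelled, so 64-bit Intel is simply given a ceiling of 10.7.

```python
"""Audit a Mac inventory for OS X security-support status.

Added example, not from the original post. Assumes the post's
observations: only the two most recent OS X releases are supported,
10.6 dropped PowerPC, 10.7 dropped 32-bit Intel. The inventory rows
below are constructed sample data, not a real registration export.
"""
from typing import Dict, List, Tuple

# Highest OS X release each hardware class can run (post's observations;
# the 10.8 cut of pre-late-2008 MacBooks is not modelled here).
HARDWARE_CEILING: Dict[str, Tuple[int, int]] = {
    "ppc": (10, 5), "i386": (10, 6), "x86_64": (10, 7)}

# Constructed sample inventory: (hostname, architecture, installed OS X)
INVENTORY = [
    ("ibook-01", "ppc", "10.4.11"),
    ("mini-02", "i386", "10.5.8"),
    ("mbp-03", "x86_64", "10.6.8"),
    ("imac-04", "x86_64", "10.7.4"),
]


def parse_version(s: str) -> Tuple[int, int]:
    """'10.6.8' -> (10, 6); the patch level does not affect support."""
    major, minor = s.split(".")[:2]
    return int(major), int(minor)


def supported_releases(current: str, n: int = 2) -> List[Tuple[int, int]]:
    """The n most recent 10.x releases up to and including `current`."""
    major, minor = parse_version(current)
    return [(major, minor - i) for i in range(n)]


def audit(inventory, current: str = "10.7") -> Dict[str, str]:
    """Classify each host as 'supported', 'upgrade' (a supported release
    will still run on this hardware) or 'hardware-ceiling' (none will)."""
    supported = supported_releases(current)
    oldest_supported = min(supported)
    result = {}
    for host, arch, installed in inventory:
        if parse_version(installed) in supported:
            result[host] = "supported"
        elif HARDWARE_CEILING[arch] >= oldest_supported:
            result[host] = "upgrade"
        else:
            result[host] = "hardware-ceiling"
    return result
```

Call `audit(INVENTORY)` for the position today and `audit(INVENTORY, "10.8")` for the position the post expects once Mountain Lion ships; the second run shows the 32-bit Mac Mini moving from "upgrade" to "hardware-ceiling".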

Five years is not a long time to retain a computer, especially in these cash-strapped times. In many departments, it will be their typical hardware replacement cycle, while others don’t even have one. Privately-owned systems may well remain in use until the hardware gives up. For the environmentally-conscious, throwing away perfectly functional machines is hugely wasteful (Apple have made considerable efforts to improve their green credentials in recent years), and the secondhand market relies on people not knowing or caring about the lack of security support, or being willing to run alternate operating systems.

In the PC world, many machines made last century can still make a decent stab at running Windows XP. It would be good to see Apple commit to their hardware being able to run a supported operating system for longer, with a minimum perhaps in the range seven to ten years. The supported operating system needn’t be what the machine shipped with for all that time, nor the current version, nor need all the whizzy new features of newer versions be available (just as Windows Vista would run better on old machines with Aero disabled). The important thing is that the hardware is still fit for use rather than the scrapheap.

The cost

Now, improving support lifetimes is going to cost money, and may deter a few customers from upgrading to newer Apple systems. But equally, customers are going to be less keen to stick with Apple if they learn that Apple are not looking after them. Apple may not have much of a place in the enterprise market, but they do in the educational market, and people like us exist to ensure that people do care about security. And let’s face it, these days Apple are most definitely not short of cash.

Now, please don’t get me wrong: there is much about Apple that I like, and I use Apple products daily. I appreciate that Apple are also out there to make money. But they have been complacent in terms of their attitude to security and support, especially when compared to their chief competitor. Microsoft have learned a huge amount from past mistakes, support their products for many years, and these days I feel do an excellent job. By comparison, Apple appear to be making minimal effort, and are putting their customers at risk as a result.

So in summary, I’d like to see from Apple the following:

  • Timely security updates
  • Greater openness regarding security issues
  • Minimum hardware and software support lifetimes stated clearly up-front
  • Longer operating system security support lifetimes: at least five years
  • Hardware that runs a supported operating system version for longer: minimum of seven years perhaps?

Whether anything will change any time soon remains to be seen, but as the threats towards Macs increase, surely Apple cannot afford to stand still.

Posted in Apple, General Security

13 Responses to “Apple and security support”

  1. [...] There is however a nasty catch with operating system updates, of which many users will be unaware: Apple security support lifetimes are much shorter than in the Windows world. This is an issue which we discuss further in a second post. [...]

  2. [...] Robin Stevens, part of the University of Oxford’s network security team, said in a blog post last [...]

  9. [...] users. Robin Stevens, of the University of Oxford’s Computing Services, said on his blog that Apple is “complacent in terms of its attitude towards security and support, [...]

  12. [...] questions go beyond Adobe. Robin Stevens, a member of Oxford University’s network team recently claimed that Apple will be forced to engage in similar practices now that it’s moving to a yearly [...]