Cruelty to cats: Apple’s new security support policy?

Smilodon skull

Is Apple hoping that their own big cats will soon go the way of Smilodon?

On Tuesday of last week, Apple proudly proclaimed the launch of their latest and greatest operating system, OS X 10.9 Mavericks. After over 12 years, they’ve finally run out of big cats and moved on to Californian placenames. What’s more, they’ve even removed one of the obstacles to upgrading by making the new release available free of charge. But, as a few others have noted, there appears to be a nasty sting in the tail if you look more closely.

Among the many security advisories released by Apple on Tuesday is a slight oddity: there’s one named OS X Mavericks v10.9, released for “Mac OS X v10.6.8 and later”. Listed are over 40 separate security fixes in OS X 10.9. Clearly these can’t be fixes for bugs in 10.9, since it’s just released; they are fixes for security problems in older versions of OS X. There are no security bundles or point releases which keep you on the old release; the message seems to be that everyone should upgrade to Mavericks. As far as Apple is concerned, those big cats are on the road to extinction.

Can we be sure? No. We have no inside view of what goes on among the corridors and conference rooms of Cupertino. But we can make an educated guess on the basis of the information available. Not least because this situation is strangely familiar. Compare the security advisory for OS X Mavericks v10.9 with that for iOS 7, or indeed earlier releases of iOS. The bugs may differ, but the overall structure is the same, and we know what the support position is with iOS: if you want security patches, you run the latest version. It’s free, so what’s stopping you? Your chosen device turns out not to be supported any more? Tough. The Apple Store is that way; go and be a good little capitalist consumer.

Apple’s policy on security support

Apple don’t appear ever to have issued any official public statement regarding security support for OS X. Nevertheless in recent years a pattern has been established, which could be extrapolated to predict the likely future position. Security fixes would appear for the current version of OS X and for the previous version, although some private comments suggested that support for the previous version was not guaranteed. Occasionally fixes might even appear for the previous-but-one release, especially since Flashback malware struck in early 2012. The past few months have seen a handful of updates for 10.6.8, including Java (a vulnerability in which led to the Flasback outbreak), Safari and Quicktime, though nothing in the underlying operating system.

So why not upgrade?

Are you ready to upgrade yet?

Are you ready to upgrade yet?

You may ask why anyone would not want to upgrade to Mavericks? After all, it’s free. In 2012 I paid £20.99 to upgrade a Snow Leopard system to Lion; back in 2005 it cost me nearly sixty pounds to go from Panther to Tiger. The financial barrier to updating no longer exists.

I can think of several reasons why one might not want to upgrade, at least not yet:

Mavericks doesn’t support your hardware

You can’t really escape this one. Apple publish a minimum hardware specification for Mavericks. It’s similar, but not identical to, the requirements for Mountain Lion. There are certainly quite a few systems around which cannot be upgraded from Lion to Mountain Lion, including several in my department, although some people were simply waiting for the release of the new MacBook Pros before buying new hardware.

You avoid “dot zero” releases

It’s common for any new major software version to come with a whole load of interesting new bugs. Many people in the past have tended to wait until at least 10.n.2 before upgrading, because they don’t wish to be the ones effectively completing Apple’s beta testing. The bugs aren’t necessarily trivial, for instance the LDAP authentication bug that came with 10.7.0 which allowed users to authenticate successfully regardless of the password entered. That was no mere “teething problem” but revealed a fundamental flaw in Apple’s quality assurance.

Your applications don’t run on Mavericks

The California surf isn't for everyone just yet

The California surf isn’t for everyone just yet

Not every software vendor is involved in Apple’s beta program and able to have updates available the moment a new release appears. Here in the university, three such applications are our network backup system (based on IBM’s Tivoli Storage Manager or TSM), Sophos Anti-Virus, and our whole disk encryption service.

In the past it has taken months for IBM to release an official TSM backup client for a new OS X release. A client for an older release might work correctly but there is a risk of unexpected problems, but won’t be officially supported by IBM. We can allow users to back up at their own risk but still need to conduct some local testing. It would be irresponsible for us to let users back up without having a reasonable degree of confidence that users will be able to successfully restore their data should the need arise. [Update, 4 November: the HFS team seem confident that there are no major problems, although there remains no official support from IBM]

Depending on the application, the failure mode may or may not be immediately apparent. We have heard of one University computer being rendered unusable following an attempt to upgrade in spite of advice not to upgrade until an application incompatibility can be resolved.

Before someone starts advocating Time Machine and Filevault, yes, they have their uses, especially for a home user, but are not necessarily appropriate in our environment.

A critical feature has been removed in Mavericks

Features come and go with each release. The ones that disappear aren’t necessarily well-publicised prior to release day. As an example, a friend has reasons to depend upon SyncServices and was somewhat disgruntled to find it gone in Mavericks. Finding an appropriate alternative takes time and effort.

You don’t have the connectivity to upgrade yet

Mavericks is a 5.29GB download. 5GB is a lot larger than a typical security update, even with some of the large updates Apple have pushed out in the past. Some people are on slow or metered connections. In many rural areas, at least in the UK, the download might take several hours, during which the network may be effectively unusable for any other purpose. For people travelling, it may be several times larger than their monthly cellular data allowance or what can be downloaded over a hotel wifi connection overnight. In my case I can purchase extra allowance for my 3G stick but it would cost me £75 to do so even if everything worked perfectly. And as a major research university we have people doing fieldwork in areas of the world that can only dream of such good connectivity.

You don’t have the time to upgrade yet

Again, a big one for a university. For a typical home user, it’s fairly straightforward to set the download running, and perhaps spend a few hours sorting out a few niggles of the new release. Great for them, but it doesn’t necessarily scale. It takes significant time and effort to upgrade a classroom full of systems. If you weren’t expecting to have to upgrade them until OS X 10.10 appears on the horizon (next summer?) then the necessary resources are devoted elsewhere. Upgrading might disrupt teaching, experiments, even examinations. Months of work may need to go into the set up and testing of a new release before it can be deployed.

Now, you may say that Apple aren’t much interested in the enterprise market, and I wouldn’t disagree with you. Nevertheless they have, historically, had a huge customer base within the educational sector. It wasn’t so long ago that support for the AppleTalk networking protocol was a key requirement of the university’s backbone network.

I can’t upgrade yet; what should I do to protect my computer?

As usual it’s all about risk. Do what you reasonably can in order to protect your computer, your information, and yourself. There is no such thing as “completely safe”, but you can take measures to reduce the probability of bad things happening. We cannot predict what the next major attack against OS X will be, but the more possible risks that are addressed, the less likely it is to hit you.

Applications and plugins

Mountain Lion

How do you stay safe with a Mountain Lion?

Bear in mind that a high proportion of attacks target vulnerabilities in applications, not the underlying operating system. For instance, Flashback, the most widespread malware seen for Macs in recent years, targetted a vulnerability in Java. At the time, Java was supplied through Apple, and updates frequently appeared many weeks after their release by Oracle; this has subsequently changed. Many applications will continue to receive updates, possibly for a few years yet, but some will not and is is important to understand where the risks lie.

The most vulnerable applications are those which can receive information directly from arbitrary places in the outside world. Generally those will be your web browser and email client, together with plugins and helper applications used to handle certain kinds of content: Java, Flash, Quicktime, PDFs, Office documents.
Without a clear statement from Apple as to which they will still support on older releases, we must make an educated guess based on the evidence currently available.

Apple released updates for Safari (and the underlying Webkit library used by other applications handling web-based input) for OS X 10.7 and 10.8 last week, so there are reasonable chances that this won’t immediately be a problem.

However, it is possible that Apple Mail is only now supported on 10.9, given the inclusion of several mail-related vulnerabilities on the list of updates in 10.9. Unless you’re particularly keen on Apple Mail you may wish to consider a different email client such as Thunderbird, or simply using webmail, until you upgrade to Mavericks.

Flash is not shipped by Apple so will likely remain supported by Adobe for the time being. Despite their change in policy after Flashback, Apple have still been distributing Java updates as soon as they are released by Oracle; given the negative publicity about Flashback it is likely they will continue doing so for the time being. The situation with Quicktime is less certain.

PDF handling is by default done through Preview.app; as part of the core operating system it is likely that this may not receive further updates on 10.7 or 10.8; perhaps there is some value in considering a switch to using Adobe’s PDF reader on these platforms. For Office files, consider Microsoft Office (available at preferential rates for many University members), or the free (in multiple senses of the word) LibreOffice. If you are switching to third-party applications for particular filetypes, ensure they are configured as the default.

Follow good practice

A lot comes down to the good practice that we advocate all the time. Install antivirus software – it doesn’t guarantee 100% protection but is a lot better than nothing, and Sophos is available for free for members of the university. Ensure that all software is checking for updates on a regular basis, at least once a week (and much more frequently in the case of antivirus). Make sure any available updates get installed promptly. Consider using a firewall. OS X includes a basic software firewall: ensure it is enabled. A hardware firewall may offer better protection; many University colleges and departments have a firewall in place, and standard domestic broadband routers generally include at least a basic firewall capability. Exercise caution in opening email attachments, even if they appear to come from someone you know, or in downloading software from untrusted sources.

Plan on upgrading eventually

Finally, bear in mind that despite these measures, you still lack security support for the core operating system. Following the above advice is a stopgap measure that will prevent some (and possibly most) possible attacks, and buys you some time, but not infinite time – consider it as advice to tide you over for perhaps a few months, but certainly not years. You still need to plan to upgrade at some point, but at a time that better suits you and your work, not Apple’s marketting department.

If you have hardware that can’t run Mavericks, and can’t afford Apple’s latest hardware offerings any time soon, remember that alternate operating systems do exist. There is a software company based in Redmond who will gladly sell you an operating system for any Mac released in the last seven years, though avoid Windows XP otherwise yourself in a similar situation next April. If you are more adventurous, free alternatives exist.

Take care and stay safe.

Posted in Apple, General Security | 1 Comment

One Response to “Cruelty to cats: Apple’s new security support policy?”

  1. HenrykG says:

    Thanks Robin. An insightful and helpful article, though do I detect a whiff of apostasy?