Apple will not provide a security update for the DigiNotar breach to people with systems running Mac OS X 10.5 or older.
Apple issued a fix for newer versions of the Mac platform on Friday to mitigate the potential threat of the DigiNotar break-in, which resulted in fraudulent certificates being issued for a number of domains, including Google.com.
Older versions of the operating system, such as Tiger and Leopard, have been left unpatched against the vulnerabilities, which could potentially lead to a man-in-the-middle attack, whereby an intruder can intercept credentials or other sensitive data.
It is the first time that the company has not issued core security updates to the Leopard and Tiger versions of the OS, leaving a question mark over whether it will deliver other security updates for the platforms in the future.
ZDNet UK contacted Apple for clarification on the status of security updates, but the company had not responded at the time of writing.
The company's decision not to provide security updates for older devices leaves businesses and consumers with older hardware in a tough position, particularly considering the PCs are often still perfectly functional, according to Joshua Long, a computer security researcher.
"Those who purchased a pre-Intel Xserve in October 2006 have only owned them for 4 years and 11 months, and those who purchased a Power Macintosh G5 in July 2006 have only owned them for a little over 5 years," Long said. "Most of these machines are still running perfectly fine, but Apple has completely cut them off from being able to receive critical security updates ever again."
"This poses a problem for some businesses and consumers who were not expecting to have to spend thousands of dollars on new hardware this year; note that the Xserve and Power Macintosh G5 in particular were high-end hardware and the most expensive models," Long added.
The security expert also notes that while Apple often selectively updates certain pieces of software, such as Safari and QuickTime, it tends to release updates only for the most recent version of its Mac OS X platform and the one preceding it.
"It should be clearly understood that security updates for Safari and QuickTime are not sufficient to make Leopard safe and secure. Since Apple is not releasing updates for the operating system itself, whenever new vulnerabilities are discovered that affect the core of Leopard, Apple will do nothing to help protect Leopard users from these vulnerabilities," Long said.
People using PowerPC machines with older versions of the operating system can reduce the risk of an attack by manually deleting the DigiNotar Root CA certificate from within Apple's Keychain Access app.