OS X Mountain Lion: Still unsupported and vulnerable

Summary: One month after the release of OS X Mavericks and the disclosure of 48 vulnerabilities in Mountain Lion, Apple has not released any updates to fix these or any other problems in Mountain Lion.

One month ago today, Apple killed off OS X 10.8, a.k.a. Mountain Lion.

It wasn't a big, or even small news story at the time. There was no mournful funeral procession, no clamor to find out whodunnit. In fact, based on the reaction I received when I first suggested that Apple had killed Mountain Lion, many refused to believe it was dead. To this day, I think I'm the only one to write about it. Even Wikipedia, that ultimate repository of the truth, still lists OS X Mountain Lion as 'Supported'.

How did the killing of a prominent operating system go unnoticed? Death came to Mountain Lion in a passive way: On October 22, 2013 Apple released OS X 10.9, a.k.a. Mavericks. In the past, at least for the past few versions, whenever Apple released security updates for a version of OS X, and those vulnerabilities affected prior supported major versions of OS X, they would release the updates for all supported versions at the same time. There's a clear logic for this practice: Once the vulnerabilities are disclosed and the updates are released, users of any versions for which there are no updates are vulnerable to attack.

This is the situation in which users of Mountain Lion (and Lion and any other prior version) find themselves. On October 22, as they released Mavericks, Apple disclosed 48 vulnerabilities in Mountain Lion that were fixed in Mavericks. They did not release an update for Mavericks to patch these vulnerabilities, as they have done in the past for prior, supported versions.

Many readers and outside observers told me they were skeptical, and that of course Apple could still release the updates. Of course they could. The problem is that it's a month now and there's no reason to believe they will. Indeed, without saying anything specific about any specific versions, Apple told me that they have not changed their policies about updating operating systems. If this is true, and if their past practices are indicative of their policy, then they have stopped supporting Mountain Lion.

I'd like to wait to see the next set of NetMarketShare numbers on it, but clearly there are still a lot of people running Mountain Lion. I know of one person who upgraded to Mavericks and then downgraded back to Mountain Lion. You have to be pretty desperate to go this route, as reverting a system backwards from Mavericks is no picnic.

I know of no actual attacks on Macs using these vulnerabilities, but if I were writing malware I would see them as a big fat invitation to attack. All those users on Mountain Lion (and Lion) are vulnerable and there's nothing they can do but upgrade.

Why would Apple do this? I stand by my earlier theory: Much was made of Apple's decision to make Mavericks free. The significance I attach to it is that they are bringing their OS X and iOS upgrade and pricing policies in line: Now both are free and only one version is supported at a time. All users must upgrade to the next version in order to receive support, including security updates.

Complaints about bugs in Mavericks are common; my colleague David Gewirtz thinks Apple should call Mavericks beta. Of course they would never do this anyway, but doing so now would mean that there would be no shipping, supported version of OS X. Even so there would still be a hard core of fanboys who will take whatever abuse Apple heaps on them and beg for more.

Topics: Security, Apple, iOS

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
