OS X Mountain Lion users: No more security updates?

Summary: Have you not yet updated to OS X Mavericks? You better get on the ball, because it appears that, counter to prior practice, Apple won't be providing security updates to earlier versions anymore.

[UPDATE: An Apple spokesperson told ZDNet the company has not changed its update policy but said some older OS X versions go unpatched for architectural reasons. Apple declined to respond to a request for more details about their security update policy or for when the most recently disclosed vulnerabilities would be patched in Mountain Lion.]

Has Apple changed their policy on security updates for versions of OS X older than the current one? Apple has no documented policy on supplying such updates, but they do have a history and it seems that their actions since the release of OS X Mavericks indicate a change.

The history shows that Apple provides security updates for the prior version of OS X, and sometimes even for the version before that. They release these updates and disclose the vulnerabilities at the same time they do so for the current version. It needs to be this way because once the vulnerabilities in the current version are disclosed, a large number of them will also apply to the prior version. Without an update for the prior version, its users are left with publicly known, unpatched vulnerabilities.

Apple has released OS X 10.9 (Mavericks) and disclosed the vulnerabilities from prior versions that are fixed in it. That disclosure makes no mention of OS X 10.8 (Mountain Lion) and the web page where security updates for prior versions of OS X are normally found has no updates for 10.8.

I have asked Apple for information on this apparent change. I have not heard from them, but if they respond I will include their response here.

Below are all OS X security updates going back to the beginning of 2012. The first one (03 Oct 2013) is anomalous; it’s a single vulnerability for a feature that may not have affected OS X 10.7 (Lion). Or perhaps it did and was a sign of things to come.

| Date | Update | Affected Products |
|---|---|---|
| 03 Oct 2013 | OS X v10.8.5 Supplemental Update | OS X Mountain Lion v10.8 to v10.8.5 |
| 12 Sept 2013 | OS X Mountain Lion v10.8.5 and Security Update 2013-004 | Mac OS X v10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.4 |
| 02 July 2013 | Security Update 2013-003 | Mac OS X v10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8.4 |
| 04 June 2013 | OS X Mountain Lion v10.8.4 and Security Update 2013-002 | Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 |
| 14 Mar 2013 | OS X Mountain Lion v10.8.3 and Security Update 2013-001 | Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.2 |
| 19 Sept 2012 | OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004 | Mac OS X 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Mountain Lion v10.8 and v10.8.1 |
| 14 May 2012 | Leopard Security Update 2012-003 | Mac OS X v10.5 to 10.5.8 (Intel) |
| 09 May 2012 | OS X Lion v10.7.4 and Security Update 2012-002 | Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 |
| 01 Feb 2012 | OS X Lion v10.7.3 and Security Update 2012-001 | Mac OS X v10.6.8, OS X Lion v10.7 to v10.7.2 |

Every time since the beginning of 2012 (and before that, although I haven't included that information; see the Apple Security Updates page for the full log) that Apple has disclosed vulnerabilities and released updates for the current version of OS X, they have done so, at the same time, for the prior version. The only exceptions are the 03 Oct 2013 update and an odd update on 14 May 2012 affecting only Intel versions of Mac OS X 10.5 (Leopard). That last update disables out-of-date versions of the Adobe Flash Player; it looks like a special case and, in any case, affects the version two generations back.

Assuming this is a sign of a change in policy, why would Apple stop supporting older OS X versions? Any OS company would want to do this, as it means they only have to keep one version current. This also allows them to drive hardware and software purchases more effectively, as all currently supported users are running the same version.

This is also the same policy that Apple has with iOS. Whenever a new version of iOS comes out, Apple stops updating the old one. If you want support, you need to update, which also means that hardware which can't run the new version is, by implication, unsupported.

The downside is that users who don't upgrade are necessarily running an operating system with many publicly disclosed but unpatched vulnerabilities, which exposes them to attack.

A policy change like this may have played a role in Apple's decision to make Mavericks free (just as iOS upgrades are free). If they are, in effect, forcing users to upgrade in order to obtain security updates, charging for the upgrade would likely engender a great deal of ill will.

Even for free, it all works out well for Apple. Contrast this apparent new policy with Microsoft's policy of supporting an OS version for 10 years (12 in the case of Windows XP). Microsoft's policy creates a huge support burden for the company and impedes their ability to move customers forward with new technologies.

Bottom line: If you were planning to take your time upgrading to Mavericks, think again. Staying on Mountain Lion just got risky.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
