OS X Mountain Lion users: No more security updates?


Summary: Have you not yet updated to OS X Mavericks? You better get on the ball because it appears, counter to prior practice, Apple won't be providing security updates to earlier versions anymore.

TOPICS: Security, Apple

[UPDATE: An Apple spokesperson told ZDNet the company has not changed its update policy but said some older OS X versions go unpatched for architectural reasons. Apple declined to respond to a request for more details about their security update policy or for when the most recently disclosed vulnerabilities would be patched in Mountain Lion.]

Has Apple changed their policy on security updates for versions of OS X older than the current one? Apple has no documented policy on supplying such updates, but they do have a history and it seems that their actions since the release of OS X Mavericks indicate a change.

The history shows that Apple provides security updates for the prior version of OS X, and sometimes even for the version before that. They release these updates and disclose the vulnerabilities at the same time they do so for the current version. It needs to be this way because once you disclose the vulnerabilities for the current version, some large number of them will also apply to the prior version. Without an update for the prior version, its users will have unpatched vulnerabilities.

Apple has released OS X 10.9 (Mavericks) and disclosed the vulnerabilities from prior versions that are fixed in it. That disclosure makes no mention of OS X 10.8 (Mountain Lion) and the web page where security updates for prior versions of OS X are normally found has no updates for 10.8.

I have asked Apple for information on this apparent change. I have not heard from them, but if they respond I will include their response here.

Below are all OS X security updates going back to the beginning of 2012. The first one (03 Oct 2013) is anomalous; it’s a single vulnerability for a feature that may not have affected OS X 10.7 (Lion). Or perhaps it did and was a sign of things to come.



| Date | Update | Affected Products |
|---|---|---|
| 03 Oct 2013 | OS X v10.8.5 Supplemental Update | OS X Mountain Lion v10.8 to v10.8.5 |
| 12 Sept 2013 | OS X Mountain Lion v10.8.5 and Security Update 2013-004 | Mac OS X v10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.4 |
| 02 July 2013 | Security Update 2013-003 | Mac OS X v10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8.4 |
| 04 June 2013 | OS X Mountain Lion v10.8.4 and Security Update 2013-002 | Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.3 |
| 14 Mar 2013 | OS X Mountain Lion v10.8.3 and Security Update 2013-001 | Mac OS X 10.6.8, OS X Lion v10.7.5, OS X Mountain Lion v10.8 and v10.8.2 |
| 19 Sept 2012 | OS X Mountain Lion v10.8.2, OS X Lion v10.7.5 and Security Update 2012-004 | Mac OS X 10.6.8, OS X Lion v10.7 to v10.7.4, OS X Mountain Lion v10.8 and v10.8.1 |
| 14 May 2012 | Leopard Security Update 2012-003 | Mac OS X v10.5 to 10.5.8 (Intel) |
| 09 May 2012 | OS X Lion v10.7.4 and Security Update 2012-002 | Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3 |
| 01 Feb 2012 | OS X Lion v10.7.3 and Security Update 2012-001 | Mac OS X v10.6.8, OS X Lion v10.7 to v10.7.2 |

Since the beginning of 2012 (and before that, although I haven't included that information; see the Apple Security Updates page for the full log), every time Apple has disclosed vulnerabilities and released updates for the current version of OS X, it has done so at the same time for the prior version, except for the 03 Oct 2012 update and an odd update on 14 May 2012, affecting only Intel versions of OS X 10.5 (Leopard). This last update disables out-of-date versions of the Adobe Flash Player; it looks like a special case and, in any case, affects the version two generations back.

Assuming this is a sign of a change in policy, why would Apple stop supporting older OS X versions? Any OS company would want to do this, as it means they only have to keep one version current. This also allows them to drive hardware and software purchases more effectively, as all currently supported users are running the same version.

This is also the same policy that Apple has with iOS. Whenever a new version of iOS comes out, Apple stops updating the old one. If you want support, you need to update, which also means that hardware which can't run the new version is, by implication, unsupported.

The downside is that users who don't upgrade are necessarily running an operating system with many disclosed but unpatched vulnerabilities. This opens them to attack.

A policy change like this may have played a role in Apple's decision to make Mavericks free (just as iOS upgrades are free). If they are, in effect, forcing users to upgrade in order to obtain security updates, charging for the upgrade would likely engender a great deal of ill will.

Even for free, it all works out well for Apple. Contrast this apparent new policy with Microsoft's policy of supporting an OS version for 10 years (12 in the case of Windows XP). Microsoft's policy creates a huge support burden for the company and impedes their ability to move customers forward with new technologies.

Bottom line: If you were planning to take your time upgrading to Mavericks, think again. Staying on Mountain Lion just got risky.

  • So We are Not getting Mavericks for free After all....

    Security Updates coming to an end for Mountain Lion is a high price to pay indeed for those not wanting to upgrade to Mavericks.

    I am both surprised and disappointed that Apple have taken this decision.
    • Free Mavericks

      Mavericks is not free for everyone, for example if you run OS-X Leopard you need to first buy the update to Snow Leopard, check this out:
      • Upgrade from Leopard

        Yep, that would cost you the whopping $20.

        Thing is, Leopard does not support the App Store, and there is no way you can technically get Mavericks from Leopard. You could just run the Mavericks installer from removable media (copy it off Applications after downloading on a post-Snow Leopard system). It might actually work.
        • Just like with the Hackintosh hobby,

          there are apps that take an App Store installer (Lion, Mountain Lion, and now Mavericks) and turn them into bootable flash drives. Apple themselves have even released an app for this, though I don't think it supports offline installation the way some of the 3rd party apps do.
      • Staged upgrade

        Oh, you mean they would have to do an intermediary upgrade and pay for it just like users of Windows 7, Vista or XP will have to do to get to 8.1? Only instead of paying $199 for the intermediary OS, Apple users will have to pay the full price of $20? I am not so certain that sounds like a rip-off.

        Microsoft is ending support for XP on April 8th, 2014. Should Apple continue to support updates for all of its prior versions? I think not when they are pretty much giving away the current version for free to those who performed standard maintenance and kept their machines up-to-date.
        • But what about the Enterprise

          Just "keeping your machine up to date", might work fine as a strategy for home users. But what about IT departments that were dopey enough to start using Macs as corporate machines. When you upgrade an O/S in that environment, you raise all kinds of compatibility issues with applications the business needs to run.
        • XP is 12 years old.

          Windows XP will have been supported for 13 years when Microsoft finally pulls the plug next year.

          Has Apple supported any of its software for that long? Didn't think so.

          Apple can afford to virtually give away its operating system, it makes money from hardware, itunes etc. That said, I think Microsoft would benefit from making 8.1 freely available, or at least cheap.
    • So far, this is speculation, so no need to pass judgement

      on Apple yet.
      • Not entirely

        It's not speculation, it's inference based on Apple's actions and their history. Like I said in the article, I asked them for a comment. They still haven't got back to me and I doubt they will. Under such circumstances you can never prove they have stopped updating Mountain Lion because they always might in the future.
        • Speaking of history

          Given they just released a security update for 10.6.8 last month, don't you think it's more likely than not that they'll continue to release critical security updates for a while for at least 10.8 if not older versions as well, as long as they have a significant percentage of users on those OS versions? I mean 10.6 first came out over 3 years ago and is still supported. It's worth noting that the 10.6.8 update came out AFTER 10.7 was released to the public. I would just as easily speculate based on "their history" that they could even still release a 10.8.6 update at any time to address major security holes.
          • It really doesn't make sense

            Remember, the disclosed bugs fixed in Mavericks were bugs in Mountain Lion. They are currently unpatched in ML. That's why they have always (see the table above) released the updates for different versions at the same time.

            And I think your timeline is wrong. According to the security updates page (http://support.apple.com/kb/HT1222) 10.6.8 was released on June 23, 2011. Lion was released July 20 of that year (http://www.apple.com/pr/library/2011/07/20Mac-OS-X-Lion-Available-Today-From-the-Mac-App-Store.html). Note that there are no vulnerability disclosures for the 10.7 release. That's because they were already disclosed the prior month in the 10.6.8 release.
        • ...and more recently

          10.8 was released on July 25, 2012. Guess when 10.7.5 came out? The last build of that was released October 4, 2012.
          • Sorry, you're mistaken

            10.8 and 10.8.1 were released before 10.7.5 because they had no security updates in them. 10.7.5 was released simultaneously with 10.8.2 (and an update for 10.6.8). (http://support.apple.com/kb/HT5501)
    • when did Apple

      say they aren't doing security updates for Mountain Lion? I didn't hear them say that at the announcement.
      • beside the point

        They never announce that they are no longer providing updates for products, and yet they do that all the time. Unlike some other companies, Apple provides no information on product lifecycles. You have to infer whether they are from circumstances. I explain in this article why circumstances indicate that they will no longer be updating OS X versions prior to Mavericks.
        • Tiger

          ISTR that they announced that Tiger would not be supported any more. They also announced the end of support for PowerPC based Macs a while back as well.

          They aren't big announcements, but they have mentioned it by-the-by.
          • ISTR?

            I don't STR it. If you can come up with an actual announcement I'll feel differently.
    • It's better for users to have the latest OS

      Apple releases security patches for OSs when they have one to release. As people get off of older computers, then they have less reason to continually spend time and money on something no one uses.

      Apple has less of a concern about older versions of OS than Microsoft. There are still a lot of XP users that refuse to upgrade and their support goes away REAL soon.
      • I'd like to...

        upgrade, but Apple won't let me. My iMac still runs nicely, if a little slow, but Apple have blocked it from upgrading to the last 2 versions of OS X (ML and Mavericks).
      • newer OS releases are often not better - often they are worse...

        depending on the environment, WD drives corruption or whatever. Many people wait until the 10.x.3 updates before taking the leap. Sometimes the newer features are not compelling for one's needs. Sometimes they drop cool little features that are still compelling (FrontRow is kinda cool for TV & Movie libraries) and sometimes in certain environments you need to keep older OSes for compatibility - with professional apps - that are required for a job - or your livelihood.

        While all these still work, the fact that Apple has not patched 10.8 is dumb. Apple is lazy on this. Maybe some people like Mountain Lion over Mavericks? The cost is too high ... Apple should drop their OS X/Mac line and give it to a company that gives a damn.
        Bee Ryan