OS X Mountain Lion users: No more security updates?

[UPDATE: An Apple spokesperson told ZDNet the company has not changed its update policy but said some older OS X versions go unpatched for architectural reasons. Apple declined to respond to a request for more details about their security update policy or for when the most recently disclosed vulnerabilities would be patched in Mountain Lion.]

Has Apple changed their policy on security updates for versions of OS X older than the current one? Apple has no documented policy on supplying such updates, but they do have a history and it seems that their actions since the release of OS X Mavericks indicate a change.

The history shows that Apple provides security updates for the prior version of OS X, and sometimes even for the version before that. They release these updates and disclose the vulnerabilities at the same time they do so for the current version. It needs to be this way because once you disclose the vulnerabilities for the current version, some large number of them will also apply to the prior version. Without an update for the prior version, its users will have unpatched vulnerabilities.

Apple has released OS X 10.9 (Mavericks) and disclosed the vulnerabilities from prior versions that are fixed in it. That disclosure makes no mention of OS X 10.8 (Mountain Lion) and the web page where security updates for prior versions of OS X are normally found has no updates for 10.8.

I have asked Apple for information on this apparent change. I have not heard from them, but if they respond I will include their response here.

Below are all OS X security updates going back to the beginning of 2012. The first one (03 Oct 2013) is anomalous; it’s a single vulnerability for a feature that may not have affected OS X 10.7 (Lion). Or perhaps it did and was a sign of things to come.

Every time since the beginning of 2012 (and before that, although I haven't included that information — see the Apple Security Updates page for the full log), every time Apple has disclosed vulnerabilities and released updates for the current version of OS X they do so, at the same time, for the prior version, except for the 03 Oct 2012 update and an odd update on 14 May, 2012, affecting only Intel versions of OS X 10.5 (Leopard). This last update disables out-of-date versions of the Adobe Flash Player; it looks like a special case and, in any case, affects the version 2 generations back.

Assuming this is a sign of a change in policy, why would Apple stop supporting older OS X versions? Any OS company would want to do this, as it means they only have to keep one version current. This also allows them to drive hardware and software purchases more effectively, as all currently supported users are running the same version.

This is also the same policy that Apple has with iOS. Whenever a new version of iOS comes out, Apple stops updating the old one. If you want support, you need to update, which also means that hardware which can't run the new hardware is, by implication, unsupported.

The downside is that users who don't upgrade are necessarily running an operating system with many disclosed, but unpatched vulnerabilities. This opens them to attack.

A policy change like this may have played a role in Apple's decision to make Mavericks free (just as iOS upgrades are free). If they are, in effect, forcing users to upgrade in order to obtain security updates, charging for the upgrade would likely engender a great deal of ill will.

Even for free, it all works out well for Apple. Contrast this apparent new policy with Microsoft's policy of supporting an OS version for 10 years (12 in the case of Windows XP). Microsoft's policy creates a huge support burden for the company and impedes their ability to move customers forward with new technologies.

Bottom line: If you were planning to take your time upgrading to Mavericks, think again. Staying on Mountain Lion just got risky.