Mountain Lion - No More Security Updates???

I'll be the first to say Apple can do more in the enterprise. However, I call BS on that article. Apple hasn't said a thing about not releasing any more security patches nor updates to their previous OS's. In fact, they still have Lion and Mountain Lion for sale. http://modmyi.com/content/12606-apple-now-selling-os-x-lion-mountain-lion-content-codes-web-site-older-macs.html

I know Apple can do more but I'm not jumping to conclusions based off something I read on the internet :P

Agreed. CNET isn't Apple. Apple has just released TWO major OS's - Mav's and iOS 7.
A slew of new hardware, and really, give 'em a break. Do you guys really need a patch today?

@mm2270
I hope your right. I still find it odd they would release 10.9, announce vuls, and not patch in the earlier OSes. I still feel like they should be letting us know (I know it is Apple), what the deal is.

I heard (this could all be bull, but I trust my source) from a buddy of mine that Apple is dealing with vuls in a whole new way with Mavericks. They are using a method of detecting stack overflows that would essentially make most malware useless as it would get shutdown at the point of trying to own the system. He says they are not even patching the OS, but using this system to remediate. If this is the case, it could explain why the update for earlier OSes is not ready/available as this system wouldn't be in earlier OSes.

@boettchs
No I don't need it today. But past history is they release patches when they announce vuls. They didn't do this. This is my point. They even go as far to say on the Security Updates page that 10.9 is the Security Update for earlier OSes.

I'm not in the business of giving Apple a break. When I'm being told to remediate vuls in 10.8 with 10.9, I take that seriously.

I think all of us Admins need to stop giving Apple a break when it comes to being quite on security. The next Mac hardware, fine. The new features in the OS, fine. When some product will release, fine. You can hide this information; I get it, the public is driven crazy waiting for these announcements and it helps Apple create 'buzz'. But security patches, no; this directly affects my business, how it operates and potential loses that holes in their OS could allow to be exploited. Is Apple going to take responsibility if one of my Macs get owned, and someone is able to steal data from my company. No they are going to say, we gave you a remediation path to Mavericks, you didn't take it. Well guess what, this forum is littered with applications we use that don't work in Mavericks (I'm looking at you Cisco). Will these get patched, yes. Will it be timely, I have no idea.

Stop giving Apple the benefit of the doubt and demand at least on this point, until they come up with answers. If/When one of your companies gets owned, you may think differently.

Anyone notice, no updates for older OSes (security update, not a dot release) with the release of 10.9.1? So much for my Apple rep's reassurances...

@bcunning][/url Yep, I've noticed. I've been waiting patiently to see what was going to happen here. As expected, Apple disappoints. Either their original 'plans' changed, or they never had any intention of releasing security patches for previous OSes. Their security KB article does actually spell that out anyway, so no real surprise there.

This really begs the question though. Did Apple intend to release updates as they said, or are they now in the business of lying to customers, or lets be nice and call it, providing 'lip service', just to get everyone off their backs? I want to believe the former, but their actions lately have me leaning more in the direction of the latter. Its shameful really.

I also wanted to note that back in Spring of this year a few of us on here had high profile meetings with Apple's internal security folks. They promised a lot of things. Other than some small token changes in how to manage XProtect, very little of what we talked about has transpired so far. We'll see what the next OS brings...

@bcunning wrote:

Anyone notice, no updates for older OSes (security update, not a dot release) with the release of 10.9.1? So much for my Apple rep's reassurances...

http://patternbuffer.wordpress.com/2013/10/22/10-9-mavericks-is-your-security-update-for-10-6-through-10-8-5/

This update to his post is interesting-

Update: 10/4/2013 While it was fun to speculate about Apple forcing us to upgrade to 10.9. It was just speculation. I now believe I was wrong and I expect Apple to release updates for older versions similar to its past behavior.

Maybe Kyle needs to revisit that, again? BTW @donmontalvo][/url][/url][/url][/url. we all know about the Apple KB articles that specifically lists 10.9 as the security update for 10.6 - 10.8. What's disturbing is that some of us received very direct and no BS words to the contrary from Apple employees after this $hit hit the fan. Here is an exact quote from someone at Apple we got in an email-

We will provide security updates for older versions of the OS, though as always, some fixes are architectural in nature and can’t be applied to older OSes. We are in fact continuing to support older versions. Nothing has changed.

So again, was Apple just lying to us? Is that what its come down to now from them?

@mm2270 Kyle sits a few cubicles over from me, I'll shoot a spit ball over to him to see if he has any insight.

I spoke with various people at Apple. For me, they all speculated that they would continue to release security patches, nothing was guaranteed by them. I think they just didn't want to believe it either. I didn't get anything as concrete as @mm2270.

@bcunning Yea, looks like that's the word on the street. Apple has been getting sloppy since outsourcing patch development these last couple years (not to mention the Maps fiasco).

It has been two months now. I was drinking the cool aid myself thinking that this would not be true. The writing seems to be on the wall. 10.6, 10.7 ok fine but 10.8? Apple is still selling it on the mac app store! We can either sit here and talk about it or contact upper apple management by email and our apple reps. They have been known to reverse course and I hope they do on this one. I cant remember the last time I felt this disappointed in Apple..... Oh! actually I just remembered. It was November 5, 2010.

Well, it may not be all doom and gloom just yet. I stand (somewhat) corrected. My Apple rep pointed out that Apple released some Safari updates for 10.7.5 and 10.8.5 along with 10.9.1 that are actually listed as security updates. See here:
http://support.apple.com/kb/HT1222

Although this doesn't address all the vulns that were patched with Mavericks, at least its something. I don't know that we'll ever really see the "Security Update 2013-xxx" style updates anymore for older OSes though. Looks like it will be core application updates only. Time will tell I guess.

@mm2270, I saw that, but really that is only one piece of the puzzle. If they are not remediating the core OS, what good one off app updates?

I'm willing to bet hackers are noticing this, and they are noticing that 10.9 has not exactly caught on as much as Apple had hoped. By my calculation of web stats (via netmarketshare.com), 10.9 is only about 1/3 of the Mac install base (going back to 10.5).

Just sad that Apple won't be honest with Enterprise customers. They constantly ask me how they can make it easier to get Macs into our environment...I can think of a few: patch your older OSes, release new hardware that will run on the last OS (retina Macs only run 10.9 and they discontinued the older MBP) and be more forthcoming with your future plans (Nothing drives IT management more crazy then being surprised by tech companies).

Wow...if only the 31% Windows XP users knew what they were missing (yea, probably enterprise users).

http://donmontalvo.com/jamf/jamfnation/holy-moly-internet-os-breakdown.pdf

So a co worker of mine just pointed out a good find and confirms what our apple reps have told us.

In 10.8.5 if you go into software update.

Look at the option "Install system data files and security updates"

That almost tells me the mechanism has changed.

That's been around since 10.8. Nothing new.

http://support.apple.com/downloads

There ya go...

Or:

http://support.apple.com/kb/ht1222

nm