Mountain Lion - No More Security Updates???

Munkeee
New Contributor III

I apologize if this topic has already come up, I didn't see it.

So, Apple hasn't released any security updates for Mountain Lion (or earlier OSes) along with the release of Mavericks. I sent an email to my Apple Systems Engineer and he could not confirm or deny if they would release one (mostly as he doesn't know).

I don't know about the rest of you, but this puts me (and my company) in a bad position. We cannot turn around an OS update for our Mac users as fast as we would like. We have application dependencies that need to be vetted. We need to setup our ability to image, netboot and do many things to make sure we can manage Mavericks.

I think it is unacceptable that Apple didn't give us a clear heads up that this was coming. It is irresponsible of Apple to release an OS without a security patch for the previous OS (esp when you include a notice of what has been patched); thereby giving hackers all the information they need to exploit the last version of your OS.

So what is my point? If your in the same situation as me, I suggest you contact your Apple Reps (or send an email to Tim Cook) to vent your frustration with this move. While I understand their need to move user's forward to the latest OS, they have infuriated the very people (at least this one) at enterprises that they need on their side.

45 REPLIES 45

stevewood
Honored Contributor II
Honored Contributor II

There's nothing new in the way Apple released this OS update. They've done the same thing for every version of OS X that they've released. They release a new version of the OS and typically continue to support/patch 2 versions back. While they did not release a security update this week, that's not to say they do not have one already in the pipeline.

I would imagine we will not see another point release of Mountain Lion, but we will continue to see security patches for Mountain Lion until 10.11 is released. That's my opinion and in no way reflects any insider knowledge I have, other than the years of experience I have supporting Apple in the enterprise.

Apple has never released a "clear" road map for hardware or software. You could argue that their beta builds that are released to the developers could constitute a road map of sorts. I know that other vendors do release road maps, and that allows the enterprise players to prepare for what's coming, but Apple is NOT an enterprise company. There was a comment in one of the JNUC sessions last week about Apple and the enterprise, and I cannot remember it, but it was a good description of what Apple is to the enterprise. Hopefully someone else was in that session and remembers.

Anyway, I applaud your desire to write to Tim Cook and to Apple to let them know your feelings, but I have a feeling it will not sway the way they do business one bit.

scottb
Honored Contributor

Mt Lion was just updated to 10.8.5 and Apple is still releasing security updates for 10.6.8. A security update was released for Lion in September. Apple typically does not stop security-based updates for some time. Rather than getting heated about something that hasn't happened, look at the past actions of Apple.
Apple is well-known for not putting out roadmaps, but over time you learn how they work.
Not sure what's so infuriating about this release. Nothing new - we all have the same challenges. And at least now we don't have to manage licenses for OS upgrades. That's a huge plus when it does come time to rollout.

scottb
Honored Contributor

@stevewood. That's just scary… :)

rtrouton
Release Candidate Programs Tester

I don't know the comment in question, but Andy Ihnatko summed it up perfectly during his talk at MacTech 2011:

"Apple doesn't care about you."

This is not necessarily a bad thing. It just means that Apple is only taking their own concerns into account when they make decisions.

scottb
Honored Contributor

Well, no company "cares about us". Apple just has their own way, and over time, most have figured out how it works. Join the dev team and you can get seeds to test and be slightly more aware of the releases upcoming, as well as having the software to test/vet.
I know the Wintel guys go through the same crap, but they do get a better roadmap from MS. But what good is a map that leads you off of a cliff? :)

Munkeee
New Contributor III

Every major OS release (10.8, 10.7 etc) included a Security Patch the same day. Previous to 10.8, Apple had only patched the previous OS (with 10.8 it is true they did patch back to 10.6). You can read up on the history and theory of what is going on here...

http://www.zdnet.com/os-x-mountain-lion-users-no-more-security-updates-7000022322/

This all explains why Mavericks is free to every OS back to 10.6 and all hardware that can run. 10.9 is the security patch.

I fully understand that Apple doesn't give roadmaps; I know this. I've been doing this long enough (10 years) to know that. But I do believe they care about marketshare, and the enterprise can have a big affect on this. Regardless, they are leaving all of us in a bad place.

And rtrouton, your right, 'they don't care about us'. I've said this long before Mr. Ihnatko.

Trust me when I tell all of you; I hope I am wrong, wrong, wrong! I just don't think I am.

scottb
Honored Contributor

Well, at some point it becomes expensive and time-consuming to support years-old OS's. I can barely remember how to support 10.6 even though I spent countless hours on it with clients. It seems smart to reasonably push people to move forward. We're talking support now for four OS versions. Dunno. if the sky falls I'll worry about it then. Of course it doesn't hurt to email your Apple reps or just Apple. They do on occasion listen.

Munkeee
New Contributor III

To boettchs point about the Developer program...
Being part of Apple's dev program only saves me a couple weeks of development really. Ultimately I'm at the mercy of software companies and their compatibility with Mavericks. And when you talk about systems with backend servers and clients in a large enterprise, you can be talking months until were ready to move....

mm2270
Legendary Contributor III

It is stupid that they aren't releasing security updates for older OSes from here on out. I can understand them dropping say, 10.6 and even 10.7 support, but to drop security updates for the OS that up until just a couple of days ago was the latest public release seems crazy to me. I'd be happy if they kept up security updates for 1 release back. So, as long as 10.9.x is the latest, continue to support 10.8. Even if that required that the Macs be running 10.8.5 it would be acceptable. Once the next major release is out, drop support for 10.8 and keep up updates for 10.9, that sort of thing.
Dropping all security updates for the last version immediately after a new release though really isn't acceptable.

nessts
Valued Contributor II

I am with Apple on this one shockingly, I would much rather have a good standpoint to tell my users sorry i cannot support that 10.6 any longer. Of course i have stupid license servers running on 10.6 servers in some locations because the vendor cannot update their license server, and really at this point i am running those Xserves in the condition they are in until they die, but that is what virtual machines are for.

nessts
Valued Contributor II

10.8.5 came out just a few weeks ago, why do you want another update already? is it necessary? is there a known bug in 10.8 that needs addressed?
and lets see this is year 3 of yearly OS updates, plan for it, its an agile world you live in when dealing with apple, if you can roll with apple you can make your Windows team look like slugheads because they are still supporting an OS from the previous Century :)

mm2270
Legendary Contributor III

"is there a known bug in 10.8 that needs addressed?"

Actually, yes. If you look at the article, Apple announced that vulnerabilities that exist in 10.8 were patched in 10.9, but no forthcoming patch for 10.8 to fix those same issues has been released, and may never be, although its impossible to know for sure given their secrecy. This is at the core of the issue. Now that these vulns have been disclosed it means attack mechanisms to exploit them by ne'er do wells can be crafted a bit more easily. See the issue here?
Seriously, people need to stop being so naive, Apple did not make Mavericks free out of the goodness of their hearts. They are a company and this was a calculated move on multiple levels. Mavericks was made free to ease the $$ burden of forcing all Mac users to upgrade to it to continue to receive security patches.

Munkeee
New Contributor III

nessts...
OK, just to clarify. There is a difference between a dot release (like 10.8.5) and a security update (ie. Security Update 2013-004). I'm talking about the Security Updates. I fully understand there will be no 10.8.6. I'm also not advocating they support 10.6 or 10.7 with security updates either. I'm only talking about 10.8.

Your problem is now, 10.8.5 has KNOWN security vulnerabilities (that Apple disclosed with the release of 10.9) that will likely not be patched. So when all of our systems get compromised, will Apple care then? If I was a hacker, I would immediately begin writing exploits to attack Apple OSes prior to 10.9.

Munkeee
New Contributor III

mm2270, you have it 100% right. Glad I'm not the only one getting this (assuming I'm right). I think our best course of action is to freak out on everyone we know at Apple. I'm not asking for the world. Just 1 security patch for one version of the OS, 10.8 (and subsequent ones when they disclose new vuls.)

donmontalvo
Esteemed Contributor III

OH: "10.9 *is* the bug fix / security patch for 10.8".

--
https://donmontalvo.com

mm2270
Legendary Contributor III

@bcunning
We're in a similar situation in that we can't jump to 10.9 so quickly because we have 3rd party software dependencies, and we're waiting on these developers to release Mavericks compatible updates. Its impossible to say how long we may need to wait. We're an enterprise company and I mean enterprise as in worldwide with customers in nearly every major country in the world, managing 6000+ Macs (and 10s of thousands of Windows PCs) As such, security is at the top of the list of priorities here and taken very seriously.
Moving to Mavericks will take us some time and thorough testing. Apple just doesn't get this stuff. They treat everyone as if their OS is being used on a home Mac, and that just isn't the case. TO be very clear, I'm not trying to say that Apple needs to bend over backwards for big enterprises. In fact, I'm glad they don't do a 'Microsoft' and continue to support a decade plus old version of their OS. Its really better the way they do it, but I just think if its true they've dropped security support for 10.8, it feels way too fast in my opinion. Even if they set a date when support would end, in say 4 or 6 months, that would be better. Give us some time to do this transition the right way, instead of creating a situation of scrambling to keep our systems safe from exploits.

nessts
Valued Contributor II

But has anybody a statement from Apple that there are no more updates ever for 10.8 and lower? Or are we reacting to the supposition of a journalist that since an update was not released yesterday or the day before one is never coming? if we look at the guys chart, he shows the first security update released after 10.8 became available as happening Sept. 2012 and if I remember correctly 10.8 was released July 2012. they did not release a security update on his list with the release of 10.8. Maybe we should have a little faith that as dumb as Apple can be about some things, they are not complete morons. I have sent a question to a technical rep if i get an answer I will share.

Munkeee
New Contributor III

Everyone ready to jump off a bridge yet ; )

Maybe the smaller companies out there don't care, and can move quickly. But us big ones can't.

Call Apple, I'm betting if enough of us complain, maybe just maybe, they will release a patch. I tried to explain to my rep that the iOS explosion in the enterprise is tenuous. I fully believe that IT management (not just my company, but any large enterprise) will look to move away from Apple once there is a competitive product that consumers accept (that isn't a security hole, I'm looking at you Android). This will be another reinforcement to IT management that 'Apple doesn't care about us'. I've accepted this, I've been at this long enough, but management, they are new to this approach.

Munkeee
New Contributor III

@nessts
Yeah, I'm reading the tea leaves, but given past history and the free for all Mavericks, I don't think my conclusion is wrong. Apple isn't going to tell us anything, and I've asked. I've already been instructed by our security group to update my Macs to 10.9, via defense department standards that we follow. This is DOD's remediation for the vulnerabilities in 10.8.x.

A security patch (for at least the previous OS) has accompanied every major OS release and dot release the SAME DAY. We are now 2 days out since the release of 10.9 and no update.

This also follows iOS. Once they release an update, they don't patch the old OS. Apple is not going to confirm or deny.

I'll say it again; I hope I'm little boy blue screaming my head off over nothing. I just don't think this is the case.

Munkeee
New Contributor III

@nessts
And I had this conclusion before I found the ZDnet article (yeah I know the source is not exactly the best). But the article just confirmed (somewhat) what I concluded based on the remediation course I had been given.

Munkeee
New Contributor III

Has anyone heard anything from their Apple reps? They've gone silent, despite saying they would get back to me.

Further evidence there will be no security updates (barring exploitation of their old OSes), Apple's own security updates page (Note it says that 10.9 remediates issues from 10.6 on)....

http://support.apple.com/kb/HT1222

mm2270
Legendary Contributor III

We contacted our reps yesterday. We were promised some information once they've had a chance to ask their higher ups. The general feeling was that they aren't really sure if support really is dropping for older OSes, although they are of course noting their history of support for previous OS versions as evidence to the contrary. Problem is that Mavericks has so far broken this trend which is what's so concerning.

If we hear anything I'll post what I can about it.

JPDyson
Valued Contributor

Never mind the fact that 10.6 just saw an update within the last month; let's all assume that 10.8 is officially dead now.

"You see, it would be this matt, that you would put on the floor, and it would have different conclusions written on it, that you could jump to!"

ClassicII
Contributor III

Apple has done some really goofy things but.. This is one thing I do not see them doing. I can see dropping 10.6 but it would be absolutely crazy not to release security updates for 10.7 and 10.8 which still account for a very large population of macs. Forget Enterprise for a second and just think of all the home users that would be affected by this. It would be an absolute field day for the malware and virus attackers.

I really believe they will be continuing the security updates. I do admit that this "OS X Mavericks v10.9
Mac OS X v10.6.8 and later 22 Oct 2013" does not look good. And the fact that they are breaking with the past is not good but I just cant seem them doing this.

If they do It will turn into a situation like how they did not give a crap that new hardware was not EPEAT certified.

They reversed pretty quick on that one. Lets hope it does not even get close to that point.

mm2270
Legendary Contributor III

You may be right. We just received an email from our Apple reps with a quote from "someone" at Apple's software team that they will in fact continue to provide security support for older OSes, Whether this was the way it was to be all along or just a response based on voiced concerns I can't say, but It doesn't really matter. The "unofficial" word we got is that yes, they will continue to provide security support for pre Mavericks OSes.

What was left unanswered was the "when" Still no similar patch for 10.8, 10.7 or 10.6, but its only been a few days. Again, I don't even care if they only provided 10.8 support and dropped the other 2. Let's hope they release something soon.

krichterjr
Contributor
Contributor

I'll be the first to say Apple can do more in the enterprise. However, I call BS on that article. Apple hasn't said a thing about not releasing any more security patches nor updates to their previous OS's. In fact, they still have Lion and Mountain Lion for sale. http://modmyi.com/content/12606-apple-now-selling-os-x-lion-mountain-lion-content-codes-web-site-old...

I know Apple can do more but I'm not jumping to conclusions based off something I read on the internet :P

scottb
Honored Contributor

Agreed. CNET isn't Apple. Apple has just released TWO major OS's - Mav's and iOS 7.
A slew of new hardware, and really, give 'em a break. Do you guys really need a patch today?

Munkeee
New Contributor III

@mm2270
I hope your right. I still find it odd they would release 10.9, announce vuls, and not patch in the earlier OSes. I still feel like they should be letting us know (I know it is Apple), what the deal is.

I heard (this could all be bull, but I trust my source) from a buddy of mine that Apple is dealing with vuls in a whole new way with Mavericks. They are using a method of detecting stack overflows that would essentially make most malware useless as it would get shutdown at the point of trying to own the system. He says they are not even patching the OS, but using this system to remediate. If this is the case, it could explain why the update for earlier OSes is not ready/available as this system wouldn't be in earlier OSes.

Munkeee
New Contributor III

@boettchs
No I don't need it today. But past history is they release patches when they announce vuls. They didn't do this. This is my point. They even go as far to say on the Security Updates page that 10.9 is the Security Update for earlier OSes.

I'm not in the business of giving Apple a break. When I'm being told to remediate vuls in 10.8 with 10.9, I take that seriously.

I think all of us Admins need to stop giving Apple a break when it comes to being quite on security. The next Mac hardware, fine. The new features in the OS, fine. When some product will release, fine. You can hide this information; I get it, the public is driven crazy waiting for these announcements and it helps Apple create 'buzz'. But security patches, no; this directly affects my business, how it operates and potential loses that holes in their OS could allow to be exploited. Is Apple going to take responsibility if one of my Macs get owned, and someone is able to steal data from my company. No they are going to say, we gave you a remediation path to Mavericks, you didn't take it. Well guess what, this forum is littered with applications we use that don't work in Mavericks (I'm looking at you Cisco). Will these get patched, yes. Will it be timely, I have no idea.

Stop giving Apple the benefit of the doubt and demand at least on this point, until they come up with answers. If/When one of your companies gets owned, you may think differently.

Munkeee
New Contributor III

Anyone notice, no updates for older OSes (security update, not a dot release) with the release of 10.9.1? So much for my Apple rep's reassurances...

mm2270
Legendary Contributor III

@bcunning][/url Yep, I've noticed. I've been waiting patiently to see what was going to happen here. As expected, Apple disappoints. Either their original 'plans' changed, or they never had any intention of releasing security patches for previous OSes. Their security KB article does actually spell that out anyway, so no real surprise there.

This really begs the question though. Did Apple intend to release updates as they said, or are they now in the business of lying to customers, or lets be nice and call it, providing 'lip service', just to get everyone off their backs? I want to believe the former, but their actions lately have me leaning more in the direction of the latter. Its shameful really.

I also wanted to note that back in Spring of this year a few of us on here had high profile meetings with Apple's internal security folks. They promised a lot of things. Other than some small token changes in how to manage XProtect, very little of what we talked about has transpired so far. We'll see what the next OS brings...

donmontalvo
Esteemed Contributor III

@bcunning wrote:

Anyone notice, no updates for older OSes (security update, not a dot release) with the release of 10.9.1? So much for my Apple rep's reassurances...

http://patternbuffer.wordpress.com/2013/10/22/10-9-mavericks-is-your-security-update-for-10-6-throug...

--
https://donmontalvo.com

mm2270
Legendary Contributor III

This update to his post is interesting-

Update: 10/4/2013 While it was fun to speculate about Apple forcing us to upgrade to 10.9. It was just speculation. I now believe I was wrong and I expect Apple to release updates for older versions similar to its past behavior.

Maybe Kyle needs to revisit that, again? BTW @donmontalvo][/url][/url][/url][/url. we all know about the Apple KB articles that specifically lists 10.9 as the security update for 10.6 - 10.8. What's disturbing is that some of us received very direct and no BS words to the contrary from Apple employees after this $hit hit the fan. Here is an exact quote from someone at Apple we got in an email-

We will provide security updates for older versions of the OS, though as always, some fixes are architectural in nature and can’t be applied to older OSes. We are in fact continuing to support older versions. Nothing has changed.

So again, was Apple just lying to us? Is that what its come down to now from them?

donmontalvo
Esteemed Contributor III

@mm2270 Kyle sits a few cubicles over from me, I'll shoot a spit ball over to him to see if he has any insight.

--
https://donmontalvo.com

Munkeee
New Contributor III

I spoke with various people at Apple. For me, they all speculated that they would continue to release security patches, nothing was guaranteed by them. I think they just didn't want to believe it either. I didn't get anything as concrete as @mm2270.

donmontalvo
Esteemed Contributor III

@bcunning Yea, looks like that's the word on the street. Apple has been getting sloppy since outsourcing patch development these last couple years (not to mention the Maps fiasco).

--
https://donmontalvo.com

ClassicII
Contributor III

It has been two months now. I was drinking the cool aid myself thinking that this would not be true. The writing seems to be on the wall. 10.6, 10.7 ok fine but 10.8? Apple is still selling it on the mac app store! We can either sit here and talk about it or contact upper apple management by email and our apple reps. They have been known to reverse course and I hope they do on this one. I cant remember the last time I felt this disappointed in Apple..... Oh! actually I just remembered. It was November 5, 2010.

mm2270
Legendary Contributor III

Well, it may not be all doom and gloom just yet. I stand (somewhat) corrected. My Apple rep pointed out that Apple released some Safari updates for 10.7.5 and 10.8.5 along with 10.9.1 that are actually listed as security updates. See here:
http://support.apple.com/kb/HT1222

Although this doesn't address all the vulns that were patched with Mavericks, at least its something. I don't know that we'll ever really see the "Security Update 2013-xxx" style updates anymore for older OSes though. Looks like it will be core application updates only. Time will tell I guess.

Munkeee
New Contributor III

@mm2270, I saw that, but really that is only one piece of the puzzle. If they are not remediating the core OS, what good one off app updates?

I'm willing to bet hackers are noticing this, and they are noticing that 10.9 has not exactly caught on as much as Apple had hoped. By my calculation of web stats (via netmarketshare.com), 10.9 is only about 1/3 of the Mac install base (going back to 10.5).

Just sad that Apple won't be honest with Enterprise customers. They constantly ask me how they can make it easier to get Macs into our environment...I can think of a few: patch your older OSes, release new hardware that will run on the last OS (retina Macs only run 10.9 and they discontinued the older MBP) and be more forthcoming with your future plans (Nothing drives IT management more crazy then being surprised by tech companies).