When Apple launches a new version of one of its OSes, say, macOS Sierra, the first thing users think about is the features. If they’re a bit more methodical, they’ll look at their mission critical apps and monitor for updates from those associated developers. But, above all, a decision to not upgrade (or do it soon) must be balanced against the security updates folded into the new version. .
__________________________
Security Protocol
The feature list of macOS Sierra is deceptively simple. It is so modest in its scope that some users may be seduced into thinking that they may not need the upgrade, even though it’s free. That’s a bad idea.
When a new version of macOS comes out, my first reaction is to check my mission critical apps. Being both a writer and a podcaster, I can’t afford a show stopper. But I’m always mindful that, in this day and age, many security fixes, many of which have architectural impacts, are rolled into each major release.
Those architectural changes, in some cases, can impact the operation of some apps. That’s one reason why Apple has a long period of developer and public betas to work out those kinks. By the time a major release, like Sierra, is launched, most of those problems should be solved.
Why doesn’t Apple roll out the fixes piecemeal? The answer is that some are synergistic and depend on major OS changes that could, in turn, affect developers. Secondly, many sound scary, but are still in proof of concept phase and aren’t widespread in real world exploitations. They need to be attended to, but an urgent single point security update isn’t called for.
A Helpful Analysis from Intego
The Mac Security Blog at Intego is a very helpful place to find out more about all this. In the post for 21 September 2016, Jay Vrijenhoek explains the situation with Sierra nicely.
1. Apple maintains a webpage that provides details for all its security updates.
2. The entry for Sierra cites 65 security fixes.
3. According to author Vrijenhoek, there is something important to note:
For those not familiar with reading Apple Security bulletins, the addressed vulnerabilities mention ‘Available for: OS X El Capitan v10.11.6,’ but this means the vulnerability was found in OS X El Capitan and fixed only if you update to macOS Sierra.
Note that the Security Update2016-001 for El Capitan and 2016-005 for Yosemite only fixes a few critical kernel issues, not the 65 issues fixed in Sierra.
Accordingly, if you’re good to go with all your mission critical apps, it’s a good idea to upgrade to macOS Sierra just to make sure one of these obscure bugs doesn’t get exploited in the wrong place and the wrong time: your Mac.
It’s also important to recognize that because iOS is a descendant of [Mac] OS X, it often shares common security flaws. Author Vrijenhoek correctly points out:
As an added bonus, the list of vulnerability fixes in iOS 10 was amended to show 28 additional vulnerabilities that were addressed in the release. Apple did not release these details until Sierra was released, likely because both operating systems shared the same flaws. Publishing details on the flaws that were addressed in iOS 10 would have given those with malicious intent a nice roadmap of what to exploit in OS X.
I surmise this is why major releases of macOS and iOS and tvOS are rolled in the same month. Apple often has to address the same flaw in all variations of its OSes.
Be Aggressive. Like Apple
I’m being a little over the top next, but not much. If you’ve been thinking that you can continue to survive with, say, a 2007 iMac running Mountain Lion, I’d advise against it if that Mac is connected to the Internet.
I also surmise that the reason Apple encourages updates with it’s Auto-downloading feature is so that customers are always mindful of the need to upgrade. Because Apple’s OS updates are free, Apple’s only incentive is to protect its customers, not develop a revenue stream. On the other hand, forcing users to upgrade before they’ve certified their mission critical apps would be inappropriate. Apple has chosen a wise middle ground. “macOS Sierra Now Auto-downloading, but not Auto-installing.”
After a new macOS release, there are lots of articles that will guide you though the update of your apps so you can then update your OS. Here’s one by our Bob LeVitus: “macOS Sierra and App Compatibility.”
The bad guys are resourceful and aggressive. Apple customers should never assume they can do nothing and get away with it.
_______________________
Teaser image via Shutterstock.
PureVPN is an American company? I do not see a canary letter on their web site. Which means all your data goes directly to NSA, etc. Thank you very much!
Apple security is a big concern nowadays, thats why i would recommend PureVPN’s iOS App to hide our online private data
“For those not familiar with reading Apple Security bulletins, the addressed vulnerabilities mention ‘Available for: OS X El Capitan v10.11.6,’ but this means the vulnerability was found in OS X El Capitan and fixed only if you update to macOS Sierra.”
That is NOT the meaning I have from reading that text.
To me, “Available for: OS X El Capitan v10.11.6” means that the fix for this vulnerability is available for 10.11.6.
I would like someone with easy access to Apple to query this interpretation – it has been tossed around a lot lately and it’s time that Apple defined what the meaning really is.
“There are lies, damned lies, and statistics.”
Counting the number of vulnerabilities fixed is a red herring. One would expect that newer software would require more maintenance than more mature software. It’s the nature of the beast.
It is also irresponsible reporting. Rather than suggesting Sierra is “more secure” because of the fixes, I will contend that Sierra is less secure because it requires additional hardening.
Further this “Vrijenhoek” is wrong based on real analysis of the systems. If Apple has a CVE open for a vulnerability in El Capitan and reports to the government that it is fixed and has the CVE resolved in El Cap, then the fix was applied to El Cap. Otherwise, it would not pass government accreditation and it would be business Apple would lose. Do you know how many iPhones are running iOS 8 that would never get upgraded to new models if Apple lies about this?
I love all of these “experts” who wouldn’t know a fact if it jumped up and bit them in the behind. It really makes it more difficult for those of us on the ground trying to prevent people from being more stupid than they are!
So with luck I’ll be updating to a new MBP in the next month. My old one is going to my wife to replace her 2008 MB running Snow Leopard. “Aw darn honey, the system has Sierra on it. I guess that old Filemaker from a decade or more ago is going to have to go. And the other Apps that you love, I guess you’ll have to upgrade them too. Sorry. But look you get a 15 inch screen.”
There’s method in my madness.,
exAppl0088: Thanks for the props. And an interesting challenge!
Excellent article! As ex Apple employee #0088 i always read your editorials and
Particle Debris blog which are the best rational viewpoint on Apple on the Web.
As a developer still using Terminal for development, i would like to read a
regular article about the issues that arise with new major MacOS releases for the
world of unix development tools installed via HomeBrew, MacPorts and the like.
E.G. database engines like Postgres, Java SDK development, JAVA EE, and the
like which i use with BBEdit, for my (now outdated) habits of CLI development.
Keep up the good (rational) work.