82% of enterprise Mac users not getting security updates


Last week I saw a post by Computerworld journalist Gregg Keizer about the fragmentation of OS X versions and how it flew in the face of Apple's plans to unite users onto OS X Mavericks.

I have worked with Gregg for years and immediately began to think of the security implications.

Paul Ducklin wrote of the security fixes included in Mavericks, but strangely it appeared that Apple had not released similar fixes for OS X 10.6, 10.7 and 10.8.

The Net Applications data Gregg quoted was interesting, but I thought I would look into how Sophos customers have approached Mavericks.

Enterprise IT departments are often far more hesitant to deploy new operating system versions quickly and this time it might come along with some rather risky security consequences.


As you can see in the charts, 55% of Sophos Anti-Virus for Mac Home Edition (Free!) users have upgraded to OS X Mavericks, whereas only 18% of enterprise users have jumped on board.

After only 77 days these numbers reflect one of the highest adoption rates of a new OS I have seen. Unfortunately, that may not be good enough.

Without saying it in so many words, or any words for that matter, Apple appears to have stopped releasing security updates for OS X 10.6.8, 10.7.5 and 10.8.5.

It is a nice gesture that OS X 10.9 Mavericks is a free upgrade, but not everyone can upgrade. OS X 10.8 Mountain Lion has only been available for 15 months and is apparently already orphaned.

Microsoft has been taking heat for discontinuing Windows XP after supporting it for more than 12 years. I think Apple might be able to do a little better than 15 months.

If you are an Apple user, please update to OS X Mavericks or if you can't, perhaps install Windows 7 or Linux.

If you must run an older version of OS X, you may want to follow the advice Duck and I had in a recent Techknow for Windows XP users to minimize the risk of compromise.



Apple is famous for the secrecy around its product and service launches. It's unfortunate it has decided that the safety of Mac users should also require reading tea leaves.


52 Responses to 82% of enterprise Mac users not getting security updates

  1. There's a lot wrong with the "free" upgrade that points to a disturbing and cynical move in Apple's treatment of its loyal user base. The free upgrade has in fact cost me more than US$1000 to update old versions of essential business software that still run fine under Snow Leopard, even the 9 year old Office version, simply because Apple decided to abandon their long standing creed of backwards compatibility.

    Likewise, 3 older Macs in the office are also obsolete and will need to be replaced because Mavericks doesn't support earlier Intel Macs and the files created on the Mavericks machine won't open with the older application versions...

    Free upgrade, not.

    For the first time in 30 years of using and supporting Apple I'm considering my next hardware upgrade will be to a Windows machine. If I'm going to be treated like a Windows user I might as well pay less for the hassle.

    • Bobby Newmark · 236 days ago

      You have to remember that the biggest source of incompatibilities with old software comes from switch to strictly 64-bit architecture.

      PS: Come on man - 9 year old Office? They are coming with 2014 in couple of months :)

      • gus · 235 days ago

        The Office 2004 version has all the functionality I need. Newer versions look more modern but don't work any better.

    • Berry Williams · 235 days ago

      What everyone appears to be missing is this: 10.9 forces everything to be tied to an Apple account. Any updates, to the OS or any downloaded apps, become married to the App Store credentials used to install them. They are pushing the most comprehensive DRM built down their user base's throats, and no one is noticing - quite the contrary, articles like this are saying, "you really should do this upgrade, for security's sake". Quite clever, from Apple's perspective...

      • Anonymous · 234 days ago

        Except for the fact that the OS security updates are not requiring or tied to an Apple ID.

        • Yet, it would seem the OS security update(s) are requiring one migrate to 10.9x, which is very dumb on Apple's part (but maybe they save a few bucks on engineering/coding/updating time). This is almost as dumb as Apple not giving users the option to turn off Faces in iPhoto '09/'11 ...

      • lurs almoc · 233 days ago

        Um, no.

        Why do apple haters continue this lie? The app store is optional, and everything still installs fine without it, and stays independent of it.

        Forces everything to be tied to the apple account? No, no no.

        IF YOU DON'T LIKE APPLE JUST DON'T BUY ONE, it's WAY easier than having to get on forums and show that you most likely have never even used one (yeah, we can tell)

    • isitjustme · 234 days ago

      I wonder what sort of files you used Mavericks to create and as far as I know Mavericks is an OS.

      I have news for you the last version of Photoshop cannot open the files created by the latest one.

      I have older Macs using Snow Leopard and they work just fine.

      Do I need the latest and greatest sure provided my Mac supports it if not I can do without.

      One more thing go ahead and buy PCs and I can guarantee you you will be paying for Sophos services for life and will definitely cost more than the imaginary $1k you paid for your imaginary Mac.

    • Anonymous · 234 days ago

      Seems that your main complaint about Apple's upgrade is that you had to spend $1000 on Microsoft software :-)

      (As for "Apple's long standing creed of backwards compatibility," I think that's a bit of a myth. In the 9 years you've been using your old Office version, Apple has abandoned for ever both PowerPC and 32-bit Intel CPUs. My Mac Mini, bought long after your Office 2004, has been off Apple's support radar for several years already.)

    • Apple never had a "longstanding creed of backwards compatibility" - that's Microsoft (who ditched it with the arrival of Vista).

      Dumping all the old applications and forcing you to upgrade them is the norm for Apple - from the switch from 68000 to PowerPC, to going from PowerPC to Intel, to going from Intel 32-bit to Intel 64-bit.

      Sure, the first version or two of Mac OS after the switch has a backward compatibility ability, but that's as far as it goes.

      If you take an old DOS executable from DOS 2 in 1984 and run it on a current machine with 32-bit Windows 8.1, then it will work (unless it uses some weird feature - won't work on 64-bit Windows, though). Take a Mac executable from the same era, and current Mac OS won't even acknowledge it's an executable to refuse to run.

  2. AC · 236 days ago

    I downloaded Mavericks on its release on all my computers but had so many issues using Adobe products and external hard drives that I had to uninstall it again. The fact that the security patches are tied in with Mavericks is bad bad news.

    • Yes - Apple's "free" update is not free at all, though it will have a direct cost of $0USD... It would appear that because Apple has released Mavericks for free, they expect everyone will update ... but not everyone is able to update for one reason or another.

      Any major OS update is bound to cause some issues with legacy software ... require paid upgrades to supported software ... and there are always glitches - like with the external WD HDDs ... or other things (the nap feature seems to also cause some problems here and there - even when off?) ...

      I would think security updates should be required for 10 years after the OS is introduced. I understand not wanting to add actual, useful features or more modern technology (say OpenGL 4.1 vs OpenGL 2.1, or Java 6 vs Java 7, etc...) but long term (5 to 10 years) security patches should be required - IF the company has any standards.

      • Paul Ducklin · 233 days ago

        You say security updates should be required for 10 years. Then you say 5 to 10 years. (Quite a difference there :-)

        A lot can change in 5 years - from a security perspective, in 5 years you'd probably expect to see significant internal changes that improve security a lot. What if those changes can't be retrofitted to the old OS version...but the company lets everyone upgrade for free to the new one. Isn't that actually a _better_ way than mandating backported fixes for old code?

        (The issue of whether the free update should be required to work on 5-year-old hardware is a separate issue. I am bypassing it here.)

  3. Daren · 236 days ago

    "Microsoft has been taking heat for discontinuing Windows XP after supporting it for more than 12 years. I think Apple might be able to do a little better than 15 months."
    Well said

  4. Anonymous · 236 days ago

    It's a difference in attitude. Home Mac users who have been proactive enough to install Sophos Anti-Virus even though "everyone" knows Macs don't get malware (cough) are also more likely to want the latest OS version. Enterprise users don't like updates in general, because they sometimes break things, and time is money, so absent any obvious malware attacks, they're going to be more resistant to upgrading. Enterprise Windows administrators have to keep on top of security updates because they don't really have a choice.

    • Anonymous · 235 days ago

      I am a home Mac user and use Sophos Anti-Virus but hated that I HAD to install Maverick. It took 2 wks, many hrs/day of tech support using senior advisors and finally a trip to the Apple store w/ my iMac to get it working correctly! I do not like that they didn't do security updates in the older OS's but I think it was not only security - they wanted to include iCloud because the release of OS 7 at the same time made syncing the iPhones w/ the older OS's impossible. Extremely dislike to say the least. Have been a Mac user since the mid 90's.

    • Karen · 235 days ago

      I am a home Mac user, (my OS was up to date - answer to below) and a Sophos Anti-Virus user (altho it took some days for Sophos to come out w/ a version compatible w/ OS X), but hated that I was made to upgrade to Maverick. Since OS 7 came out at the same time this made it impossible to sync my iPhone w/ my iMac if I didn't upgrade. I think the upgrade was not just for security reasons but also to give iCloud to those who needed it to sync their iPhones. Took 2 wks, many hrs/day of tech support w/ senior advisors and then a trip to the Apple store to get it working correctly. Now I'm having to install more memory since Maverick is so large it has, indeed, slowed down my computer! To say that I detest all this is putting it mildly. It was a complete waste of my time. (I have been a Mac user since the mid 90's)

    • Macintosh computers generally do not "get" malware of any kind. This does not mean they are immune, but it is generally easier to keep & play safe with a Mac on a network - connected to the web ...

      of course Apple can and should do better. They are adding more security to Mac OS X, but requiring people to migrate to Mavericks for security updates - is dumb, short sighted and shows a lack of respect to its user base.

      Microsoft is not much better, but then again, two companies with low standards does not increase anyone's security... or standards.

  5. None · 236 days ago

    Apple badly need to release the EOL for the different versions of OS X if they want enterprise credibility

  6. M. Schoelderle · 236 days ago

    Unfortunately, upgrading to Mavericks is not an option for everyone. Apple has taken away with Mavericks the option to locally sync users' Contacts and Calendar data, thus forcing everybody to backup their data on the iCloud. Unfortunately, this is NOT an option for all users, in particular in Europe certain companies and professionals (ie. psychologists, doctors, etc) are in a dilemma as they are not allowed to store their clients' data on any cloud services. And it also seems quite a lot of private users are reluctant to use the cloud as storage - see Apple forum discussion 'How to locally sync an iPhone with OS X Mavericks? iCloud is NOT an option.' The thread seems quite popular with 132 pages and almost 164,000 views so far.

    https://discussions.apple.com/message/23444199#23444199

    I have left a comment about this on Paul Ducklin's original post and have also emailed Sophos at the time of Maverick's release but it seems this very important topic is being overlooked/ignored?

    • agreed. Though I think a 3rd party backup solution: Super Duper, Carbon Copy Cloner, etc... can backup locally and work fairly well - Time Machine should also still allow local backups - though - synching shortcuts/favs/etc... locally may have been killed with Mavericks - that is unfortunate.

      Sometimes Apple over simplifies ... it is great to have a feature like Faces in iPhoto, yet there should be options to turn this off... also like you said the 'cloud' is not a solution for everyone. Some people and business need their own private 'cloud'.

  7. Anonymous · 236 days ago

    15 months of support for an OS is pretty pathetic!

  8. I was invited to upgrade to Mavericks for free, but I can't because of the OS I have currently. Also there are a lot of negative reviews about that OS. I don't want to open myself up to a lot of headaches and I usually wait for awhile until a new OS has time to work out the bugs. It isn't right for Apple to leave older OS users as orphans.

  9. Bobby Newmark · 236 days ago

    "Microsoft has been taking heat for discontinuing Windows XP after supporting it for more than 12 years." - That's because after XP they released only crapware. The first good OS they released was Windows 7 (after 10 years since XP release) and let's face it - Windows 8(8.1) is unusable for an enterprise users. I'm a professional and I can't see too many companies taking a leap to 8(8.1) anytime soon (let's say another 10 years?). Part of this is MS's policy to force Metro style desktop on everyone including corporate users who most of the time utilize desktop interface heavily. For anyone like me who has to switch from Server 2008 to 2012 it's just a nightmare - and still I go to metro style only to reboot the server. I have no idea what MS was thinking.

    On the other hand upgrade of Mac OS X is seamless, interface familiar and very rarely there are incompatibilities with software. That's the main reason of such a great deployment. I'm surprised by stats for enterprise users but at the same time I also know that OS upgrade is a big project in corporate environment. Especially if you have let's say 500+ users on 5 different continents.

  10. 4caster · 236 days ago

    I had enough trouble when upgrading from Lion to Mountain Lion, with missing printer and scanner drivers, and FaceTime that still will not work.

  11. Bart · 236 days ago

    How much did the recent update to Mavericks improve that version? A while back there were lots of complaints by those who upgraded right away.

    • Paul Ducklin · 235 days ago

      I upgraded as soon as I could get the 5GB download across my 3G link, mainly because of the security fixes.

      Like you, I saw lots of complaints online, most of which seemed to be of the "it slows down your Mac" sort, few of them based on any genuine evidence I could find, and many of them "affirmed" by people who hadn't upgraded. (So how could they know?)

      So I ignored the bogomoaners and unscientists, wiped my disk, did a fresh install, and was immediately happy. It took me half a rainy afternoon and I was delighted. I don't have any hard evidence of my own but my gut feeling is that battery life is better and the system seems slightly more responsive.

      Colour me impressed. Of course, YMMV. That's all I'm saying.

  12. mcclainra · 236 days ago

    I upgraded to Mavericks on my iMac, and hate the new version of Mail which is really screwy with gmail, whereas old one isn't. I decided not to upgrade on my laptop for that reason, but maybe I should. I am a believer in Sophos for sure.

    • Paul Ducklin · 235 days ago

      For all my fanbuoyishness in other comments, the new Mail app is pretty ordinary. But I got over it.

    • janey · 233 days ago

      gmail isn't the be all, end all of email. So many proprietary Google extensions in Gmail that they don't document. Mail works just fine with a standards compliant email setup, not wibbly wobbly gmail.

      Google wants people using the web version via Chrome anyway. Easier to shove ads at you.

  13. Jimmy B · 235 days ago

    I've been a loyal mac user for years. Some of the updates have been not too good but Mavericks is by far the worst.

    It's a Beta basically. All the people who've downloaded it are basically testing it for apple.

    Apple's attempting to push iPhone users into the iCloud by removing local sync too.

    What a mess.

    Mavericks is apple's Vista.

    • Paul Ducklin · 235 days ago

      I've read other people saying "it's a beta, you're just testing it." What makes you say that? On my Mac, it doesn't seem to have any rough edges or "still to be tweaked" parts. It installed like a release, has behaved like a release, and appears to run slightly faster. It's also IMO *much* closer to ML in both look-and-feel and usability than Vista was to XP. What makes you call it a Vista?

  14. Supported hardware and software from Apple. OS X 10.5, 10.6, 10.7, 10.8 and 10.9.

    http://www.apple.com/support/sitemap/

    • Paul Ducklin · 235 days ago

      Intriguingly, I can see: OS X; OS X Lion; Mac OS X v10.6 Snow Leopard; and Mac OS X v10.5 Leopard. No mention of Mountain Lion :-)

      • Berry Williams · 235 days ago

        Wow, you are correct - no 10.8 link. Sheesh...

    • Bart · 235 days ago

      So, does this mean that OS X versions on the list do receive security updates?

      • Paul Ducklin · 234 days ago

        It doesn't seem so...not the OS parts, anyway. Safari 6 (the pre-Mavericks flavour) got a recent update, including of security stuff, at the same time as Safari 7 got updated (which was part of OS X 10.9.1) but updates to the OS itself appear to be for 10.9 only.

  15. Nigel · 235 days ago

    It is simply not possible for me to install Mavericks at this point. Apart from the fact that it would necessitate spending a small fortune to update apps that run perfectly fine in Snow Leopard through Mountain Lion, there are some apps and plugins I use every day that are completely broken in Mavericks.

    It's a given that Apple will not fix such incompatibilities on their end; it's up to the developers to fit their applications to Mavericks. Well, OK...but that takes time, and until it happens, I'm not going to stop being productive. Forcing me to make a choice between productivity and security is not the way to keep me as a customer.

    If Apple has truly dropped security support for all pre-Mavericks versions of OS X, that is an unconscionable betrayal of user trust and loyalty. I know Apple doesn't care, but I do. The increasing trend toward forced obsolescence is just another sign that they're losing their way in Cupertino.

    • Paul Ducklin · 234 days ago

      I had a couple of paid-for apps that hadn't been readied for Mavericks. I ended up looking around for more modern alternatives and found replacements that were both free and better.

      I think the words "unconscionable betrayal" may be going a _bit_ far, but...why not switch OS? If you like Unixy platforms, you have Linux and the various BSDs to choose from. (And it's true you *do* get a wider/better choice of mail apps on those platforms :-)

      • Bart · 234 days ago

        Thanks for all this, Paul. I did see and install the recent fix for Safari on my ML.

        While I will pick up Mavericks, my wife is a dedicated Quicken user and so seems stuck on an older version of OS X.

        • Richard Mabry · 233 days ago

          Interesting conversation. I upgraded from Mountain Lion to Mavericks, with no problem. I continue to use Quicken for Mac 2007 and have no difficulties with it. For a while I had to use Express, but when I went to Mt Lion, I was able to go back to Quicken.
          Thanks for the info.

          • Bart · 233 days ago

            Thanks, Richard. She is on Quicken 2005 and because of Eudora never upgraded to Q 2007 or went past SL. I'll pass this on.

  16. Bill · 234 days ago

    Apple doesn't care about Enterprise IT, never has so this is not news. Apple supports last 2 versions, that is it.

    To meet federal requirements for protection of user, we must encrypt drives and our IT supports a third party app. Giving away Mavericks has allowed users to think they can download and install but our app doesn't support, so breaks their machine.

    Sometimes I wish Enterprises would just not buy Macs. Allow Apple to sell iPhones, and iPods to consumers instead.

    • Winthrop R Chesterfield · 179 days ago

      Macs have their place in the enterprise. My experience has been that total cost of ownership is lower for Macs up to at least 50 seats. So for smaller business, particularly without much full time IT support, they can be a better choice.

      And remember that OS X is Unix, so there are an extraordinary number of tools that can be leveraged for management.

  17. Ken Berger · 232 days ago

    Wow what a perverted view of the computer world, I advise all my users to never install Sophos software on their Macs it adds nothing (never had a MAC out of more than 2,000 that ever got anything that Sophos was useful for). Never (in more than 10 years) seen a problem other than the brief and incident with the Java based Trojan on any mac and then Apple fixed it in a few weeks and it only affected a few Macs.
    OSX 10.7 is still more secure than any version of Windows I have run (only now testing Win8 it looks ok). And Apple supports older versions including 10.7 with updates only there are no glaring holes to keep fixing like XP, Vista, and W7.
    If anyone understood basic security on PC's they would never run MSFT software.

    • Paul Ducklin · 232 days ago

      Errrr, you have never seen any Mac malware except for the malware that infected "a few Macs" (IIRC, the count was at least 600,000 of them, a big botnet by any standards), and anyway Apple fixed it "in a few weeks." (That's cause for concern, surely, not for praise?)

      You're saying OS X 10.7 (the one with the gaping root-access hole in sudo that Apple never quite got round to fixing, right?) is more secure than any version of Windows, but you're excluding Windows 8, even though that has been out for a year and half already. (Isn't that a bit unfair?)

      You're saying "Apple supports older versions including 10.7 with updates," yet one of the key points of this article is...

      ...that Apple *doesn't* support 10.7 with updates, security related or otherwise. (You need Mavericks for the latest security fixes, including some pretty important ones.)

      Are you sure you're giving your friends wise advice?

    • Winthrop R Chesterfield · 179 days ago

      Certainly, you cannot be serious? Word macro viruses have been active on Mac for more than 10 years. It also picks up Windows malware, and certain multiplatform malware (perl scripts, for example). It picks up emails with dodgy attachments, which can often mean the email itself is dodgy.

      I have seen dozens of infected files on OS X. Never as bad the worst Windows box, but still bad. It is not cool for a business to spread macro viruses, for example, or pass on Windows malware to their partners using Windows.

      Reputational damage is still damage.

      Macs are not magically secure, no current desktop OS can be described as secure. Some might be more trustworthy. There have been several vulnerabilities on OS X which have taken months to be patched by Apple.

      Sophos for Mac could be better. It could work better against certain web based attacks. It could offer more help for phishing attacks. It would be nice if it enumerated known vulnerabilities, like Java settings, installed tools, versions.

  18. Problem is, this is simply not true. There are still security updates coming out for Lion and Mountain Lion, as has been shown by other commenters (and the fact my ancient Mac Pro won't go to Mavericks and I just got some updates not long ago).

    Who would have guessed someone paid by a security software company (whose software is better known for slowing computers down and taking days to do a single scan of a computer than it is for making us safer, only not quite as badly as the competition) would make false claims about something to make an incorrect point about something, that results in possibly making more money?

    Like that hasn't been the typical approach of software security companies for the past 30 years. Please. Give us usable software and stop ginning up false fears based on patently false information.

    • Paul Ducklin · 232 days ago

      I'd have liked to have seen URIs actually linking to these security updates, given that you're as good as calling me a liar and a cheat...

      I simply can't find any post-Mavericks updates for OS 10.8 or earlier on Apple's official page (http://support.apple.com/kb/ht1222), other than the Safari update that I mentioned myself above.

      The most recent 10.8-specific update I'm aware of is one that predates 10.9: http://support.apple.com/kb/HT5964

      [This thread is now closed.]

  19. Marianne · 219 days ago

    I am a home/small office user in The Netherlands. It is the forced iCloud syncing that keeps me from upgrading. The Dutch privacy act Wet Bescherming Persoonsgegevens (WBP) explicitly forbids to keep or process other people's personal data on servers outside the EU. Other EU countries have similar laws. For EU residents, syncing contacts via iCloud would come down to breaking the law!

  20. Winthrop R Chesterfield · 179 days ago

    I have worked in enterprise for many years supporting Mac. Jumping on the upgrade bandwagon early is a sure way to a headache.
    As others have mentioned, it is more than the OS that needs to be considered. All supporting software and infrastructure needs to be taken into account.

    All updates should be tested and qualified before deployment. Updates can, and do, break functionality, and even introduce new vulnerabilities. Updates to AFP in 10.4 broke syncing of microsoft user data for people using Office 2004 with Entourage and IMAP. Updates in 10.5.3 broke CS3 and saving to shares.

    The recent SSL issue with 10.9 is an excellent recent example of newer not necessarily being better. And certainly not more secure.

    Applying updates is fairly painless, rolling back can be a headache.

    And Apple does provide security updates on older versions, typically for at least the previous version, but more recently the 2 previous versions.

    At the end of the day, security is just risk assessment and money. If you know that it will cost $500/seat to upgrade, and the exposed risk is likely much lower, then the business decision is to wait and see. Yes, there is some art to it all, but a sys admin who is doing their job properly won't be upgrading blindly.

    • Paul Ducklin · 179 days ago

      To be fair to us here, Apple has never publicly stated that it does and will provide security updates for 10.7 and 10.8.

      It has now shipped updates for them, thus implying that it hasn't forgotten about the old versions altogether, but those are the first updates we've seen since 10.9 came out. Both 10.9 and 10.9.1 included numerous security fixes, none of which were backported to 10.7 and 10.8.

      In the absence of any official statement from Apple about its plans for older updates, I think you would be wise to assume that you will be getting security fixes for those platforms belatedly at best, because that's how things have panned out so far.

      The way things are going, Mavericks will be at 10.9.5 before you see your next fixes for the previous two versions...


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.