In the very latest Chet Chat podcast, we wondered aloud if Apple was heading into what you might call the “patching mainstream.”
That’s where you have some sort of schedule for security updates, and some sort of willingness to engage with your customers as soon as security problems arise, rather than only after they have been completely solved.
Apple has always taken a contrary stance, with its official verbiage making the company’s Security Cone of Silence policy quite clear:
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.
(Quite how it protects your customers to keep them in the pitch dark until each issue is completely solved has never been clear to us here on Naked Security.)
Anyway, in the podcast, we put it this way, saying, “It would just be nice if [Apple] took that old policy about not saying a word until it’s too late, tore it into little bits, and started doing what the rest of the world was doing.”
Apple certainly seems to be leaning in that direction, given that it recently violated its own policy twice.
The company commented publicly, before it had patches ready, after a security flaw was reported in iOS email encryption, and when a risky SSL bug was found in OS X.
The company acknowledged these security holes, and admitted right away it was working to fix them.
Huzzah for that!
And, wouldn’t you know it, within 12 hours of publishing the aforementioned podcast, an Apple Security Advisory dropped into our inboxes.
But it wasn’t the promised iOS lock screen patch, delivered in double-quick time.
Instead, it was a full-blooded point release that has been bubbling along in Beta for a while: OS X Mavericks 10.9.3.
Often, OS X point releases contain a raft of new features and a slew of security fixes, but this one seems to be different.
OS X 10.9.3
As far as we can tell, and as far as Apple seems to be saying, 10.9.3 seems to be last month’s security update, 2014-002, delivered along with a modest list of bug fixes, oops, new features and improvements.
The list is brief:
- Improves 4K display support on Mac Pro (Late 2013) and MacBook Pro with 15-inch Retina Display (Late 2013)
- Adds the ability to sync contacts and calendars between a Mac and iOS device using a USB connection
- Improves the reliability of VPN connections using IPsec
- Includes Safari 7.0.3
As it happens, Safari 7.0.3 was itself rolled into Security Update 2014-002, at least on Mavericks, so that too is a security fix that you really ought to have had for some time if you are an OS X user.
Should you update?
So, should you apply the 10.9.3 update?
If you skipped Security Update 2014-002, then the answer is an unqualified, “Yes.”
If you applied 2014-002, then it doesn’t sound as though this is a must-have from a security point of view.
→ The OS X 10.9.3 update is just under 0.5GB if you are already on 10.9.2, or just under 1GB if you want the “Combo” update that can jump you forward from any earlier version of OS X 10.9, including from a fresh installation.
But there is one new feature that ought to make a great many Naked Security readers happy, namely item (2) above.
Some Naked Security readers have told us that they’re sticking with older versions of OS X, and avoiding Mavericks altogether, because Mavericks forces you to sync iOS devices via Apple’s cloud service, rather than over a regular USB cable.
What with the ongoing revelations about the extent to which online traffic is snooped on and slurped up by the world’s intelligence services, this understandably upset a lot of people.
Apparently, Apple listened.
You can once again sync from your Mac to your iDevice over 15cm of USB cable, rather than sending your personal information on an ecologically unsound 40,000km round-the-world data trip via one of Apple’s server farms.
Huzzah for that!
iTunes 11.2
By the way, Apple is pushing out an update to iTunes at the same time, taking it to 11.2.
As usual, Apple sends you to its HT1222 landing page for security information about the new iTunes version, but HT1222 hasn’t been updated yet. [2014-05-15T22:05Z]
So we can’t tell you whether you need to grab the new iTunes (which is also updated on Windows, in 32-bit and 64-bit flavours) for security reasons, or whether you might merely wish to do so, based on its new feature list.
I guess that answers our question from the top of the article, “Is Apple heading into the patching mainstream?”
Nearly. But not quite.
Update. Shortly after this article went live, an email arrived from Apple Product Security stating that the Windows version of iTunes 11.2 fixes a bug in HTTP cookie handling that could allow authentication credentials to be hijacked. That makes the iTunes update into a need, not just a want. [2014-05-15T22:50Z]
It doesn’t help those of us who have a perfectly good older iMac running 10.6.8 and which, according to Apple, isn’t compatible with this upgrade because it is too old. What we need are security patches without having to upgrade.
First, what we need is a clear statement from Apple about what’s supported and what is not. Some Naked Security readers are living in hope that OS X 10.6 will get some sort of security fixes at some stage. But since Mavericks came out, only 10.7, 10.8 and 10.9 have received patches, and even 10.7 and 10.8 seem to lag behind a bit in the update stakes.
I think it’s reasonable to assume that 10.6 is implicitly, if not explicitly, “end of life.” That puts you in a similar position to XP users:
1. Continue without updates at all, and run the risk.
2. Switch to another OS, e.g. Linux.
3. Switch to a newer Mac.
Don’t shoot the messenger – it just seems that’s how it is.
Uhm, 10.6 should be supported, due to the fact that it has the app store, and Mavericks is in fact 100% free.
10.6 certainly does *not* seem to be supported, at least from a security point of view, judging by the fact that since Mavericks came out, only Mavericks and (less frequently) Lion and Mountain Lion have received security fixes.
And if 10.6 is supported, you’d have to argue it’s not being supported very well, given that it is now, what, nine months behind on security updates…and there have been many things fixed in 10.7, 10.8 and 10.9 that almost certainly also apply to 10.6.
Loosely put, it seems as though the official “security fix” for 10.6 is 10.9. If your Mac will run 10.9, of course.
Will the latest Mac OS and the latest Sophos for Mac work together now? Before yesterday, there was a known issue with Sophos for Mac that causes kernel panics. I just reinstalled Sophos last week, got a kernel panic, and Sophos was first on the list as the culprit. A couple of months ago, the Mac OS directed me to an Apple site stating that there were issues with Sophos for Mac.
You haven’t given me enough information to answer, I’m afraid 🙂 (I’ve used SAV for Mac for years and I have never had a kernel panic.)
If the issue is known, what is it? Where on the Apple site was something saying your issue was caused by SAV for Mac? What other drivers, software etc. are installed? Anti-virus programs often get the blame because they are invariably at or near the top of listed drivers…
There are lots of possible interactions, and when kernel drivers are concerned, the fact that you remove product X and the problem goes away doesn’t necessarily mean X was to blame. It could be that a bug in product Y only causes serious trouble when some other products, X or Z, say, are installed.
May I suggest you head over to our online support forum? (You’ll need to be ready to share info about your system, config details, other software, and so on.)
http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/bd-p/FTT_MAC_MAGNET
PS. I hope I don’t sound dismissive or holier-than-thou here. I just want to make sure that you solve the *actual* problem, rather than merely removing the symptoms. If the problem is in our code, we’d love to find out where so we can fix it. If it isn’t, then removing our product is going to end up giving you a false sense of safety, because the instability will still be there.
I wish people would stop hinting everywhere that Apple’s method (keep information and media coverage low until it is fixed) is a weaker position. Being given an update schedule is NOT being better-informed or getting more-timely updates. Being told about security issues as they are found (instead of after some fix is devised) isn’t better, it only makes users FEEL better.
We all know that ‘feeling’ better about your security means less than nothing; more transparency might even help the black-hat squads. Let’s back off this criticism; what matters is reducing holes and fixing issues quickly, NOT interim information to users.
The mushroom principle! Keep ’em in the dark and feed them…well, in Apple’s case, feed ’em nothing.
Sorry, but you are not going to convince me that having an official policy that amounts to implicit denial of any and all security problems until after they are fixed (when they have, technically speaking, become unproblems) is good for users in *any* sense, and you are not going to convince me that more transparency will inevitably help attackers.
Don’t forget that in the case of a zero day, the crooks already know how to exploit the hole, so you can much more convincingly argue that *suppressing* information that could help users will help the Black Hats.
The world used to have a policy of keeping information and media coverage low in respect of data breaches…didn’t stop them happening, and certainly didn’t seem to lead to a security culture in which their likelihood was reduced. Only now things are a bit more out in the open do we seem to be taking things a bit more seriously.
I use Little Snitch to monitor my mac’s connections and noticed that the 10.9.3 update tried to communicate with my most frequented websites. I don’t use Safari. Does anyone know why this happened on two of my computers? It seems strange. I have Send diagnostic and usage information to Apple turned off in the Security control panel. Also, Logic Pro X used to try to connect to Facebook every time that I started the application. It no longer does this. Is this sort of thing legal? I didn’t notice anything in the App Store terms of use that said this was an okay behavior. Is this normal?
What browser do you use? Do you have it set to discard all history on exit? Many browsers have a “wall of recent sites” thumbnail page, don’t they…perhaps that’s where the traffic came from…or did Little Snitch identify the process that made the connections?