Saturday, November 23, 2013

OS X Mountain Lion: Still unsupported and vulnerable

from ZDNet.com
Summary: One month after the release of OS X Mavericks and the disclosure of 48 vulnerabilities in Mountain Lion, Apple has not released any updates to fix these or any other problems in Mountain Lion.
Hey you guys! Wait UP!

One month ago today, Apple killed off OS X 10.8, a.k.a. Mountain Lion.

It wasn't a big, or even small, news story at the time. There was no mournful funeral procession, no clamor to find out whodunnit. In fact, based on the reaction I received when I first suggested that Apple had killed Mountain Lion, many refused to believe it was dead. To this day, I think I'm the only one to write about it. Even Wikipedia, that ultimate repository of the truth, still lists OS X Mountain Lion as 'Supported'.

How did the killing of a prominent operating system go unnoticed? Death came to Mountain Lion in a passive way: On October 22, 2013 Apple released OS X 10.9, a.k.a. Mavericks. In the past, or at least for the past few major versions, whenever Apple released security updates for a version of OS X, and those vulnerabilities also affected prior supported major versions of OS X, they would release the updates for all supported versions at the same time. There's a clear logic for this practice: Once the vulnerabilities are disclosed and the updates are released, users of any versions for which there are no updates are exposed to attack.

This is the situation in which users of Mountain Lion (and Lion and any other prior version) find themselves. On October 22, as they released Mavericks, Apple disclosed 48 vulnerabilities in Mountain Lion that were fixed in Mavericks. They did not release an update for Mavericks to patch these vulnerabilities, as they have done in the past for prior, supported versions.

Many readers and outside observers told me they were skeptical, and that of course Apple could still release the updates. Of course they could. The problem is that it's a month now and there's no reason to believe they will. Indeed, without saying anything specific about any specific versions, Apple told me that they have not changed their policies about updating operating systems. If this is true, and if their past practices are indicative of their policy, then they have stopped supporting Mountain Lion.

I'd like to wait to see the next set of NetMarketShare numbers on it, but clearly there are still a lot of people running Mountain Lion. I know of one person who upgraded to Mavericks and then downgraded back to Mountain Lion. You have to be pretty desperate to go this route, as reverting a system backwards from Mavericks is no picnic.

I know of no actual attacks on Macs using these vulnerabilities, but if I were writing malware I would see them as a big fat invitation to attack. All those users on Mountain Lion (and Lion) are vulnerable and there's nothing they can do but upgrade.

Why would Apple do this? I stand by my earlier theory: Much was made of Apple's decision to make Mavericks free. The significance I attach to it is that they are bringing their OS X and iOS upgrade and pricing policies in line: Now both are free and only one version is supported at a time. All users must upgrade to the next version in order to receive support, including security updates.

Complaints about bugs in Mavericks are common; my colleague David Gewirtz thinks Apple should call Mavericks a beta. Of course they would never do this anyway, but doing so now would mean that there would be no shipping, supported version of OS X. Even so, there would still be a hardcore of fanboys who will take whatever abuse Apple heaps on them and beg for more.