Cyber security graphic.

When Apple launches a new version of one of its OSes, say, macOS Sierra, the first thing users think about is the features. If they’re a bit more methodical, they’ll look at their mission critical apps and monitor for updates from those associated developers. But, above all, a decision to not upgrade (or do it soon) must be balanced against the security updates folded into the new version. .

__________________________

Security Protocol

The feature list of macOS Sierra is deceptively simple. It is so modest in its scope that some users may be seduced into thinking that they may not need the upgrade, even though it’s free. That’s a bad idea.

When a new version of macOS comes out, my first reaction is to check my mission critical apps. Being both a writer and a podcaster, I can’t afford a show stopper. But I’m always mindful that, in this day and age, many security fixes, many of which have architectural impacts, are rolled into each major release.

Those architectural changes, in some cases, can impact the operation of some apps. That’s one reason why Apple has a long period of developer and public betas to work out those kinks. By the time a major release, like Sierra, is launched, most of those problems should be solved.

Why doesn’t Apple roll out the fixes piecemeal? The answer is that some are synergistic and depend on major OS changes that could, in turn, affect developers. Secondly, many sound scary, but are still in proof of concept phase and aren’t widespread in real world exploitations. They need to be attended to, but an urgent single point security update isn’t called for.

A Helpful Analysis from Intego

The Mac Security Blog at Intego is a very helpful place to find out more about all this. In the post for 21 September 2016, Jay Vrijenhoek explains the situation with Sierra nicely.

1. Apple maintains a webpage that provides details for all its security updates.

2. The entry for Sierra cites 65 security fixes.

3. According to author Vrijenhoek, there is something important to note:

For those not familiar with reading Apple Security bulletins, the addressed vulnerabilities mention ‘Available for: OS X El Capitan v10.11.6,’ but this means the vulnerability was found in OS X El Capitan and fixed only if you update to macOS Sierra.

Note that the Security Update2016-001 for El Capitan and 2016-005 for Yosemite only fixes a few critical kernel issues, not the 65 issues fixed in Sierra.

Accordingly, if you’re good to go with all your mission critical apps, it’s a good idea to upgrade to macOS Sierra just to make sure one of these obscure bugs doesn’t get exploited in the wrong place and the wrong time: your Mac.

It’s also important to recognize that because iOS is a descendant of [Mac] OS X, it often shares common security flaws. Author Vrijenhoek correctly points out:

As an added bonus, the list of vulnerability fixes in iOS 10 was amended to show 28 additional vulnerabilities that were addressed in the release. Apple did not release these details until Sierra was released, likely because both operating systems shared the same flaws. Publishing details on the flaws that were addressed in iOS 10 would have given those with malicious intent a nice roadmap of what to exploit in OS X.

I surmise this is why major releases of macOS and iOS and tvOS are rolled in the same month. Apple often has to address the same flaw in all variations of its OSes.

Be Aggressive. Like Apple

I’m being a little over the top next, but not much. If you’ve been thinking that you can continue to survive with, say, a 2007 iMac running Mountain Lion, I’d advise against it if that Mac is connected to the Internet.

I also surmise that the reason Apple encourages updates with it’s Auto-downloading feature is so that customers are always mindful of the need to upgrade. Because Apple’s OS updates are free, Apple’s only incentive is to protect its customers, not develop a revenue stream. On the other hand, forcing users to upgrade before they’ve certified their mission critical apps would be inappropriate.  Apple has chosen a wise middle ground. “macOS Sierra Now Auto-downloading, but not Auto-installing.

After a new macOS release, there are lots of articles that will guide you though the update of your apps so you can then update your OS. Here’s one by our Bob LeVitus: “macOS Sierra and App Compatibility.

The bad guys are resourceful and aggressive. Apple customers should never assume they can do nothing and get away with it.

_______________________

Teaser image via Shutterstock.

Subscribe
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

7 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
andrusz