The Most Important Reason to Upgrade to macOS Sierra: Security

3 minute read
| Editorial

Cyber security graphic.

When Apple launches a new version of one of its OSes, say, macOS Sierra, the first thing users think about is the features. If they’re a bit more methodical, they’ll look at their mission critical apps and monitor for updates from those associated developers. But, above all, a decision to not upgrade (or do it soon) must be balanced against the security updates folded into the new version. .

__________________________

Security Protocol

The feature list of macOS Sierra is deceptively simple. It is so modest in its scope that some users may be seduced into thinking that they may not need the upgrade, even though it’s free. That’s a bad idea.

When a new version of macOS comes out, my first reaction is to check my mission critical apps. Being both a writer and a podcaster, I can’t afford a show stopper. But I’m always mindful that, in this day and age, many security fixes, many of which have architectural impacts, are rolled into each major release.

Those architectural changes, in some cases, can impact the operation of some apps. That’s one reason why Apple has a long period of developer and public betas to work out those kinks. By the time a major release, like Sierra, is launched, most of those problems should be solved.

Why doesn’t Apple roll out the fixes piecemeal? The answer is that some are synergistic and depend on major OS changes that could, in turn, affect developers. Secondly, many sound scary, but are still in proof of concept phase and aren’t widespread in real world exploitations. They need to be attended to, but an urgent single point security update isn’t called for.

A Helpful Analysis from Intego

The Mac Security Blog at Intego is a very helpful place to find out more about all this. In the post for 21 September 2016, Jay Vrijenhoek explains the situation with Sierra nicely.

1. Apple maintains a webpage that provides details for all its security updates.

2. The entry for Sierra cites 65 security fixes.

3. According to author Vrijenhoek, there is something important to note:

For those not familiar with reading Apple Security bulletins, the addressed vulnerabilities mention ‘Available for: OS X El Capitan v10.11.6,’ but this means the vulnerability was found in OS X El Capitan and fixed only if you update to macOS Sierra.

Note that the Security Update2016-001 for El Capitan and 2016-005 for Yosemite only fixes a few critical kernel issues, not the 65 issues fixed in Sierra.

Accordingly, if you’re good to go with all your mission critical apps, it’s a good idea to upgrade to macOS Sierra just to make sure one of these obscure bugs doesn’t get exploited in the wrong place and the wrong time: your Mac.

It’s also important to recognize that because iOS is a descendant of [Mac] OS X, it often shares common security flaws. Author Vrijenhoek correctly points out:

As an added bonus, the list of vulnerability fixes in iOS 10 was amended to show 28 additional vulnerabilities that were addressed in the release. Apple did not release these details until Sierra was released, likely because both operating systems shared the same flaws. Publishing details on the flaws that were addressed in iOS 10 would have given those with malicious intent a nice roadmap of what to exploit in OS X.

I surmise this is why major releases of macOS and iOS and tvOS are rolled in the same month. Apple often has to address the same flaw in all variations of its OSes.

Be Aggressive. Like Apple

I’m being a little over the top next, but not much. If you’ve been thinking that you can continue to survive with, say, a 2007 iMac running Mountain Lion, I’d advise against it if that Mac is connected to the Internet.

I also surmise that the reason Apple encourages updates with it’s Auto-downloading feature is so that customers are always mindful of the need to upgrade. Because Apple’s OS updates are free, Apple’s only incentive is to protect its customers, not develop a revenue stream. On the other hand, forcing users to upgrade before they’ve certified their mission critical apps would be inappropriate.  Apple has chosen a wise middle ground. “macOS Sierra Now Auto-downloading, but not Auto-installing.

After a new macOS release, there are lots of articles that will guide you though the update of your apps so you can then update your OS. Here’s one by our Bob LeVitus: “macOS Sierra and App Compatibility.

The bad guys are resourceful and aggressive. Apple customers should never assume they can do nothing and get away with it.

_______________________

Teaser image via Shutterstock.

7
Leave a Reply

Please Login to comment
7 Comment threads
0 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
7 Comment authors
andruszvpndevScott B in DCgeoduck Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of
andrusz
Member
andrusz

PureVPN is an American company? I do not see a canary letter on their web site. Which means all your data goes directly to NSA, etc. Thank you very much!

Member
Stacy Michal

Apple security is a big concern nowadays, thats why i would recommend PureVPN’s iOS App to hide our online private data

vpndev
Member
vpndev

“For those not familiar with reading Apple Security bulletins, the addressed vulnerabilities mention ‘Available for: OS X El Capitan v10.11.6,’ but this means the vulnerability was found in OS X El Capitan and fixed only if you update to macOS Sierra.” That is NOT the meaning I have from reading that text. To me, “Available for: OS X El Capitan v10.11.6” means that the fix for this vulnerability is available for 10.11.6. I would like someone with easy access to Apple to query this interpretation – it has been tossed around a lot lately and it’s time that Apple defined… Read more »

Scott B in DC
Member
Scott B in DC

“There are lies, damned lies, and statistics.” Counting the number of vulnerabilities fixed is a red herring. One would expect that newer software would require more maintenance than more mature software. It’s the nature of the beast. It is also irresponsible reporting. Rather than suggesting Sierra is “more secure” because of the fixes, I will contend that Sierra is less secure because it requires additional hardening. Further this “Vrijenhoek” is wrong based on real analysis of the systems. If Apple has a CVE open for a vulnerability in El Capitan and reports to the government that it is fixed and… Read more »

geoduck
Member
geoduck

So with luck I’ll be updating to a new MBP in the next month. My old one is going to my wife to replace her 2008 MB running Snow Leopard. “Aw darn honey, the system has Sierra on it. I guess that old Filemaker from a decade or more ago is going to have to go. And the other Apps that you love, I guess you’ll have to upgrade them too. Sorry. But look you get a 15 inch screen.”

There’s method in my madness.,

exAppl0088
Member
exAppl0088

Excellent article! As ex Apple employee #0088 i always read your editorials and
Particle Debris blog which are the best rational viewpoint on Apple on the Web.

As a developer still using Terminal for development, i would like to read a
regular article about the issues that arise with new major MacOS releases for the
world of unix development tools installed via HomeBrew, MacPorts and the like.

E.G. database engines like Postgres, Java SDK development, JAVA EE, and the
like which i use with BBEdit, for my (now outdated) habits of CLI development.

Keep up the good (rational) work.