Apple’s MacOS Decision Is Bad News For MacBook Pro Owners | #macos | #macsecurity

Part of updating macOS (or indeed any any operating system) is to patch out any vulnerabilities and address any security concerns. Attention this weekend has been drawn to a ‘watering hole’ attack on macOS and Apple’s response across the macOS platform. 

Andrew Cunningham reports: “News is making the rounds today, both via a write-up in Vice and a post from Google’s Threat Analysis Group, of a privilege escalation bug in macOS Catalina that was being used by “a well-resourced” and “likely state-backed” group to target visitors to pro-democracy websites in Hong Kong.”

Putting aside the political implications of the vulnerability, how Apple has dealt with this issue needs to be discussed.

The normal advice is to keep your operating system as up to date as possible, and Apple continues to push “update now” messages to Mac owners. Unfortunately this view is rather problematic given Apple’s approaches to security updates.

Not everyone can update to the latest version of macOS. For those consumers, Apple continues to release security updates for older hardware, and the general view (although unconfirmed) is two further years of security updates are offered after hardware is unable to upgrade to the new OS proper.

Which is where Apple has apparently made a poor decision. The aforementioned vulnerability was patched in macOS Big Sur on February 1st this year, but it was not patched in macOS Catalina at the same time. Security Analyst Josh Long writes:

“This wasn’t patched for Catalina until Sept 23. Not mentioned: This was 234 days after #Apple patched the same [vulnerability] for Big Sur. Apple randomly choosing which [vulnerabilities] you patch for two prior macOS [versions] endangers customers.”

I struggle to see how Apple can reconcile this significant delay in securing its consumers computers, while it claims to offer the most secure platforms possible.

No doubt security researchers will be looking to see if this is an isolated case or the start of a pattern, but in the meantime there is something pro-active that Apple can do. It can talk openly and offer concrete information in how it handles the security updates.

First of all, be incredibly clear in both the support that is being offered to older versions of macOS, and how long at a minimum this support will last for. If Android manufacturers can offer this as standard, so can Apple. 

Also be clear on what is being updated. Changelogs full of “various bug fixes and security updates” is not enough. There’s nothing to be embarrassed about in showing what has been addressed. That said, given the lack of feedback offered to security researchers who take the time to submit vulnerabilities that are found, Apple’s default mode of “say as little as possible” is not serving it well in its relationship with the security community.

Most importantly, don’t delay updates for the older versions of macOS. Update everything quickly, and at the same time. Supporting the older versions of macOS does mean there are more hardware and software combinations to consider, but its still magnitudes less than the combinations that Windows has to deal with, and I’m sure Apple’s developer teams are on a par with Microsoft’s.

All of this takes place as Apple switches the macOS platform away from Intel to its own ARM-based silicon. Naturally Apple will be putting its efforts into the new architecture, but there is a considerable amount of life left in the Intel range, a digital life that demands the security of macOS over the next few years.

Security is as much about appearances as it is about implementation. Apple’s aura suggests that this will all be fine and everything will stay secure. But its recent actions could call that into question. 

Now read the latest Mac, iPhone and iPad headlines in Forbes’ regular Apple Loop column…

Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

+ twenty two = thirty