Concerned about OS X fragmentation and security? Don't be

Think platform fragmentation is something only Android users need to worry about? Over at the Sophos blog, Chester Wisniewski thinks Mac users should worry, too. Why? Because with the increasing pace of OS X updates, those who don’t or can’t update to the latest version of Mac OS may be left vulnerable to security exploits. Wisniewski claims that, “Apple appears to have stopped releasing security updates for OS X 10.6.8, 10.7.5 and 10.8.5.”

Before you fly into a panic and yank the power cords out of all your old Macs, let’s take a look at Wisniewski’s assertions.

First of all, his examples come largely from the enterprise market. According to his figures, 82 percent of enterprise Mac users are at risk because they haven’t updated to OS X Mavericks. But in the enterprise sector, adoption rates are generally slower anyway. The plurality of enterprise users are still using OS X Mountain Lion, with smaller (but not insignificant) chunks on Lion and Snow Leopard.

As if that sample weren't limited enough, it’s also worth noting that his numbers are based on those enterprise users who have installed Sophos Anti-Virus for Mac Home Edition. That software might be attractive to some companies because it's free. But Sophos also sells a wide range of products aimed specifically at the enterprise. So while those enterprise users of the Sophos home product might account for a decent number of computers, it’s unclear whether it’s truly representative of the enterprise market as a whole.

And what about Wisniewski’s claim that Apple has stopped releasing security updates for earlier versions of OS X? The most recent update was 2013-004 on September 12 of last year; it was issued in Snow Leopard and Lion versions. Mountain Lion users got 10.8.5, which received additional security patches in October. Mavericks was released in late October, with a 10.9.1 update arriving in December. Apple also patched both versions 6 and 7 of Safari in December, which brought fixes to Lion and Mountain Lion (though not Snow Leopard).

The fact is that Apple regularly goes months between releases of security updates. And while patching vulnerabilities on older versions of the OS is important, it may take a back seat to fixing the current version of the OS. Either way, it seems too soon to declare that Apple has given up all support for previous versions of OS X.

Finally, Wisniewski also contends that Apple has left older users out in the cold:

“It is a nice gesture that OS X 10.9 Mavericks is a free upgrade, but not everyone can upgrade. OS X 10.8 Mountain Lion has only been available for 15 months and is apparently already orphaned.”

Calling Mountain Lion “orphaned” is a bit misleading. Every Mac that’s capable of running Mountain Lion is also capable of running Mavericks. In that sense, Mavericks provides a full upgrade path for those users.

Lion is a little more difficult: Most Macs running Lion can handle Mavericks—the newest machine that can’t is from 2008, and there are only a handful of them. Snow Leopard, for its part, has been relegated to the OS of choice for many legacy machines, and while that shouldn’t mean being denied security updates, you have to know what you’re getting into when your operating system is five years old and has been superseded by three later updates.

Wisniewski and I are in agreement about one thing: Apple should publicly state what level of support it’s providing for older versions of OS X and for how long, especially if it plans to continually release new major updates every year. But while staying up to date with security patches may be a concern, fragmentation on the Mac and fragmentation on Android are still two very different ballgames.
