Apple policy document admits withholding security fixes for devices not on the latest supported OSes

[AlTech]

Summary

 

Apple has released a policy document clarifying their policies on security updates.

 

Most of the information contained in the document was already known but, Apple admitted withholding security fixes from minor OS versions (what it calls "updates") that aren't on the latest OS version (what it calls " upgrades").

 

The policy said that whilst older supported "upgrades" would get some security ffixe in updates, not all security fixes are backported in updates provided to supported older "upgrades".

 

Security researchers have suspected this but were never able to prove this was the policy until Apple released the policy document admitting this.

 

This means that the only way to truly be safe against security issues on Apple Hardware is to stay on the latest OS version.

 

Quotes

Quote

 Most of the information in the document isn't new, but the company did provide one clarification about its update policy that it hadn't made explicit before: Despite providing security updates for multiple versions of macOS and iOS at any given time, Apple says that only devices running the most recent major operating system versions should expect to be fully protected.

Throughout the document, Apple uses "upgrade" to refer to major OS releases that can add big new features and user interface changes and "update" to refer to smaller but more frequently released patches that mostly fix bugs and address security problems (though these can occasionally enable minor feature additions or improvements as well). So updating from iOS 15 to iOS 16 or macOS 12 to macOS 13 is an upgrade. Updating from iOS 16.0 to 16.1 or macOS 12.5 to 12.6 or 12.6.1 is an update.

 

Quote

"Because of dependency on architecture and system changes to any current version of macOS (for example, macOS 13)," the document reads, "not all known security issues are addressed in previous versions (for example, macOS 12)."

Quote

In other words, while Apple will provide security-related updates for older versions of its operating systems, only the most recent upgrades will receive updates for every security problem Apple knows about. Apple currently provides security updates to macOS 11 Big Sur and macOS 12 Monterey alongside the newly released macOS Ventura, and in the past, it has released security updates for older iOS versions for devices that can't install the latest upgrades.

 

 

My thoughts

 Not gonna lie I think this should be illegal. If an OS version is a supported OS and the decekopers know it has security issues they should be legally obligated to fix them or to drop support for that OS entirely.

 

The justification provided by Apple that new OS versions have different dependencies on architecture changes and system changes sounds legit until you realuze that macOS hasn't changed that drastically under the hood since macOS 11 and even then the only major under the hood change was ARM64 support; most of the other changes were cosmetic changes.

 

Sources

 https://arstechnica.com/gadgets/2022/10/apple-clarifies-security-update-policy-only-the-latest-oses-are-fully-patched/

Edited October 28, 2022 by AluminiumTech
Clarify security fixes vs updates

[Salv8 (sam)]

bro even microsoft updates older windows versions because it keeps the userbase safe.
they fuckin updated xp in 2014, AFTER THEY DISCONTINUED SUPPORT.

i don't like microsoft but i can commend their actions when it comes to important security patches.

 

this is just plain horrible, the people who can't afford the latest and greatest apple devices get fucked because an apple exec decided the aren't worth it?

not cool.

[hishnash]

Yer if you device supports a newer os version apple is unlikly to ship sec updates for the older one.  When apple does ship sec updates for older os version this is for devices that cant be updated further (do not support a newer os version). Some os versions just so turn out that every device that supports them supports the next os version so these os versions basicly never get sec updates as every device that can run them is able to update to the new major version. 

[hishnash]

6 minutes ago, Salv8 (sam) said:

this is just plain horrible, the people who can't afford the latest and greatest apple devices get fucked because an apple exec decided the aren't worth it?

Apple typicly will update os versions of devices that cant be updated for many years for sec updates. The os versions they do not provide sec updates for are os versions were every device that can run that os version is also able to run a newer version that does have the sec update.    Its not uncommon for there to be multiple year long spans of os versions were every single device can be upgrade. 

for example iOS 12 continues to get sec updates but there are no sec updates for 13, 14 as every device that runs 13 also runs 14 and also runs 15.  That is what this document is saying... if you device supports a newer os version apple is not going to ship sec updates to your current os version you need to update your os to the newerest version it supports to get the sec updates. 

[Dracarris]

13 minutes ago, Salv8 (sam) said:

the people who can't afford the latest and greatest apple devices get fucked

iOS 16 goes back to the iphone 8 from 2017

iOS 15 goes back to the iphone 6S from 2015

 

Every device gets regular security updates on the latest supported OS for that device, even if that OS is not the "current" one.

iOS 12 which goes back to the iphone 5S from 2013 was last updated this August, 57 days ago.

 

That's planned obsolescence right there ladies and gents. They diabollically plan for your phone to break down only 9 years after purchase.

[Gamer Schnitzel]

If you are too poor to upgrade to the newest iPhone every year then you deserve any malware coming for you.

[Arika]

 

 

32 minutes ago, Dracarris said:

Every device gets regular security updates on the latest supported OS for that device, even if that OS is not the "current" one.

So you're saying that a device that the last supported OS is iOS15 will get all security updates, but a device that can upgrade to iOS16, but decides to stay on iO15 doesn't get those exact same security updates that the older device gets?

 

that's some bullshit.

 

Imagine if Microsoft did that.

"oh, your computer can upgrade to Windows 11, but you're still on Windows 10? you don't get any updates or patches you have to upgrade!"

 

[AlTech]

1 hour ago, hishnash said:

Yer if you device supports a newer os version apple is unlikly to ship sec updates for the older one.  When apple does ship sec updates for older os version this is for devices that cant be updated further (do not support a newer os version). Some os versions just so turn out that every device that supports them supports the next os version so these os versions basicly never get sec updates as every device that can run them is able to update to the new major version. 

That is a separate issue of Apple witholding older updates on IOS, iPadOS, and watchOS when devices support a newer version.

This thread topic is about Apple witholding security fixes regardless of whether the device can run a new major version or not.

I said fixes throughout the original post cos Apple does put out security updates for older OSes but those are missing fixes for known security issues because Apple decided not to fix them in older OSes.

[AlTech]

58 minutes ago, Dracarris said:

iOS 16 goes back to the iphone 8 from 2017

iOS 15 goes back to the iphone 6S from 2015

And IOS 15 users aren't necessarily getting all the security fixes that IOS 16 gets because if Apple's policy.

 

So people with the 6S (or 6S Plus), SE 1st gen, and 7 (or 7 Plus) are screwed when it comes to security.

58 minutes ago, Dracarris said:

Every device gets regular security updates on the latest supported OS for that device, even if that OS is not the "current" one.

iOS 12 which goes back to the iphone 5S from 2013 was last updated this August, 57 days ago.

Which still doesn't receive all the fixes that are eligible to he fixed. See what I've said above as well as my original post

58 minutes ago, Dracarris said:

That's planned obsolescence right there ladies and gents. They diabollically plan for your phone to break down only 9 years after purchase.

If they say they're supporting an OS it should actually mean they're supporting it and if they don't want to support it then they shouldn't but Apple can't have it both ways.

[rikitikitavi]

40 minutes ago, Gamer Schnitzel said:

If you are too poor to upgrade to the newest iPhone every year then you deserve any malware coming for you.

Let me correct you - if you are too poor to upgrade your iPhone every 7-8 years... so you can get the latest OS... and after that only a lacklustre support of semiannual (or so) security updates for another several years... just unforgivable planned obsolescence...

[AlTech]

3 minutes ago, rikitikitavi said:

Let me correct you - if you are too poor to upgrade your iPhone every 7-8 years... so you can get the latest OS... and after that only a lacklustre support of semiannual (or so) security updates for another several years...

That doesn't make what Apple's doing right. It leads people into a false sense of security.

3 minutes ago, rikitikitavi said:

just unforgivable planned obsolescence...

 

[rikitikitavi]

4 minutes ago, AluminiumTech said:

And IOS 15 users aren't necessarily getting all the security fixes that IOS 16 gets because if Apple's policy.

Or it only means that iOS 13 and 14 don't get the updates, since there is no point - all devices are compatible with iOS 15 (6S being the low bar).

So basically with iOS 16 they drop 6S and 7 gen devices.

[WhitetailAni]

7 minutes ago, AluminiumTech said:

And IOS 15 users aren't necessarily getting all the security fixes that IOS 16 gets because if Apple's policy.

Um... no. iOS 15.7 includes every fix that iOS 16.0 provides that apply to iOS 15.

 

Apple received a serious WebKit and kernel exploit vulnerability chain. It was patched in iOS 15.6.1. Only the WebKit vuln was patched in 12.5.6, since the kernel exploit didn't apply.

 

A codesigning bug applies to only iOS 14.0-15.5b4 + 15.6b1-b5. The issue was introduced in 14.x. Older OS's may not need some fixes because they don't have the flaws.

[rikitikitavi]

8 minutes ago, AluminiumTech said:

It leads people into a false sense of security.

You will have to give me example of a certain pool of users you are talking about who keep their smartphones for this long and use it the way that it can be compromised.

 

Cause I can't really thing of anyone, aside from randos, the only big pool I know are people who keep their iPhones (any phone) for way longer and don't use it any different than a regular cellphone/dumbphone, so no special apps (Apps drop support), most probably no internet usage, just SMS and calls...

[AlTech]

7 minutes ago, FakeKGB said:

Um... no. iOS 15.7 includes every fix that iOS 16.0 provides that apply to iOS 15.

And will IOS 15 get all the fixes that 16 gets in the next year or two? Probably not even if a lot of the bugs affecting 15 will affect 16.

7 minutes ago, FakeKGB said:

Apple received a serious WebKit and kernel exploit vulnerability chain. It was patched in iOS 15.6.1. Only the WebKit vuln was patched in 12.5.6, since the kernel exploit didn't apply.

 

A codesigning bug applies to only iOS 14.0-15.5b4 + 15.6b1-b5. The issue was introduced in 14.x. Older OS's may not need some fixes because they don't have the flaws.

The policy document that Apple released says Apple does withhold at least some fixes in updates for older OSes.

[Blademaster91]

So if someone is using an older device and can't upgrade to the latest mac or iphone they won't get the same patches as the latest OS version, that just seems so typical of apple, instead of clearly stating what the updates contain they f*&k their consumers over by not fully patching the previous OS versions.

And with macs it seems like they want to kill off the intel macs, considering they dropped OS support with the 2016 macbooks.

[rikitikitavi]

5 minutes ago, AluminiumTech said:

And will IOS 15 get all the fixes that 16 gets in the next year or two? Probably not even if a lot of the bugs affecting 15 will affect 16.

Who says?

5 minutes ago, AluminiumTech said:

The policy document that Apple released says Apple does withold at least some fixes in updates for older OSes.

So... again, doesn't mean much - 15.8 might get a certain security patch, while 14.x won't, because no one cares for 14.x, since the last (cutoff point) iOS was 12 (5S and 6)

[hishnash]

1 hour ago, AluminiumTech said:

This thread topic is about Apple witholding security fixes regardless of whether the device can run a new major version or not.

 

History has shown that Apple doe ship out sec updates for devices that cant be updated to the newer os however. They might not provide a legal promise of shipping sec updates but in reality they do. Not for every, im sure it is many many years since the Apple I got a sec update and im sure the software is full of security holes but in general device sold in the last 10 years will be getting sec updates. 

 

 

58 minutes ago, Blademaster91 said:

So if someone is using an older device and can't upgrade to the latest mac or iphone they won't get the same patches as the latest OS version

That is not what this is saying, it is saying that apple is not going to ship sec updates for every os version in the past. If you look at the sec updates history os versions were they are the latest version for older hardware tend to get sec updates quite often, but os updates were all the hardware that supports them has newer versions do not get sec updates but that point released (16.0 does not get a 16.0.1 sec update if 16.1 is already out) or major released like iOS 13 since every device that supports this also supports iOS 14 (and 15). 

 

[BlueChinchillaEatingDorito]

On 10/27/2022 at 5:15 PM, Blademaster91 said:

So if someone is using an older device and can't upgrade to the latest mac or iphone they won't get the same patches as the latest OS version, that just seems so typical of apple, instead of clearly stating what the updates contain they f*&k their consumers over by not fully patching the previous OS versions.

Me looking at my Galaxy A5 2017 that hasn't gotten a security patch since... last year. Or my workplaces fleet of Galaxy S8/S9s that have been forcefully disabled on our network due to not receiving updates. Again... are we going to address that or just keep beating the dead horse of "Apple bad"? I'm just saying. There are far more unsecured Android handsets out in the wild and yet that always get brushed under the rug because of this ongoing narrative.

 

Edit:

And don't get me started on ChromeBooks and ChromeBoxes. For what is supposedly an extremely lightweight OS that is essentially just a Chrome browser... there is literally no excuse for those to be out of support after 4 years. It's a bloody web-browser. It's not like the same core hardware within these devices aren't running Windows or Linux somewhere else which supports the latest version of Chrome. 

[Roswell]

2 hours ago, Arika S said:

 

 

So you're saying that a device that the last supported OS is iOS15 will get all security updates, but a device that can upgrade to iOS16, but decides to stay on iO15 doesn't get those exact same security updates that the older device gets?

 

that's some bullshit.

 

Imagine if Microsoft did that.

"oh, your computer can upgrade to Windows 11, but you're still on Windows 10? you don't get any updates or patches you have to upgrade!"

 

You realize they’re still supporting Catalina, which covered machines released 10 years ago, right?
 

You’re honestly suggesting they go back and start supporting OS X Lion that came on those machines…

 

Except OS X Lion supports Macs from 2008. You’re sitting there with a straight face whining about how Apple no longer supports 2008 Core 2 Duo machines. Lol.

Support has to end somewhere.

 

[Arika]

9 minutes ago, Roswell said:

You realize they’re still supporting Catalina, which covered machines released 10 years ago, right?
 

You’re honestly suggesting they go back and start supporting OS X Lion that came on those machines…

 

Except OS X Lion supports Macs from 2008. You’re sitting there with a straight face whining about how Apple no longer supports 2008 Core 2 Duo machines. Lol.

Support has to end somewhere.

 

read what i wrote again, and also what the person i'm replying to wrote, that's not what i'm saying at all.

[AlTech]

19 minutes ago, Roswell said:

You realize they’re still supporting Catalina, which covered machines released 10 years ago, right?
 

Actually the release of macOS 13 means that macOS Catalina's support is discontinued barring any seriously bad security issue.

19 minutes ago, Roswell said:

 

You’re honestly suggesting they go back and start supporting OS X Lion that came on those machines…

 

Except OS X Lion supports Macs from 2008. You’re sitting there with a straight face whining about how Apple no longer supports 2008 Core 2 Duo machines. Lol.

Support has to end somewhere.

 

Sure but giving macOS 11 and macOS 12 proper security fixes for issues and not withholding fixes whilst they're supported should be how they're handling supported OSes.

[AlTech]

2 hours ago, rikitikitavi said:

Who says?

History. Apple's done this with IOS and macOS. macOS Catalina and Big Sur didn't receive all the fixes that it should have because Apple chose not.

2 hours ago, rikitikitavi said:

So... again, doesn't mean much - 15.8 might get a certain security patch, while 14.x won't, because no one cares for 14.x, since the last (cutoff point) iOS was 12 (5S and 6)

That's a separate issue but that's not what this topic is about.

[WhitetailAni]

2 hours ago, AluminiumTech said:

And will IOS 15 get all the fixes that 16 gets in the next year or two? Probably not even if a lot of the bugs affecting 15 will affect 16.

Well, let's look at iOS 12. 

Spoiler

For those curious, Peace is the iOS 12 codename and Yukon is the iOS 13 codename.

Do you know what Apple did? They fixed bugs in both iOS 12 and 13. And then fixes from 14 too. And even fixes from 15. iOS 15.7 patched the same things as iOS 16.0, iOS 15.7.1 (not yet released, we have an RC) is likely to patch the same things as 16.1.

 

They still patch Big Sur and Monterey. macOS 11.7.1 and 12.6.1 were released a few days ago.

 

Also, another thing you have to remember. Exploitation of modern-day iOS and macOS is really flippin' hard.

Want to pwn iOS 16? Good luck. You have to get:
1. kernel exploit that can NOT be a use-after-free type bug (iOS 16 broke using these entirely).
2. PAC or PPL bypass
3. amfi taskport
4. LaunchConstraints patch
5. sandbox escape
6. KTRR bypass
7. optional, but recommended: KPP patch

If you want to make it deployable from Safari, you'll have to find a useful WebKit exploit too. WebKit vulns are plenty, useful ones are not.

 

macOS is somewhat easier as it's not as locked down, but in its default state it's not easy to get malware on a Mac. Gatekeeper is very good at its job of preventing malicious software from being run, and the drive to create malware for macOS isn't there as it's A. much more difficult B. smaller userbase.

[RedRound2]

Another example of pathetic iHateApple fanboy club threads going on around in this forum.

 

One, all devices that are eligible for major upgrades automatically get security patches with the upgrades. Which might I remind of all of you typically stretches from anywhere between 4-7 years. For the last two versions of iOS I believe, Apple hasn't made it mandatory to people to immediately update to latest iOS until .1 or .2 release. So security patches also roll out for previous versions

 

If say some devices are not eligible for the upgrade, Apple has always rolled out major security updates for those previous versions like iOS 12. People have cited examples here.

 

Again, a nothing burger article that just says that Apple can't always patch every single thing in every Apple device since Apple was founded. It has to be written for legal purposes, but of course the fnadom takes it and runs with it like there's no tomorrow.

 

Also, the alternative that nobody seems to dare utter here.  People are jumping straight to windows even though Android is more comparable here. You think all the billions of android phones, mostly lying in the mid to low tier phones are getting updates regularly? Heck, hasn't google said they will only support 3 years of security patches? The irony and double standard are quite mind-blowing here.