Apple policy document admits withholding security fixes for devices not on the latest supported OSes

AlTech
35 minutes ago, Just that Mario said:

How the update(s) are applied is very relevant. There have been updates for Windows in past that required you to download previous updates. If you can't be arsed to do that, then that's on you. You cannot realistically expect infinite support for everything. Software pretty much always goes forward in versions. Exclusive long term backwards compatibility and X version support is not a realistic expectation.

This entire topic seems to be nothing but sh*ttalking and making a non-issue into an issue, because "ApPlE bAd" and because "what if...". Reality is that what if you want to use a specific old version of OS and refuse to update, but still want the latest specific update for your specific OS version you simply update your damn OS or f*ck off and go touch some grass? May be hard concept for some, but world doesn't revolve around you nor your specific needs and wants.

Not supporting something is fine, I don't see people arguing against that. However, if you don't support something then you don't say that you do. If you only partially support something, you should explicitly state partial support and at least state the caveats mentioning which security updates, for example, you cannot provide due to e.g. architectural reasons or others.

Crystal: CPU: i7 7700K | Motherboard: Asus ROG Strix Z270F | RAM: GSkill 16 GB@3200MHz | GPU: Nvidia GTX 1080 Ti FE | Case: Corsair Crystal 570X (black) | PSU: EVGA Supernova G2 1000W | Monitor: Asus VG248QE 24"

Laptop: Dell XPS 13 9370 | CPU: i5 10510U | RAM: 16 GB

Server: CPU: i5 4690k | RAM: 16 GB | Case: Corsair Graphite 760T White | Storage: 19 TB

5 hours ago, Just that Mario said:

This entire topic seems to be nothing but sh*ttalking and making a non-issue into an issue, because "ApPlE bAd" and because "what if...". Reality is that what if you want to use a specific old version of OS and refuse to update, but still want the latest specific update for your specific OS version you simply update your damn OS or f*ck off and go touch some grass? May be hard concept for some, but world doesn't revolve around you nor your specific needs and wants.

Let me guess, you backed up Apple on the antennagate issue by following their "you're holding it wrong" and anyone who points out that it's a real problem is just doing "what ifs" on impossible ways of holding the phone.

The fact is people are saying what the issue is and then people like you are coming in and not reading what people are posting and only grabbing tidbits of what is said and claiming that it's perfectly okay (or people are stretching the truth).

To bring the MS analogy that you keep bungling up in understanding it's simple. W10 EOL is 2025, where updates are provided. W11 is the current gen Windows. Would you think it's okay if they updated W10 but left out security updates that apply to both Windows 11 and Windows 10 but decided to only fix it in Windows 11? That's what people are arguing Apple is effectively doing. They claim to support 2 OS's during transitions, but they secretly don't provide all the security updates to the older one. That is a big issue not fixing security updates (while still claiming to support the OS and while having the update doing the generic phrases fixed security updates).

In general it's that Apple is being non-transparent in regards to their updates.

3735928559 - Beware of the dead beef

Apple Bad! The fact that they don't update literally every OS release with backports of security fixes even though those same devices more than likely could update their OS and get the patches proves it! Don't you know Apple slowed down iPhones?!

Laptop: 2019 16" MacBook Pro i7, 512GB, 5300M 4GB, 16GB DDR4 | Phone: iPhone 13 Pro Max 128GB | Wearables: Apple Watch SE | Car: 2007 Ford Taurus SE | CPU: R7 5700X | Mobo: ASRock B450M Pro4 | RAM: 32GB 3200 | GPU: ASRock RX 5700 8GB | Case: Apple PowerMac G5 | OS: Win 11 | Storage: 1TB Crucial P3 NVME SSD, 1TB PNY CS900, & 4TB WD Blue HDD | PSU: Be Quiet! Pure Power 11 600W | Display: LG 27GL83A-B 1440p @ 144Hz, Dell S2719DGF 1440p @144Hz | Cooling: Wraith Prism | Keyboard: G610 Orion Cherry MX Brown | Mouse: G305 | Audio: Audio Technica ATH-M50X & Blue Snowball | Server: 2018 Core i3 Mac mini, 128GB SSD, Intel UHD 630, 16GB DDR4 | Storage: OWC Mercury Elite Pro Quad (6TB WD Blue HDD, 12TB Seagate Barracuda, 1TB Crucial SSD, 2TB Seagate Barracuda HDD)

7 hours ago, mr moose said:

How they are applied is moot. 

No it isn't. It is an extremely important aspect.

Not all questions are as simple as a yes or no. That especially applies to security related things.

Also, I do think that Microsoft are withholding security updates for their OSes. Their method of versioning is completely different so it can't be compared, but it is true for both OSes that if you want to install the latest security updates you will also have to install what some call "feature updates". In practice, it is the same thing. The only difference is what Apple and Microsoft call their updates on paper.

Apple might increase the number from iOS 15 to iOS 16, and Microsoft might call it Windows build 22621.755 with experience pack 1000.22636.1000.0.

Something else that is also important to note is that roughly 90% of all iOS users are on the latest version of iOS for their device, the fully patched version.

So 90% of their users are fully patched even if we assume that they are withholding patches for older versions.

On Windows, less than 25% are on the latest version.

How anyone can say that isn't relevant is beyond me. One company is keeping 90% of their users fully patched and up to date, and the other would not even have 25% of their users fully patched if they did the things Apple are accused of (but we don't have any evidence of doing in practice). That obviously matters.

At the end of the day, what matters is keeping users secure. That is the only absolute most important thing in this discussion. One method of keeping their users safe does not necessarily work for a different company selling different products for different purposes. Not all companies can or should act precisely the same way.

 

Just because one company can keep 90% of their users safe by using one policy does not mean we shouldn't give another company a free pass to do the same if it would result in over 75% of their users being vulnerable. What matters is how close to 100% that number is.

By the way, to all the people who say things like this:

2 hours ago, wanderingfool2 said:

Would you think it's okay if they updated W10 but left out security updates that apply to both Windows 11 and Windows 10 but decided to only fix it in Windows 11?  That's what people are arguing Apple is effectively doing.

please read the news article. Because this is not what is happening.

 

Here is what the news topic actually says:

1) If you want the most secure version of an OS from Apple, you need to have the latest version.

2) The news here is that Apple has clarified that they MAY (it does not say they are) not make all security related adjustments to older versions of the OS. This does not specify security patches but rather it could also refer to new security features. If it is the latter, then it is EXACTLY how other OSes do it as well, including Windows. New security features do not always get backported to currently supported OSes.

For example Smart App Control is a security feature in Windows 11 that Microsoft could implement in Windows 10 if they wanted, but chooses not to, even though Windows 10 is still supported.

3) The article mentions that while some security patches have been slower to get pushed to older versions of Apple's OSes, they have still gotten them, just not as quickly. Sometimes it might have taken a month or two for the security patch to reach all older devices.

4) The article specifically mentions that when a device has not been able to do a full upgrade to the latest OS, Apple have released additional updates to the old OS which do contain all the expected security related things.

Today in "corporations are not your friends"....

CPU - Ryzen 7 3700X | RAM - 64 GB DDR4 3200MHz | GPU - Nvidia GTX 1660 ti | MOBO -  MSI B550 Gaming Plus

3 hours ago, LAwLz said:

please read the news article. Because this is not what is happening.

 

Here is what the news topic actually says:

1) If you want the most secure version of an OS from Apple, you need to have the latest version.

2) The news here is that Apple has clarified that they MAY (it does not say they are) not make all security related adjustments to older versions of the OS. This does not specify security patches but rather it could also refer to new security features. If it is the latter, then it is EXACTLY how other OSes do it as well, including Windows. New security features do not always get backported to currently supported OSes.

For example Smart App Control is a security feature in Windows 11 that Microsoft could implement in Windows 10 if they wanted, but chooses not to, even though Windows 10 is still supported.

Quote

Note: Because of dependency on architecture and system changes to any current version of macOS (for example, macOS 13), not all known security issues are addressed in previous versions (for example, macOS 12).

It's Apple hiding behind their vagueness of what they define as security issue.  So I am still saying, it's exactly like what I said.  The way Apple worded it, they are heavily implying that known vulnerabilities might not be patched.  It's like having Windows 10 and Windows 11 and finding a vulnerability and only patching it for a newer version, because it's too hard for the older version.  Apple hides behind the vagueness of security updates (where security researchers suspect they don't update for previous systems as well).

 

Sure it also may fit like the Smart App like you mentioned, but based on Apple article I would classify it as a feature of the upgrade and not classified towards update.  It all seems like Apple playing around with wording, but it's wrong to say the "latest" version

 

3735928559 - Beware of the dead beef

On 10/28/2022 at 12:47 PM, AluminiumTech said:

I'm not part of any fanboy club hating Apple. If any other company did this I would be just as unhappy with them. This isn't cool no matter who does it.

Then android? It's not even a secret at this point how poorly android phones are updated?

And again you misrepresent the issue at hand and it's basically a nothing burger. Everyone owning an iDevice will either get the security patch in the next upgrade, or if it is not eligible for upgrade, it will get it in a supplementary update. But please don't expect your iPhone 3G to get fixes from iOS 16

On 10/28/2022 at 12:47 PM, AluminiumTech said:

See above.

Not always. iOS 12 is an exception but not the rule. The only other examples were IOS 9 and IOS 10.

iOS 12 dropped support for a lot of devices. iOS 16 also dropped support for many devices as well. Whichever vulnerability fixes are made for newer version that has dropped support for many devices, the patches are rolled out to the previous version as well. I don't know how many times I have to explain this

On 10/28/2022 at 12:47 PM, AluminiumTech said:

That's a gross mischaracterisation and I think you know it. The article is saying Apple doesn't fix all the issues they know about on older macOS and IOS versions that are supported because Apple isn't bothered.

Do you not understand English when I say these patches are available in the next OS upgrade. So unless you opt to stick with older version intentionally, NO ONE WILL BE AFFECTED

On 10/28/2022 at 12:47 PM, AluminiumTech said:

Android security patches for different android versions don't secretly have fixes withheld from them and only given to the latest Android version if an issue affects multiple versions.

Secretly withheld? What.

Android patches don't even roll out to majority of the phones in timely manner. That's just been known for a long time and people are okay with it. But the irony is it isn't even a real issue, and is made to look like an issue that android has been having since beginning (another irony)

On 10/28/2022 at 2:33 PM, Sauron said:

The difference being that Google has at least been upfront about it. And if you are still getting patches and updates you can safely assume security updates are also in there for problems that are known and fixed on other versions. The problem with Apple here is the lack of transparency; if they had said upfront that older versions are just not fully supported and you should upgrade as soon as possible if you care at all about security updates then it would have been fine or at least understandable.

What is Google upfront about? None of the android manufacturers are upfront and very clear about updates, except for flagships.

 

What you claim about lack of Apple's transparency was common sense. It doesn't need to be mentioned to anyone that a huge iOS version update also includes latest security patches. I believe it is mentioned in the release notes as well.

On 10/28/2022 at 2:33 PM, Sauron said:

Yeah, and yet another example of you showing up to throw around the usual WELL WHAT ABOUT GOOGLE when it's pretty irrelevant to the discussion. Are you not capable of discussing a critique of Apple without jumping on the defensive and attacking their competition? It can simultaneously be true that Apple did something wrong here and that Google also does things that are wrong or bad. We're not talking about Google though.

The thing with exploits is that if they are known they usually get fixed. If there were obvious attack vectors they'd already have been addressed; it's the non-obvious that gets you.

Are you fucking blind? My first two paragraphs from original post were how this article was grossly skewed to make it seem something else. My last paragraph was just stating that this "something else" has been going on Google land since beginning and nobody cares. So even if this was an actual issue, the double standards when it comes to Apple is mind boggling.

16 hours ago, wanderingfool2 said:

It's Apple hiding behind their vagueness of what they define as security issue.  So I am still saying, it's exactly like what I said.  The way Apple worded it, they are heavily implying that known vulnerabilities might not be patched.  It's like having Windows 10 and Windows 11 and finding a vulnerability and only patching it for a newer version, because it's too hard for the older version.  Apple hides behind the vagueness of security updates (where security researchers suspect they don't update for previous systems as well).

 

Sure it also may fit like the Smart App like you mentioned, but based on Apple article I would classify it as a feature of the upgrade and not classified towards update.  It all seems like Apple playing around with wording, but it's wrong to say the "latest" version

But it's not what you said.

You have chosen to interpret in bad faith and are arguing that is the truth, yet we have zero evidence of them actually doing what you claim that they do.

 

A "security issue" might be "this version of the software that exists in both versions of the OS is vulnerable", but it might also be "we have developed a new feature to combat a new type of threat, and that new function only exists in the newest version of the OS". I am not sure why you are so hellbent on the first interpretation being the correct one when we don't know which one it might be, and so far it seems to be the latter one.

 

Also, can you please link to the security researchers that are saying "they don't update for previous systems"? Because the original article explicitly contradicts this. They say they do update the older version, just that those versions sometimes have to wait a bit longer to get the applicable security patches.

9 hours ago, LAwLz said:

But it's not what you said.

You have chosen to interpret in bad faith and are arguing that is the truth, yet we have zero evidence of them actually doing what you claim that they do.

 

A "security issue" might be "this version of the software that exists in both versions of the OS is vulnerable", but it might also be "we have developed a new feature to combat a new type of threat, and that new function only exists in the newest version of the OS". I am not sure why you are so hellbent on the first interpretation being the correct one when we don't know which one it might be, and so far it seems to be the latter one.

 

Also, can you please link to the security researchers that are saying "they don't update for previous systems"? Because the original article explicitly contradicts this. They say they do update the older version, just that those versions sometimes have to wait a bit longer to get the applicable security patches.

lol, you went on trying to claim I didn't read the article and now trying to say that I didn't say something.  The simple fact is I DID say effectively what I said in the previous post as well.  So better work on your reading comprehension.

 

The wording is quite clear that Apple chooses not to always update security issues on older IOS's that are still supported (and receive some security patches).  It's not arguing in bad faith, I quoted where Apple spells it out quite clearly and you are the one with your head in the sand and arguing in bad faith.  Look at the line I bolded in yours, the bit bolded is exactly everything that is wrong with what Apple is doing and matches my example almost exactly.  At this point you are the one arguing in bad faith.

 

Windows 10 gets a patch, but doesn't include a security fix that was already fixed in Windows 11.

 

But since you linked to ask me to "please read the news article" then maybe you should get your eyes checked as from the specific article

Quote

This confirms something that independent security researchers have been aware of for a while but that Apple hasn't publicly articulated before. Intego Chief Security Analyst Joshua Long has tracked the CVEs patched by different macOS and iOS updates for years and generally found that bugs patched in the newest OS versions can go months before being patched in older (but still ostensibly "supported") versions, when they're patched at all.

If you can't figure out that this is exactly what everyone is arguing is a stupid policy by Apple (AS IT IS A SUPPORT OS where they leave a vulnerability unpatched) then you obviously don't know much about security.  People can look up the CVE, look at patches from new iOS and use that information to create an attack vector for the supposedly supported older version.

 

Again, this doesn't really  happen on Windows.  Lag behind in updates happens on Android, but the general consensus is that Android is less secure and people know that.  Apple positions themselves on security (and in cases like this sometimes security through obscurity). 

3735928559 - Beware of the dead beef

Apple out here supporting smart phones from 2015, but apple the villain. Ok.
IOS16 gets priority and runs on iphone8 and newer, and then when it can, pushes security fixes to 6s and 7 which are running an os  which hey I get? I used the 6s until December 2021 where I upgraded to a 12.

Also, no, windows does not go around updating old OS unless the security issue is significant. Once we got past standard support, not every security issue found in windows 10 was immediately pushed onto windows 7.

Apple afaik has made no claims to continue supporting IOS15 either, 16 came out 48 days ago, 16 got all its updates, then 15 got what may be its last update ever 3 days ago. If you are on 15 with an 8 or newer, you the user are in the wrong. Generally once a major revision comes out, the older OS gets no more updates. They are withholding nothing from operating systems that they support.

1 hour ago, starsmine said:

Apple out here supporting smart phones from 2015, but apple the villain. Ok.
IOS16 gets priority and runs on iphone8 and newer, and then when it can, pushes security fixes to 6s and 7 which are running an os  which hey I get? I used the 6s until December 2021 where I upgraded to a 12.

Also, no, windows does not go around updating old OS unless the security issue is significant. Once we got past standard support, not every security issue found in windows 10 was immediately pushed onto windows 7.

Apple afaik has made no claims to continue supporting IOS15 either, 16 came out 48 days ago, 16 got all its updates, then 15 got what may be its last update ever 3 days ago. If you are on 15 with an 8 or newer, you the user are in the wrong. Generally once a major revision comes out, the older OS gets no more updates. They are withholding nothing from operating systems that they support.

Apple is getting called out because they are "supporting" IOS versions by providing updates and such to them, but not actually providing all the security updates that might be applicable (and the fact that they finally released this document that lays it out).

 

With Windows, security updates were pretty much released at the same time for supported version...and yes IOS 15 is supported still (they keep pushing updates). If the claim is as soon as they release IOS 16 that IOS 15 falls out of support then they should be clear about that, but they still issue "updates" which are vague enough that most people think they are still getting the relevant patches.

 

It's no different how people call out Android and their horrible updating OS situation.  Just because a competitor has a terrible system doesn't excuse them for doing something stupid as well. 

3735928559 - Beware of the dead beef

On 10/27/2022 at 8:16 PM, hishnash said:

That is not what this is saying, it is saying that apple is not going to ship sec updates for every os version in the past. If you look at the sec updates history os versions where they are the latest version for older hardware tend to get sec updates quite often, but os updates where all the hardware that supports them has newer versions do not get sec updates but that point released (16.0 does not get a 16.0.1 sec update if 16.1 is already out) or major released like iOS 13 since every device that supports this also supports iOS 14 (and 15).

This news is that security fixes don't get applied to older devices, like say if you're still on iOS 15 you aren't going to get all of the patches like iOS 16 would, and apple is not being transparent with what updates are available for older OS versions. It doesn't make any sense for apple to say they support older OS versions, yet not put all the security fixes on older OS versions, it seems like apple is doing this so they say they support older versions of iOS and mac OS.

 

On 10/27/2022 at 9:28 PM, BlueChinchillaEatingDorito said:

Me looking at my Galaxy A5 2017 that hasn't gotten a security patch since... last year. Or my workplace's fleet of Galaxy S8/S9s that have been forcefully disabled on our network due to not receiving updates. Again... are we going to address that or just keep beating the dead horse of "Apple bad"? I'm just saying. There are far more unsecured Android handsets out in the wild and yet that always gets brushed under the rug because of this ongoing narrative.

 

Edit:

And don't get me started on ChromeBooks and ChromeBoxes. For what is supposedly an extremely lightweight OS that is essentially just a Chrome browser... there is literally no excuse for those to be out of support after 4 years. It's a bloody web-browser. It's not like the same core hardware within these devices aren't running Windows or Linux somewhere else which supports the latest version of Chrome. 

And yet another example of someone going "BUT GOOGLE" when that doesn't even apply here, every time news comes up about apple people have to come in and deflect away from the topic to defend their favorite company.

Also I think a low end phone getting 4 years of updates is decent, it's definitely better than most lower end phones, and if you want to keep using an old Android phone you could install Lineage OS.

As for Chromebooks, I think those should be supported for more than 4 years, although other competitors doing sh*tty things doesn't excuse apple to be misleading with OS support and not providing the same updates.

On 10/28/2022 at 7:44 AM, Dracarris said:

That is as well factually wrong for the same reasons. Every device will receive security patches for the respectively last supported OS.

"Dropped OS support" only means new macOS generations won't be available for said devices, the old generations will still receive security updates.

 

Also, it looks like you forgot to reply to me (twice) in the other thread where you claimed phones are built to break and be replaced after 2 years.

 

Except this news article says otherwise, devices running older version of iOS or mac OS aren't getting the same security updates even though they could be. For example if you're on iOS 15 or mac OS 12 you aren't going to get the same patches as you would on iOS 16 or mac OS 13, which isn't good, especially for those on older mac books that can't be updated to mac OS 13.

But on Windows, the older versions get the same updates, Windows 10 gets the same updates as Windows 11, and Microsoft officially supports their OS for 10 years, apple dropped support for the 2016 macs after 6 years, that's probably ancient to mac users but it's unacceptable for an expensive system that is supposed to be a "premium" experience.

And for the whole non-repairable phone topic, not sure if you're looking for some gotcha here but it's really obvious, batteries in phones usually start to noticeably degrade after 2 years, and most people aren't going to go to the trouble of having someone replace it.

1 hour ago, wanderingfool2 said:

and yes IOS 15 is supported still (they keep pushing updates). If the claim is as soon as they release IOS 16 that IOS 15 falls out of support then they should be clear about that, but they still issue "updates" which are vague enough that most people think they are still getting the relevant patches.

updates? plural? they pushed ONE singular update to IOS 15 since IOS 16 came out, and it was a security update.
When major IOS revisions come out, it is uncommon that old versions get updates outside of rare security fixes. 

People keep saying windows gets updates... YES on supported operating systems. Windows 7 isn't getting any updates anymore, Windows Vista isn't getting updates anymore.
On rare occasions when a CVE exists that is damaging, they may go back and push an update, I recall them doing that for xp/vista/7 a while ago.

Apple has done this as well, they did it for IOS12.

So the only way we can defend apple not applying known security fixes to devices that Apple's supporter base would lead you to believe are still supported, is to take a subjective user experience and make out like it is an absolute without exception and then claim it is fine for apple but not for MS (not that they even do it).

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

7 hours ago, wanderingfool2 said:

The wording is quite clear that Apple chooses not to always update security issues on older IOS's that are still supported (and receive some security patches). 

Source on Apple not releasing security updates and it not being similar to what Microsoft does when they withhold new security features from older versions (like they do with Smart App Control)?

I know they sometimes post updates later for older versions, but that is very different from not posting at all, which is what is being implied by you and several other people in this thread.

7 hours ago, wanderingfool2 said:

Windows 10 gets a patch, but doesn't include a security fix that was already fixed in Windows 11.

Windows 10 patches also don't include some security updates that exist for Windows 11. I have already given an example of this, which is Smart App Control.

Smart App Control is a pretty good example because it is in fact:

1) Security related.

2) Was not launched with Windows 11 but rather is included in a patch.

3) Is a security feature that will not be made available to Windows 10, despite it technically being possible.

 

There are plenty more examples but I will try and stick to one to avoid confusion.

 

 

 

7 hours ago, wanderingfool2 said:

If you can't figure out that this is exactly what everyone is arguing is a stupid policy by Apple (AS IT IS A SUPPORT OS where they leave a vulnerability unpatched) then you obviously don't know much about security.  People can look up the CVE, look at patches from new iOS and use that information to create an attack vector for the supposedly supported older version.

I can't actually find any support cycle documentation for iOS. Are we even sure Apple classifies iOS 15 as "supported"?

And I do know a lot about security. It is a very big part of my job. I know how CVE's work. But security is not black and white. Just because something has a CVE does not mean everyone is vulnerable and it has to be fixed instantly or else the world goes under.

There are a lot of "ifs" in your posts and so far there has not been a single example provided of this actually being a real issue. Do you have any links to a known CVE that was not fixed by Apple in an older version of iOS that resulted in a significant attack happening?

I feel like you are talking a lot about theoretical issues while I try and bring the discussion to reality.

46 minutes ago, mr moose said:

So the only way we can defend apple not applying known security fixes to devices that Apple's supporter base would lead you to believe are still supported, is to take a subjective user experience and make out like it is an absolute without exception and then claim it is fine for apple but not for MS (not that they even do it).

I don't think you understand what this topic is about.

 

This entire topic exists because Apple has some vague wording that is open to interpretation about how they support older versions of their OSes.

In practice, the only thing we have to point to is that sometimes, older versions of the OS get security updates a bit slower than the newer version of the OS. That's it. So far, we have zero evidence of Apple actually not posting security updates at all to older versions of the OS, just that it has sometimes happened a bit later.

If we decide to read the policy in the worst possible way, then the exact same thing applies to Microsoft.

Microsoft also withholds security updates from older versions of Windows, even those still under support. Microsoft recently published an update to Windows 11 that lets it analyze the behavior of a program and block it if it seems to be malicious. That security update will not be published to Windows 10. It is exclusive to Windows 11. This most likely falls under a similar policy from Microsoft where they say they do not have to provide all security updates to older versions of Windows if they don't feel like it, because of complications with implementing the update in older versions.

So that is one way of interpreting this news article.

Is adding a new feature an "update" or are updates just changes to existing software components? It is 100% a question of interpretation. You can choose to interpret it a certain way, and whichever way you choose determines if Apple and Microsoft are guilty of doing the same thing.

 

 

But as I said earlier:

On 10/29/2022 at 8:33 PM, LAwLz said:

At the end of the day, what matters is keeping users secure. That is the only absolute most important thing in this discussion. One method of keeping their users safe does not necessarily work for a different company selling different products for different purposes. Not all companies can or should act precisely the same way.

 

Just because one company can keep 90% of their users safe by using one policy does not mean we shouldn't give another company a free pass to do the same if it would result in over 75% of their users being vulnerable. What matters is how close to 100% that number is.

 


2 minutes ago, LAwLz said:

I don't think you understand what this topic is about.

 

This entire topic exists because Apple has some vague wording that is open to interpretation about how they support older versions of their OSes.

In practice, the only thing we have to point to is that sometimes, older versions of the OS get security updates a bit slower than the newer version of the OS. That's it. So far, we have zero evidence of Apple actually not posting security updates at all to older versions of the OS, just that it has sometimes happened a bit later.

 

If we decide to read the policy in the worst possible way, then the exact same thing applies to Microsoft.

Microsoft also withhold security updates from older versions of Windows, even those still under support. Microsoft recently published an update to Windows 11 that lets it analyze the behavior of a program and block it if it seems to be malicious. That security update will not be published to Windows 10. It is exclusive to Windows 11. This most likely falls under a similar policy from Microsoft where they say they do not have to provide all security updates to older versions of Windows if they don't feel like it, because of complications with implementing the update in older versions.

 

So that is one way of interpreting this news article.

Is adding a new feature an "update" or are updates just changes to existing software components? It is 100% a question of interpretation. You can choose to interpret it a certain way, and whichever way you choose determines if Apple and Microsoft are guilty of doing the same thing.

 

 

But as I said earlier:

 

There is a difference between security features and security updates. Fixing a security hole is something that any supported device should get regardless of who makes it or how many newer versions there are. That's what consumers are led to believe when they are told that it is supported. Features on the other hand I don't really care if Apple don't give you new features on an older OS, security or otherwise. I never expected MS to release Defender for ME or 98SE for example, I don't expect Apple to release new features to old versions either, want the new features then upgrade to the new OS version.

This article reads to me (and clearly quite a few others) that it is security patches and updates that are being withheld, not features. It is even claimed in the article that Apple said "that only devices running the most recent major operating system versions should expect to be fully protected". That reads to me like they know they are not patching older OS versions with all the security patches.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


7 minutes ago, mr moose said:

There is a difference between security features and security updates. 

According to you. Are you sure both Apple and Microsoft agree on that, and that both use the same definitions and interpretations as you? Because what you think doesn't really matter. What matters is what the ones writing these policies and following them think.

 

9 minutes ago, mr moose said:

That's what consumers are led to believe when they are told that it is supported.

Are they really told that it is supported? Again, I couldn't find any official statement from Apple regarding that.

 

9 minutes ago, mr moose said:

This article reads to me (and a clearly quite a few others) that it is security patches and updates that are being withheld not features.

Yes, it seems like a lot of people interpret it that way, but maybe we should take a minute and think about if that is how it should be interpreted. Maybe multiple people are misinterpreting it incorrectly?

If that is the case then the issue might be the way the policy is worded, but that is a very different conversation compared to "Apple are willingly letting devices be vulnerable because they don't care!"

 

 

12 minutes ago, mr moose said:

It is even claimed in the article that apple said "that only devices running the most recent major operating system versions should expect to be fully protected".  That reads to me like they know they are not patching older OS versions with all the security patches. 

Yes that is one way to interpret it. Another way to interpret it might be "only the latest major OS version has all the newest security features that help protect your device".

If we for example take Windows 10 vs Windows 11 as an example, Windows 11 has some exclusive features that protect the OS from certain types of attacks. As a result, it would be absolutely true and correct to say that only Windows 11 users should expect to be fully protected. Some attacks that Windows 10 is vulnerable to are not an issue on Windows 11.

Anyway, I still think that when it comes to security the important thing is keeping people safe. That is what matters. Theoretical issues can be interesting to talk about, but if people are protected in practice then I don't see any reason to change things. Would it be better if iOS 15 got all the stuff iOS 16 got? Yes. But if almost everyone jumps on iOS 16 instantly then in practice it doesn't matter, since people are protected anyway. That is where I think the comparison between Windows and iOS breaks down. What works for Apple might not work for Microsoft.

What we should judge the companies based on should be "how many users are they protecting and from what are they protected". Not "let's compare wordings in a piece of paper".


4 minutes ago, LAwLz said:

According to you. Are you sure both Apple and Microsoft agree on that, and that both use the same definitions and interpretations as you? Because what you think doesn't really matter. What matters is what the ones writing these policies and following them think.

 

Are they really told that it is supported? Again, I couldn't find any official statement from Apple regarding that.

 

Yes, it seems like a lot of people interpret it that way, but maybe we should take a minute and think about if that is how it should be interpreted. Maybe multiple people are misinterpreting it incorrectly?

If that is the case then the issue might be the way the policy is worded, but that is a very different conversation compared to "Apple are willingly letting devices be vulnerable because they don't care!"

 

 

Yes that is one way to interpret it. Another way to interpret it might be "only the latest major OS version has all the newest security features that help protect your device".

If we for example take Windows 10 vs Windows 11 as an example, Windows 11 has some exclusive features that protect the OS from certain types of attacks. As a result, it would be absolutely true and correct to say that only Windows 11 users should expect to be fully protected. Some attacks that Windows 10 is vulnerable to are not an issue on Windows 11.

Anyway, I still think that when it comes to security the important thing is keeping people safe. That is what matters. Theoretical issues can be interesting to talk about, but if people are protected in practice then I don't see any reason to change things. Would it be better if iOS 15 got all the stuff iOS 16 got? Yes. But if almost everyone jumps on iOS 16 instantly then in practice it doesn't matter, since people are protected anyway. That is where I think the comparison between Windows and iOS breaks down. What works for Apple might not work for Microsoft.

What we should judge the companies based on should be "how many users are they protecting and from what are they protected". Not "let's compare wordings in a piece of paper".

So you're turning this into a game of semantics? It's pretty simple, when Apple or MS use the words security and support in the same paragraph with reference to a product, it is more reasonable to assume you are receiving complete security with said support than it is to stop and question the motive of the guys writing the policy. Hell even their ads will leave you believing that no one can mine your data if you use an iPhone. But we all know that isn't the case.

I'm going to say it is way more reasonable to assume the average consumer believes they are receiving all the necessary security updates on their device because that is what marketing infers. Semantics be damned. If we don't hold companies accountable to what is right and let them play semantics then we just open the doors to more shit experiences.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


21 minutes ago, mr moose said:

So you're turning this into a game of semantics?

Yes, because this entire thread is about semantics.

The entire thread is based on "Apple said X and this is how we interpret it". I am questioning if people are interpreting it correctly, and how much of an actual impact this has on their products.

This entire news topic is literally about which word Apple has chosen to use in their policy. Of course semantics is relevant.

 

 

23 minutes ago, mr moose said:

It's pretty simple, when apple or MS use the words security and support in the same paragraph with reference to a product, it is more reasonable to assume you are receiving complete security with said  support than it is to stop and question the motive of the guys writing the policy.

In that case Microsoft are just as guilty as Apple, because Microsoft also withhold security related updates from older versions of Windows.

Windows 10 did not get the update that included Smart App Control for example. Windows 10 users do not have "complete security" because it is missing security features that Windows 11 has gotten in updates.

 

 

24 minutes ago, mr moose said:

I'm going to say it is way more reasonable to assume the average consumer believes they are receiving all the necessary security updates on their device because that is what marketing infers. 

As long as they keep installing the latest software that is made available, this is the case. Both for Microsoft and Apple.

 

26 minutes ago, mr moose said:

If we don't hold companies accountable to what is right and let them play semantics then we just open the doors to more shit experiences. 

But I am holding them accountable. Their current policy works really well. What matters is how many people are vulnerable, and in that regard Apple is far and away the market leader.

Do you agree that at the end of the day what matters is how many people are running an OS with known vulnerabilities? If Apple are able to achieve a higher percentage of fully protected customers than let's say Microsoft, does it really matter which precise wording they have in their policy?


2 hours ago, LAwLz said:

Windows 10 patches also don't include some security updates that exist for Windows 11. I have already given an example of this, which is Smart App Control.

Smart App Control is not a security update, it's a new operating system feature.

 

Even if it were added to Windows 10 it would be categorized as a Feature Update not a Security Update.

 

At least when it comes to Windows patch management these update types and classifications do matter since automated patch management cycles are often configured to only automatically approve Security Updates.

 

I know you in a past post described it more like this so what I would suggest is to not call it a Security Update because it isn't and wouldn't be.

 

Also if I may say, if an operating system is still under official support, not in Extended Support, not in some kind of End Of Life status, then a delay in releasing a Security Update isn't acceptable. Even then all Windows operating systems under these statuses receive the same Security Updates at the same time.

 

So I'd have to say Apple's supported operating system statuses are a bit wishy washy if they aren't at least able to hold the same standard as Microsoft.

 

Also the other problem here is that if someone just prefers XYZ version of macOS or iOS and chooses not to update to the latest major version then it's rather unfair to withhold and significantly delay security updates to them. What about all those people that preferred Windows 7 and stayed on Windows 7 while it was supported instead of upgrading to Windows 10? It's acceptable that Apple is allowed to 'remove' choice and preference on what you 'should' use even though every choice is a supported choice?

 

Anyway I don't find what Apple is or has been doing as particularly egregious but it's still deserving of some criticism. 

 

Edit:

Also someone correct me if I'm wrong but Apple doesn't have operating system support lifecycles because their support is based off hardware devices. There is a generally understood norm based on past outcomes of support but the reason there is no written and fixed support matrix of the operating systems specifically is because everything is struck on device support only. Could be wrong though but that's my understanding of how Apple does support. Not counting exceptions like iOS 12 WebKit.


6 hours ago, Blademaster91 said:

Except this news article says otherwise, devices running older versions of iOS or macOS aren't getting the same security updates even though they could be. For example if you're on iOS 15 or macOS 12 you aren't going to get the same patches as you would on iOS 16 or macOS 13, which isn't good, especially for those on older MacBooks that can't be updated to macOS 13.

You still don't get it. Every device will get full security patches on the last available OS for that device. That's currently mostly iOS16, 15, and 12. Only if you could upgrade to a newer supported OS on a given device you would possibly miss out on some updates. Possibly, some.

6 hours ago, Blademaster91 said:

But on Windows, the older versions get the same updates, Windows 10 gets the same updates as Windows 11, and Microsoft officially supports their OS for 10 years, Apple dropped support for the 2016 Macs after 6 years, that's probably ancient to Mac users but it's unacceptable for an expensive system that is supposed to be a "premium" experience.

Because Windows 10 and 11 are totally comparable to macOS which gets a major release every single year. For a long stretch MS had to exactly support one major OS version, which was Windows 10. Now go ahead and count how many macOS releases are currently supported by Apple.

6 hours ago, Blademaster91 said:

And for the whole non-repairable phone topic, not sure if you're looking for some gotcha here but it's really obvious, batteries in phones usually start to noticeably degrade after 2 years, and most people aren't going to go to the trouble of having someone replace it.

Aaaaah there we have it again: The famous:

Quote

most people

from Mr. Blademaster. Source, dude trust me?

I can ask you for the millionth time on this forum to come up with any proof for that bold statement and you will fail to do so for the millionth time.

But sure

Quote

most people

will go: "Oi mate, I bought this 1000$ phone two years ago. Now the battery seems to start degrading a bit. Let me throw it into landfill and buy a new 1000$ phone because that makes so much sense. Going to a repair store or selling the phone 2nd hand? No mate, why would I do that?"

This whole narrative of yours makes zero sense. In the other thread I gave you numerous examples for phones that were in usage for much longer than 2 years with their original battery and even more so after a swap.

 

The average Joe isn't as utterly stupid as you think or want them to be. The possibility of going to a repair shop and having your battery replaced for 30-50$ is not exactly a secret anymore or sth only tech insiders know. The latter can do these things even at home, both for themselves and friends and family. Things you like to deny to stay within your narrative.


17 minutes ago, Dracarris said:

For a long stretch MS had to exactly support one major OS version, which was Windows 10. Now go ahead and count how many macOS releases are currently supported by Apple.

What? No?

 

Quote

What are the coverage dates for the three Windows 7 ESU SKUs?
Windows 7 Extended Security Updates 2020: January 14, 2020 - January 12, 2021
Windows 7 Extended Security Updates 2021: January 13, 2021 - January 11, 2022
Windows 7 Extended Security Updates 2022: January 12, 2022 - January 10, 2023

 

Quote

Windows 8.1 reached the end of Mainstream Support on January 9, 2018, and will reach end of Extended Support on January 10, 2023.

 

Windows Server 2008 R2: [image]

Windows Server 2012 R2: [image]

 

This is also without getting in to the complicated matters of things like Windows 7 Embedded etc which can have different, longer dates.


1 hour ago, leadeater said:

Smart App Control is not a security update, it's a new operating system feature.

This is why it is such a bad idea to try and compare the language from different companies and trying to draw parallels. Different companies may classify things differently. This is especially true when it comes to rather vague things which is what Apple uses in this case.

Is an update that increases security by adding a new feature a security update? Do you need to install that update in order to, in the eyes of the company providing it, have "full protection"?

 

Again, this is why it is a dumb idea to try and compare the language Apple uses with the language Microsoft uses. Their policy, products and terminology are just so drastically different that we just end up in a bunch of arguments regarding semantics.

 

In Microsoft's language, it might be called a "feature update", but are we 100% sure the same applies to Apple's language?

When Apple says "fully protected", are we sure that Microsoft and Apple classify the same things as "fully protected"? What if by "fully protected" Apple means having access to all security features? What if Microsoft classifies you as "fully protected" even though you lack some security features?

1 hour ago, leadeater said:

So I'd have to say Apple's supported operating system statuses are a bit wishy washy if they aren't at least able to hold the same standard as Microsoft.

What standards are we holding Microsoft to exactly?

Releasing the same security updates (which we define as patches to existing software components but not patches that introduce new features) to all compatible devices at the same time?

Because that feels like something very different from what the people I have been having debates with throughout this thread have been saying. 

 

Would you say an appropriate solution to this whole debate would be for Apple to simply delay the security updates to the newest OS until it is finished for the older OS? Because that is essentially what Microsoft does, except Microsoft's update system is a lot more flexible so it doesn't take them as long to apply one fix to a different version of the OS. 

 

1 hour ago, leadeater said:

Anyway I don't find what Apple is or has been doing as particularly egregious but it's still deserving of some criticism. 

I also think it deserves some criticism. But I think the amount of criticism from some people, and the way people have argued it shows a lack of understanding of the subject and actually distracts from the core issue.

I am not sure if English has a saying for this, but in Swedish we have a word called "fultolka". It basically means "deliberately trying to find a negative way of interpreting something", and I feel like a lot of people are doing that in this thread, and in threads on this forum in general. I've heard some people say "like the devil reading the bible" but I am not sure that conveys the same meaning.

 

Is Apple's policy good? No, I think it is bad.

Does this mean Apple has now confessed to being evil and willingly withholding security updates for older devices and a ton of people are vulnerable? No it doesn't. I have repeatedly asked for sources that prove that Apple are actually doing what people are accusing them of doing, and so far there have been 0 instances brought up.

What a piece of paper might say is important, but what actually matters is actions. And so far, Apple's actions have proven to be really good in terms of security. Maybe not perfect, but not that far from it either. 

 

Security issues in an OS only matter if people actually run that OS, and for the most part people are running the OS version that has full protection, at least when it comes to iOS.

As soon as we start talking about the actual practical implications of this, the whole conversation basically dies and then it goes back to a bunch of "what ifs" which is kind of annoying.

 

1 hour ago, leadeater said:

Edit:

Also someone correct me if I'm wrong but Apple doesn't have operating system support lifecycles because their support is based off hardware devices. There is a generally understood norm based on past outcomes of support but the reason there is no written and fixed support matrix of the operating systems specifically is because everything is struck on device support only. Could be wrong though but that's my understanding of how Apple does support. Not counting exceptions like iOS 12 WebKit.

This seems to be the case. I tried looking up which iOS versions are "supported" by Apple since a lot of people claim that Apple officially supports version X, Y and Z, but so far I haven't been able to find anything that indicates that their support cycle is anything close to the one Microsoft has. Which, again, makes the whole comparison stupid.

You can't compare apples and oranges and then be mad when they aren't exactly the same in certain ways. Apple vs Microsoft comparisons are stupid when it comes to wording in their update/upgrade policies.

They use different terminology when referring to things which makes any attempt to compare wording meaningless.

They deliver updates differently.

Their users behave differently and thus need different "rules".

Their OS lifecycle is completely different and therefore any attempt to copy/paste one to the other would fail.


29 minutes ago, LAwLz said:

Would you say an appropriate solution to this whole debate would be for Apple to simply delay the security updates to the newest OS until it is finished for the older OS?

The acceptable solution would be to be able to do what Microsoft does, anything serious and disclosed patched within a month for every supported operating system. I get that it could be debatable whether or not Microsoft delays updates due to older supported operating systems but at least when a vulnerability goes public anything supported gets updates at the same time. When a vulnerability becomes known to Microsoft, however this becomes known, it is certainly not always patched within a month which is why I mention it's going to be difficult to say whether or not delays to the latest operating system happen due to the older ones. It's likely this has happened but anything more than this is getting really speculative.

 

Does this happen with Apple as consistently as Microsoft? I don't really follow things like iOS security updates much at all so I couldn't comment on specific deficiencies there other than to point back to articles like here and comments from people more in the know quoted in them.

 

Either way as it stands for this story and what's been claimed Microsoft is doing a better job than Apple from the point of public disclosure of vulnerabilities. Does Microsoft actually really matter specifically? Not really. It's a good comparison but regardless if something is "supported" and a vulnerability is disclosed then it should get equal treatment and time frame for every supported device no exceptions. Anything less is a deficiency, surely you'd have to agree. How much it really matters? 🤷‍♂️ 

 

Apple's support model is fundamentally different, Microsoft is based on software and like I mentioned in my edit I believe Apple's is based on devices.

 

Edit:

Also Microsoft support status requirement for Windows 10 Feature Releases is garbage and I hate it. You can be left out of support quickly and easily, and without knowing it. Prior to Windows 10 21H2 that could happen in as little as 1 year, wtf.
