
Apple policy document admits withholding security fixes for devices not on the latest supported OSes

AlTech
2 hours ago, wanderingfool2 said:

Apple saying they might not do it is a major issue.  [Even if hypothetically they didn't]

Yes, I agree.

But there is a VERY big difference between "they might hypothetically do X" and "they are doing X". 

You have repeatedly said "they are doing X", and every single time I have asked for a source you have come back with "they might hypothetically be doing it".

I am once again asking for you to provide evidence of them actually doing it, not just evidence that they might be doing it.

 

By the way, "they sometimes delay updates for older OSes" is very different from "they don't update it at all", which is what you have been implying several times in this thread. That is another issue I've had with your posts.

 

 

What you have been saying or implying several times: "Apple doesn't patch older OSes at all".

What is actually happening: "Apple might not patch older OSes, but so far it seems like they always do, except sometimes with a slight delay".

 

Two very different things, and the former is a significantly bigger issue than the latter. Which is why I am trying to clear up the confusion, because a lot of people, including your earlier posts, seem to suggest that people believe the former is true. It isn't. It's the latter that is true.

 

 

 

2 hours ago, wanderingfool2 said:

No, I'm not wrong in my previous posts.  I will state this.  Apple supports it.  It's foolish to say otherwise.  They are releasing some security patches and features, which means it's supported.

Just because you say something is supported does not mean it is supported.

Just because you feel like something means it is supported does not mean it is supported.

What matters is what the company says their support policy is.

 

Microsoft released the EternalBlue patch for Windows XP in I believe 2019. Does that mean XP was supported until 2019? No, it doesn't. It was not supported, yet it got a security update.

Getting updates != Is supported.

 

What is and isn't supported, how support is handled and what it entails varies from company to company, and product to product. 

 

 

2 hours ago, wanderingfool2 said:

It's a stupid comparison to try pointing to a different company and saying that they are "worse".  That doesn't excuse bad behavior of a company.  Again, Android is terrible when it comes to updates, but that doesn't excuse Apple from doing inexcusable stuff.

I completely agree that it is a stupid comparison. That is exactly why I have been trying to say it is stupid to compare Microsoft vs Apple in regards to support policies. Because their products are very different, their support cycles are completely different, their user expectations and behavior are very different, and the list goes on.

I completely agree that it is a ridiculously stupid comparison. So can you please stop making it?

 

Comparing Apple vs Microsoft in terms of policies is like comparing apples and oranges. It just doesn't work. They are way too different in very significant ways.

 

 

2 hours ago, wanderingfool2 said:

And I will keep telling you.  READ THE ARTICLE THAT YOU TOLD ME TO READ because you seem to not have read or understand it at all.  Here's a hint.  It's in that article. So stop with the stupid, no one is providing sources.  If you don't bother to read.

I have read it. You are just not providing a source for what I am asking.

I am asking you question A and you are responding with an answer to question B.

 

I am not asking for evidence that Apple might not release updates. I am asking for specific examples of them not releasing updates. "It has happened in the past" is not what I am asking for either, because that is not specific. I am asking for something along the lines of "the CVE with number XYZ was patched in iOS version X, but it was not patched in the earlier version".

That is what I am asking for.

I am not asking for a quote saying "Apple may do this". I am asking for evidence of it actually happening.

I am not asking for a quote saying "Apple has delayed an update in the past but we won't tell you which one". I am asking for specifically which security vulnerability they didn't patch, and I want examples of it not being patched at all since that is what many people are saying Apple does. People, including you, have at several points in this thread said that Apple doesn't patch security issues in older versions. "not patching" is not the same as "patched it a bit later". Not doing something, and doing something later, are two very different things.

 

 

 

2 hours ago, wanderingfool2 said:

Again, if Apple wants to claim that iOS 15 isn't supported then they should be releasing information in regards to this.  If they are issuing updates for it, and haven't issued an EOL, then YES it very much is considered supported.

I guess that depends on how you look at it.

You seem to be under the impression that something is supported until a public statement is made that it is no longer supported. That is not the case. Something is supported only when a company says it is supported.

A product being supported is not something to take for granted. Support is always explicitly declared, not implicitly declared.

 

In the case of Apple, it seems like they make no statements about the support of their OSes. They only seem to make support statements regarding the hardware, and the hardware support seems to be contingent on you installing the latest version of the software.

We are once again back to this whole "I expect everything to work like with Microsoft" mentality. Apple's support does not work the same way it does with Microsoft. Microsoft's way of doing support is not the industry standard either by the way.

I feel like there is a lot of "baby duck syndrome" going on in this thread. 


iOS 15.0.2 fixed CVE-2021-30883 and came out on October 11, 2021.
iOS 14.8.1 fixed CVE-2021-30883 and came out on October 26, 2021.

which is this bug:
https://saaramar.github.io/IOMFB_integer_overflow_poc/

 

Now here is the thing though, ALL Apple devices that can run iOS 14 can run iOS 15. There was never a reason anyone was still on iOS 14 except for a handful of devs. Putting it into a fix for iOS 15 and all the testing and validation that requires was high priority. iOS 14 testing and validation could always wait, because the real answer for normal end users was not branching iOS 14 but to update to iOS 15.

Like there is this weird assumption in this thread by some that iOS N+1 isn't the security patch for iOS N. For Apple devices it is. You don't have servers running on this operating system that need or want LTSC versions of any OS. Updating is free, so it's not like Windows of old where you had to pay for a Vista or Windows 7 license. The differences between major iOS revisions are like the differences between major Windows 10 builds, which is why I think some people are way too hung up on a number.

If a user refuses to update the OS on a supported device, that is not really Apple's problem, because they gave you the solution/security patch already; that user is just refusing to download it because N+1.

More often than not, as soon as iOS N+1 is released, iOS N is a dead OS outside of specific instances. Sometimes the new N number is just to point out that, from here forward, X phone is no longer supported.


4 minutes ago, starsmine said:

iOS 15.0.2 fixed CVE-2021-30883 and came out on October 11, 2021.
iOS 14.8.1 fixed CVE-2021-30883 and came out on October 26, 2021.

which is this bug:
https://saaramar.github.io/IOMFB_integer_overflow_poc/

 

Now here is the thing though, ALL Apple devices that can run iOS 14 can run iOS 15. There was never a reason anyone was still on iOS 14 except for a handful of devs. Putting it into a fix for iOS 15 and all the testing and validation that requires was high priority. iOS 14 testing and validation could always wait, because the real answer for normal end users was not branching iOS 14 but to update to iOS 15.

Like there is this weird assumption in this thread by some that iOS N+1 isn't the security patch for iOS N. For Apple devices it is. You don't have servers running on this operating system that need or want LTSC versions of any OS. Updating is free, so it's not like Windows of old where you had to pay for a Vista or Windows 7 license. The differences between major iOS revisions are like the differences between major Windows 10 builds, which is why I think some people are way too hung up on a number.

If a user refuses to update the OS on a supported device, that is not really Apple's problem, because they gave you the solution/security patch already; that user is just refusing to download it because N+1.

More often than not, as soon as iOS N+1 is released, iOS N is a dead OS outside of specific instances.

Completely agree.

But I also think that Apple should make this more clear. Correct me if I am wrong, but I think that if you are on iOS 15 and both iOS 15.1 and iOS 16 are available for your device, it will be the iOS 15.1 update that is displayed at the top, with iOS 16 being slightly further down the page.

 

I can totally see people staying on iOS 15 or longer because of this design, and if iOS 16 is better security wise then that is the version that should be encouraged, especially if the move from iOS 15 to iOS 16 isn't that jarring to users.

 

 

I do want to note that this is a completely different argument than what the people I have argued with throughout the thread have been making.

 

I would also like to add that this hasn't really been an issue before because as far as I know (correct me if I am wrong), users didn't use to have the option to install for example iOS 15.1 if iOS 16 was available. The phone would always grab the latest version when checking for updates. I think the iOS 15 upgrade was the first one that let users choose.


On 10/31/2022 at 1:47 AM, starsmine said:

updates? plural? They pushed ONE singular update to iOS 15 since iOS 16 came out, and it was a security update.

Two, actually. iOS 15.7 shipped all patches that iOS 16 gave, and iOS 15.7.1 shipped all patches that iOS 16.1 gave (with one exception, iOS 15.7.1 does not include the mitigation that prevents all use-after-free bugs). I believe this is due to the cryptex functions added in iOS 16 though I'm probably wrong.

"But why not add cryptex to iOS 15?" Because it would require reworking a fair bit of iOS 15.

 

Also, one thing to remember about iOS 12 is that Apple still released security updates regularly for it for two years.

elephants


8 hours ago, LAwLz said:

You have repeatedly said "they are doing X", and every single time I have asked for a source you have come back with "they might hypothetically be doing it".

I am once again asking for you to provide evidence of them actually doing it, not just evidence that they might be doing it.

Again, you don't get to call me misreading things and trying to argue when I have quoted literally where a security researcher says it.

 

Since you don't bother reading and understanding, I've bolded the guy's name, the bit where they say updates come months after the fact (and yes, providing security updates months later I consider not patching a security issue, because I've quite clearly said that a security update isn't provided when they release one on the newer one).  You are arguing in completely bad faith here and being intentionally obtuse.

Quote

This confirms something that independent security researchers have been aware of for a while but that Apple hasn't publicly articulated before. Intego Chief Security Analyst Joshua Long has tracked the CVEs patched by different macOS and iOS updates for years and generally found that bugs patched in the newest OS versions can go months before being patched in older (but still ostensibly "supported") versions, when they're patched at all.

So there is the quote where a security researcher has done it.  So much for all that "hypothetically" that you keep saying I am quoting.  It's stupid to try arguing against a quote of Apple saying they could do it when in the same article it says that Apple does it.  You keep asking for sources and you keep ignoring the fact that the article has all the information.

 

But since you can't be bothered to read and follow the clear link in the article:

CVE-2021-30869 [Known about at Apple since Feb] - Privilege escalation

macOS Big Sur update (Feb)
macOS Catalina update (Security update Sep, one month after Google disclosed it to them)  Google "discovered" it because it was actively being used in the wild, so they analyzed it.  Their failure to apply the same security patch led to a zero-day.

 

8 hours ago, LAwLz said:

I feel like there is a lot of "baby duck syndrome" going on in this thread. 

I think you are the one who has it.  What is comical is that you haven't even clued in that iOS is just the vessel for explaining how things are messed up, as this applies to all Apple OSes.

 

Do you seriously think it's acceptable to release a security update for one OS and not the other (talking about individual ones so people still think they are getting security updates as some are patched).  At about the one month mark of them releasing a new OS, they issue an iOS update as well (but fail to include security fixes they know exist)...despite there on average being a 23% adoption rate at the 3 week mark.  Even making it 6 weeks with the trend it would be maybe 50%.  That implies that any security update they fail to fix would put 50% at risk by not providing updates in a timely manner.

 

Things only get worse when you look at the macOS side of things, as you now have at least a full year of overlapping support.

 

3735928559 - Beware of the dead beef


I've learned two things from this thread: I'm exceedingly glad I don't have an Apple device anymore, if only because I doubt I could figure out OS versions vs security update eligibility.

 

The second thing: Apple is really polarizing. Like, really really polarizing.

 

I personally do not support Apple, and never will, and I will always encourage others to consider alternatives to Apple, whenever asked for advice, but I won't be a jerk and force someone to not use Apple devices.

 

As for the topic... I'm not really sure here: Is Apple withholding security fixes as a tactic to strong-arm people into buying newer devices, even though they already have the fixes, or are they just entirely not supporting older devices, since they're past support dates?

"Don't fall down the hole!" ~James, 2022

 

"If you have a monitor, look at that monitor with your eyeballs." ~ Jake, 2022


2 hours ago, Sarra said:

As for the topic... I'm not really sure here: Is Apple withholding security fixes as a tactic to strong-arm people into buying newer devices, even though they already have the fixes, or are they just entirely not supporting older devices, since they're past support dates?

Two important things to understand regarding this topic.

1) When people say "Apple are not updating older OSes", what they actually mean is that the updates for the older OS such as iOS 15 may be delayed compared to iOS 16. Both platforms seem to be getting the same updates, just at different times.

 

2) This news seems to apply primarily to devices that are able to upgrade to the newest OS. So this seems to only affect people who willingly choose to not upgrade to the latest OS their hardware supports. In other words, it is not related to trying to force people to buy newer devices, since their device is already supported.


3 hours ago, wanderingfool2 said:

Again, you don't get to call me misreading things and trying to argue when I have quoted literally where a security researcher says it.

But you are clearly misreading several posts here because you still haven't answered my question where I ask for examples of it happening.

Again, just saying "it happens" is not the same as giving evidence of it happening. Apple saying "it might happen" is not the same as evidence of it happening either. Surely you must understand the difference between these three things. Right?

 

 

3 hours ago, wanderingfool2 said:

Since you don't bother reading and understanding, I've bolded the guy's name, the bit where they say updates come months after the fact (and yes, providing security updates months later I consider not patching a security issue, because I've quite clearly said that a security update isn't provided when they release one on the newer one).  You are arguing in completely bad faith here and being intentionally obtuse.

Dude, I am not the one being obtuse. All I have tried to do is make you stop being obtuse.

If I say "Microsoft did not patch EternalBlue", how do you think people would interpret that?

Do you think that they:

1) Read it and think the security issue still exists and that it was never patched.

or:

2) They understand that when I say "they didn't patch it" I actually mean they did patch it, but not during a limited time span that I was thinking of but never conveyed.

 

Do you not understand how "they didn't patch it" and "they patched it but not as quickly" are two very different things? And how saying the former instead of the latter is misleading?

 

 

3 hours ago, wanderingfool2 said:

But since you can't be bothered to read and follow the clear link in the article:

CVE-2021-30869 [Known about at Apple since Feb] - Privilege escalation

macOS Big Sur update (Feb)
macOS Catalina update (Security update Sep, one month after Google disclosed it to them)  Google "discovered" it because it was actively being used in the wild, so they analyzed it.  Their failure to apply the same security patch led to a zero-day.

Thank you for finally posting an example. The type of example I have asked for several times.

By the way I did read the article. But the example you provided was not in the article. The article contained a link to another article which contained a link to the security update you mentioned.


15 minutes ago, LAwLz said:

Thank you for finally posting an example. The type of example I have asked for several times.

By the way I did read the article. But the example you provided was not in the article. The article contained a link to another article which contained a link to the security update you mentioned.

Again, all relevant information was in the original article.  Yes, you can get specific CVEs if you follow the links in the article, but if you actually read the article and UNDERSTOOD it you wouldn't have to ask for a source.  The fact is I quoted multiple times the bit with the security researcher and told you to read the article.  It shouldn't have required me to specifically show you that you can click on the link where it goes into more detailed analysis on it (when the summary was available in the original article).

 

19 minutes ago, LAwLz said:

Dude, I am not the one being obtuse. All I have tried to do is make you stop being obtuse.

If I say "Microsoft did not patch EternalBlue", how do you think people would interpret that?

Do you think that they:

1) Read it and think the security issue still exists and that it was never patched.

or:

2) They understand that when I say "they didn't patch it" I actually mean they did patch it, but not during a limited time span that I was thinking of but never conveyed.

 

Do you not understand how "they didn't patch it" and "they patched it but not as quickly" are two very different things? And how saying the former instead of the latter is misleading?

Yes you are being obtuse and arguing in bad faith.  Apple only fixed a security issue after Google alerted them to it being used in the wild.  They had over 200 days to fix it, and again only patched it once it was being exploited.

 

Do you not read with context sensitivity?  Aside from the fact some might remain unpatched (e.g. if the zero-day hadn't happened after they stopped supporting the OS, do you really think they would have issued a patch?), if you release a security update and don't update the other OS which has the vulnerability until much later then yea, that's by definition leaving it unpatched (it's context sensitive, implying that during the timeframe it's unpatched).  I never said they never eventually patched it, although there likely are examples of that; during a 2 month window they are leaving it unpatched...stop being so pedantic about the semantics.  You are the only one I've seen here who seems to have completely misunderstood the article in question.

 

If Microsoft chose to patch Windows 10 and then release a patch for Windows 7 later on, then updated EternalBlue 200 days later, yea I very much would be calling that Microsoft withholding patches or leaving a vulnerability unpatched.  Again, use context sensitivity when you read.  Saying leaving a vulnerability unpatched doesn't mean it's forever and always unpatched.  It just means that it was left unpatched, even if it was later patched.  e.g. EternalBlue, if it was known about for years (which I do suspect MS might have known about it, but no real proof unless we have another NSA info leak), in this context if I were talking about leaving vulnerabilities unpatched, I would say it would be an example, because if it's known about for an extended time with ample opportunities to fix it, it should be considered leaving it unpatched.  It doesn't matter that it was eventually patched, especially when it's only patched when a zero-day happens.

 

You are trying to argue that it's all about semantics, and that people are wrong...but you seem to fail to grasp how ridiculously stupid Apple policy is (and the fact that they have tried hiding it by not officially mentioning it).

 

The tl;dr: If they know about a vulnerability, patch it in one and wait months to patch it in another, that is considered leaving it unpatched when I have talked about it.

 

So here's the thing, try quoting me where I say it was NEVER patched originally.

 

I'll leave this at this point again.  It's inexcusable for a company like Apple, which tries to pretend they are security minded by advertising such and perpetuating the "more secure" stereotype, to decide not to patch security holes they know about that they are actively patching in another.  They are leaving vulnerabilities unpatched.

2 hours ago, LAwLz said:

Two important things to understand regarding this topic.

1) When people say "Apple are not updating older OSes", what they actually mean is that the updates for the older OS such as iOS 15 may be delayed compared to iOS 16. Both platforms seem to be getting the same updates, just at different times.

Interesting. Android tends to be really slow for feature updates, but security fixes tend to get pushed rapidly. Linux is the same. Windows is more like... "F*** you, you'll get security fixes WHEN WE SAY, no other time, EVER, even if you're in hour 65 of a 66 hour long render project D:<"

 

2 hours ago, LAwLz said:

2) This news seems to apply primarily to devices that are able to upgrade to the newest OS. So this seems to only affect people who willingly choose to not upgrade to the latest OS their hardware supports. In other words, it is not related to trying to force people to buy newer devices, since their device is already supported.

This thread sorta feels like a Nothing-Burger. I mean, in some ways, but not in others? I used to rock a Nexus, so I could get security updates and feature updates rapidly, instead of Samsung, which seemed to take forever and a day to get anything shipped. Now, I'm running a Samsung phone, and it's like... Android 13 launches, but it takes 6 months for my phone to get it. I'm not expecting it, but seriously, if it takes that long to get it, I'd rather just keep getting security updates for Android 12 and forget 13.


2 hours ago, Sarra said:

This thread sorta feels like a Nothing-Burger. I mean, in some ways, but not in others?

Well it's not really nothing.  It puts quite a few systems at a higher risk.  As per the example, the policy allowed for essentially a zero-day to occur.

 

The whole logic of this thread is that if you know a security flaw exists, and you are still updating the system, it is fundamentally wrong to withhold the update from "older" OSes that are still being updated with security updates...which did lead to at least one demonstrable instance being exploited in the wild.

1 hour ago, wanderingfool2 said:

Well it's not really nothing.  It puts quite a few systems at a higher risk.  As per the example, the policy allowed for essentially a zero-day to occur.

 

The whole logic of this thread is that if you know a security flaw exists, and you are still updating the system, it is fundamentally wrong to withhold the update from "older" OSes that are still being updated with security updates...which did lead to at least one demonstrable instance being exploited in the wild.

I get that, and I agree with it, but the reality is that you're talking about a trillion dollar company (Apple) and other multi-billion and trillion dollar companies (Alphabet, Microsoft, Samsung, etc) and their partners (Verizon, T-Mobile/Sprint, AT&T in the US, not familiar with carriers elsewhere in the world), so there is going to be concerns for them beyond preventing zero day exploits. There's also a lot of hubris involved, and general corporate stupidity.

 

Maybe I'm just cynical, but I can't see a trillion dollar company giving too much of a crap about fixing exploits on currently supported-but not brand new hardware, in the same way as they would care about current generation hardware software security. The only thing I can think of that would genuinely motivate a company like Apple, or Alphabet, or Microsoft, is if they get hit by fines by governments, and not 'chump change' amounts. But, again, it's the territory of bureaucracy, and I can't see the United States government, nor the EU, slapping, say, Google, with a 300 million dollar/Euro fine for not fixing a zero-day in a timely manner.

 

Me, personally, I don't like daily driving an older phone that's not currently getting security updates. I watched someone faceroll my old Nexus 6, and all I could do was power it off, then factory reset it, but I had no confidence that someone wouldn't just faceroll it again. Then again, I installed Microsoft Server 2003 on a computer (back in 2003), and someone got in and hosed the system... Over my 24k dialup connection. o.x

9 hours ago, wanderingfool2 said:

-snip-

I think this whole conversation can boil down to you wanting to say "they didn't patch it" while I think that is misleading and it would be more accurate to say "they patched it later".

Can you at least agree that your way of saying this can be misleading and my way of saying it is far more accurate and less likely to give off the wrong idea? 

 

There is a thing called "lying through omission", and I strongly feel that you were guilty of that in previous posts, hence why I replied to you.

Quote
  • Lying by omission, also known as a continuing misrepresentation or quote mining, occurs when an important fact is left out in order to foster a misconception. Lying by omission includes the failure to correct pre-existing misconceptions. For example, when the seller of a car declares it has been serviced regularly, but does not mention that a fault was reported during the last service, the seller lies by omission. It may be compared to dissimulation. An omission is when a person tells most of the truth, but leaves out a few key facts that therefore, completely obscures the truth.

 

In this case, you were leaving out the fact that they did patch it, but that it happened at a later date.

 

 

There are also several other things I object to, such as you saying that the OSes are supported even though that is not how Apple seem to structure their support cycles, but these replies are getting so long I feel like it's best to focus on my biggest objection.


5 hours ago, wanderingfool2 said:

Well it's not really nothing.  It puts quite a few systems at a higher risk.  As per the example, the policy allowed for essentially a zero-day to occur.

 

The whole logic of this thread is that if you know a security flaw exists, and you are still updating the system, it is fundamentally wrong to withhold the update from "older" OSes that are still being updated with security updates...which did lead to at least one demonstrable instance being exploited in the wild.

The only systems at risk are the systems users refuse to patch, with the exception of hardware that is no longer supported by the newest OS.
You had an example of macOS 10.15 -> macOS 11.

The only VALID complaints are people who used
a Mid 2012 - Early 2013 MacBook Air
a Mid 2012 - Mid 2013 MacBook Pro
a Late 2012 - Mid 2014 Mac mini
a Late 2012 - Mid 2014 iMac

 

As they had their support dropped on that transition.... in Late 2020, so they could not upgrade to macOS 11. And it's not that they did not get the patches, it's that going through and validating the security patches became low priority, so it was not completed at the same time as it was on macOS 11; you were still getting security patches on those old machines through this summer. THEY STILL GET THE PATCHES. But they are not going to delay patching the OS that matters a single day to validate it running on an old OS.

So yea, it feels bad for the 6.33 year old Mac mini and iMac.

If you had any newer Macs, like a Mac Pro from Late 2013 on, you were fine, the security patch was macOS 11.

18 minutes ago, starsmine said:

If you had any newer Macs, like a Mac Pro from Late 2013 on, you were fine, the security patch was macOS 11.

I hope you are aware people have chosen not to upgrade to the latest major OS or reverted back to the previous due to the performance not being acceptable. It's become less common now since Apple started putting SSDs in basically everything and increased the minimum memory sold, however that's only very recent comparatively speaking.

 

Additionally I've held back hundreds of Mac devices from the latest version of the OS since when you have a managed environment simply upgrading them isn't possible and/or a smart thing to do as Apple's track record of not massively breaking things to do with device management is extremely, extremely poor.

 

There are many legitimate to personal reasons why anyone may choose not to be on the latest major version of macOS or iOS, and it is simply inexcusable to not release security patches for all supported operating systems at the same time in a timely manner. Saying to do so will cause delays is simply false, or corporate ineptitude, or worse.

 

Apple's support model may be different but that's still not an excuse for doing a substandard job that they can afford to do, should do, and we should ALL expect them to do.

 

The above simply is not unfair criticism, nor is it company bashing or whatever. It is the minimum expectation we should have. Everything else Apple does well, or better, does not make this a non-issue. Good can coexist with the bad.


7 hours ago, LAwLz said:

I think this whole conversation can boil down to you wanting to say "they didn't patch it" while I think that is misleading and it would be more accurate to say "they patched it later".

Can you at least agree that your way of saying this can be misleading and my way of saying it is far more accurate and less likely to give off the wrong idea? 

 

There is a thing called "lying through omission", and I strongly feel that you were guilty of that in previous posts, hence why I replied to you.

Your whole claim is about semantics, yet you are the only one who interprets things wrongly here (as is evident from your multiple "I want sources" when it's lying there right in front of your eyes). The whole thing I'm saying is they are "leaving things unpatched when they release security updates". That's factually true; stop trying to play mental gymnastics by trying to assume it's never patched. If you think that's misleading, learn English, because that is exactly what they are doing. The whole line "they patched it later" is factually false as well (even in the strictest sense). Here's a hint for you: if they knew about a security issue and didn't patch it in the last update the OS receives, it now becomes unpatched forever.

 

7 hours ago, LAwLz said:

In this case, you were leaving out the fact that they did patch it, but that it happened at a later date.

And now you are lying through omission, because this whole topic is about them releasing a security update and leaving it unpatched in it. It doesn't matter whether or not it's patched later... again, it's mental gymnastics that you are doing by dropping the context. There is no point in saying that they MIGHT patch it later. It's factually true to say that when they release a security update they leave some systems unpatched. It's not misleading, as that's literally what people are mad about.

 

5 hours ago, RedRound2 said:

And seriously, this article is just complaining about some wordings Apple used despite the fact that their devices literally get all the updates and security patches the longest.

It's not wording. If you bother to read, you can see Apple's decision has already led to a zero-day before. It's factually wrong to say "gets all the [...] security patches", as they don't; that's the whole point of this article: to try to knock some sense into people like you who hold Apple up on some sort of high horse, as if they can never do wrong.

 

It doesn't matter if they support devices longer than most (they have fewer devices to deal with), and frankly it's only true in the phone market (the crown goes to Linux and Windows for device support).

 

8 hours ago, starsmine said:

they are not going to delay patching the OS that matters a single day to validate it running on an old OS.

They have such a limited number of devices it can run on. They are already running tests for the security patches they already chose to release. So testing it should never be an issue (as they are already running tests for the new update... so adding in a security patch doesn't really add much to testing). There's actually a large chunk of testing that is also automated (or at least it should be with a company that size that specializes in actually writing the OS).

 

8 hours ago, starsmine said:

So yeah, it feels bad for the 6.33-year-old Mac mini and iMac.

If you had any newer Macs, like a Mac Pro from late 2013 on, you were fine; the security patch was macOS 11.

Even by Apple's definition, macOS 10 to 11 would be an upgrade, not a patch. With macOS, while not specifically stated, they perform updates for 2 years.

 

 

That security patch where they left a zero-day occurred roughly 3 months after Big Sur's release... so let's look at the adoption rate of Catalina [not Big Sur's, but we can safely assume a similar adoption rate]:

1st month, October (release month) - 15.6%

2nd month, Nov - 27.4%

3rd month, Dec - 32.7% [this is when the patch "released", based on the 3 months for Big Sur, if Big Sur followed the same adoption rate]

4th month, Jan - 37.7%

5th month, Feb - 40.8%

6th month, Mar - 44.19%

7th month, April - 48%

8th month, May - 50.9% [approx. time that the other patch deployed]

 

I didn't use Big Sur's adoption rate because the metrics people use to track OS versions misidentified Sur as Catalina, so the sites weren't able to track it initially (it dumped into Catalina's stats... but the first 8 months of Catalina's stats are valid, since Sur hadn't been released yet).

 

Anyway, the point is it does affect a ton of people. Even being generous and using the 8th month, that's still roughly 50% who would be vulnerable. In the more realistic case, though, they left 68% of their user base vulnerable to attack. Even when they eventually patched it [because it had become a zero-day that was reported by Google], roughly 50% were still affected at that time.

3735928559 - Beware of the dead beef


11 hours ago, wanderingfool2 said:

It's not wording. If you bother to read, you can see Apple's decision has already led to a zero-day before. It's factually wrong to say "gets all the [...] security patches", as they don't; that's the whole point of this article: to try to knock some sense into people like you who hold Apple up on some sort of high horse, as if they can never do wrong.

I'm sorry, do you for some reason think all iOS updates are bulletproof from the get-go? Are you complaining about a flaw found on some iOS device that was later patched? As LAwLz kept pointing out to you, they do update major iOS versions that dropped support for many devices. iOS 12 and iOS 9 are examples. iOS 14 doesn't get those updates, because all devices running iOS 14 get iOS 15 with those patches.

 

Also, no, stop thinking for some reason that I put Apple on a high horse. Time and time again I have expressed frustrations with Apple, again and again. But this forum has an inherent hatred towards Apple (which can just be seen by the number of Apple threads that get made in the Tech News section - and it's always negative).

11 hours ago, wanderingfool2 said:

It doesn't matter if they support devices longer than most (they have less devices to deal with), and frankly it's only true in the phone market (Crown goes to Linux and Windows for device support).

Number of devices isn't an excuse anymore. Security patches are not UI changes and features. It's not like they have separate code bases for each and every device. Same thing with Windows and Linux. Android, however, is just the manufacturers' sheer incompetence and lack of interest in providing any updates. And frankly, the entire update system there is pretty much broken.


35 minutes ago, RedRound2 said:

Number of devices isn't an excuse anymore. Security patches are not UI changes and features. It's not like they have separate code bases for each and every device. Same thing with Windows and Linux. Android, however, is just the manufacturers' sheer incompetence and lack of interest in providing any updates. And frankly, the entire update system there is pretty much broken.

The number of different types of devices makes a whole lot of difference when it comes to running validation of new updates. You have to ensure that it doesn't have any ripple-down effects (and different devices will have different calls to the internal APIs).

 

36 minutes ago, RedRound2 said:

I'm sorry, do you for some reason think all iOS updates are bulletproof from the get-go? Are you complaining about a flaw found on some iOS device that was later patched? As LAwLz kept pointing out to you, they do update major iOS versions that dropped support for many devices. iOS 12 and iOS 9 are examples. iOS 14 doesn't get those updates, because all devices running iOS 14 get iOS 15 with those patches.

I never said updates are bulletproof. It's stupid, though, to somehow think that patching a security update in one OS and providing "security updates" to another OS but neglecting to.

 

Going to ignore the zero-day that happened, then? What's your magical justification behind that? Like, do you seriously think it's acceptable that Apple pushed a security fix for Big Sur and neglected to fix it on Catalina, despite the fact that likely over 60% of the user base was not on Big Sur? [They only fixed the Catalina one because Google reported it to them, and Google only reported it because they detected it being used to exploit systems.]


19 minutes ago, wanderingfool2 said:

The number of different types of devices makes a whole lot of difference when it comes to running validation of new updates. You have to ensure that it doesn't have any ripple-down effects (and different devices will have different calls to the internal APIs).

Oh, so Microsoft and Linux are definitely running validation of every permutation of hardware in and around the world, right?

And it's a pretty shitty code base when you have too many vastly different API calls between devices for a core-level operating system. I would understand the case when phones and laptops were changing so much YoY, but that definitely should not be the case for at least the past 5 years, when most of the differences between a low-range and a flagship phone are just the pure hardware specifications.

19 minutes ago, wanderingfool2 said:

I never said updates are bulletproof. It's stupid, though, to somehow think that patching a security update in one OS and providing "security updates" to another OS but neglecting to.

19 minutes ago, wanderingfool2 said:

Going to ignore the zero-day that happened, then? What's your magical justification behind that? Like, do you seriously think it's acceptable that Apple pushed a security fix for Big Sur and neglected to fix it on Catalina, despite the fact that likely over 60% of the user base was not on Big Sur? [They only fixed the Catalina one because Google reported it to them, and Google only reported it because they detected it being used to exploit systems.]

They said it will take them some time to roll out to previous versions. And it's not a pattern where they always roll out to the previous version late. iOS 15.7 came out at the same time as iOS 16, and 15.7.1 came out at the same time as iOS 16.1. On Macs, Safari security updates always release at the same time on current and previous versions.

There may be many reasons why there is sometimes a delay rolling out a security update for a previous version. As you said, validation, or maybe the older OS implements that particular feature differently, making it a whole new task to patch it in the first place.

 

Also, tbc, the difference between Apple's and Android's case - Android phones running the latest software don't get timely updates. While for Apple, the delay is usually in an older, technically outdated OS (which btw only happens after at least 4-5 years of ownership of the device, as opposed to 1 year on Android).


9 minutes ago, RedRound2 said:

Oh, so Microsoft and Linux are definitely running validation of every permutation of hardware in and around the world, right?

And it's a pretty shitty code base when you have too many vastly different API calls between devices for a core-level operating system. I would understand the case when phones and laptops were changing so much YoY, but that definitely should not be the case for at least the past 5 years, when most of the differences between a low-range and a flagship phone are just the pure hardware specifications.

Hardware and the backend code that deals with the hardware definitely call the APIs in different ways. They don't do all permutations, but they likely do test it on many different platforms (and even then you sometimes get the infinite reboot cycles, instabilities, etc. that occur with specific hardware).

 

11 minutes ago, RedRound2 said:

They said it will take them some time to roll out to previous versions. And it's not a pattern where they always roll out to the previous version late. iOS 15.7 came out at the same time as iOS 16, and 15.7.1 came out at the same time as iOS 16.1. On Macs, Safari security updates always release at the same time on current and previous versions.

There may be many reasons why there is sometimes a delay rolling out a security update for a previous version. As you said, validation, or maybe the older OS implements that particular feature differently, making it a whole new task to patch it in the first place.

Here's a hint: it's not justifiable as a company policy to release a security update that puts the majority of your users at a higher risk. (Patching a vulnerability that you know exists in other versions that you support is a massive security policy blunder.)

 

Again, how are you even trying to justify them releasing a patch 230 days past the time it was first patched? They only patched it as well because Google essentially forced their hand. This sort of thing is not something that should ever happen, really (or they had better have extremely good cause to). The fact that they fixed it within like 30 days of being alerted to it being used in the wild, though, says to me they just didn't want to bother with it.


4 hours ago, RedRound2 said:

Also, tbc, the difference between Apple's and Android's case - Android phones running the latest software don't get timely updates. While for Apple, the delay is usually in an older, technically outdated OS (which btw only happens after at least 4-5 years of ownership of the device, as opposed to 1 year on Android).

Apple doing better in some areas, better than other market options, doesn't excuse the areas they could and should do better. Like I have said before, good and bad can coexist. There is almost always room for improvement, nothing is perfect, no person or company.

 

Unless there is an official end of life statement from Apple and absolutely zero updates, patches or whatever are going to a particular operating system version then all versions should get security patches at the same time. Sometimes not being able to achieve that target, within a month, is understandable. Consistently not achieving this or having a literal policy to not do it simply isn't acceptable.

 

So to make myself clear, it's irrelevant what anyone else is doing or not doing. I am able to point to a specific thing that is happening that should be better, and there is even an example of the issue above, which places it outside of just theory-crafting. A preventable security incident, wide scale, happened only because of a company policy and intentional disregard for security.


On 11/3/2022 at 11:40 AM, wanderingfool2 said:

Hardware and the backend code that deals with the hardware definitely call the APIs in different ways. They don't do all permutations, but they likely do test it on many different platforms (and even then you sometimes get the infinite reboot cycles, instabilities, etc. that occur with specific hardware).

Here's a hint: it's not justifiable as a company policy to release a security update that puts the majority of your users at a higher risk. (Patching a vulnerability that you know exists in other versions that you support is a massive security policy blunder.)

Again, how are you even trying to justify them releasing a patch 230 days past the time it was first patched? They only patched it as well because Google essentially forced their hand. This sort of thing is not something that should ever happen, really (or they had better have extremely good cause to). The fact that they fixed it within like 30 days of being alerted to it being used in the wild, though, says to me they just didn't want to bother with it.

Majority? In what context? Which devices? Who are these people? Most people running Apple devices are always on the latest version.

 

When you go about ranting that it shouldn't be a company's policy to "withhold updates", I guess you are okay with 95% of the Android market.


23 hours ago, leadeater said:

Apple doing better in some areas, better than other market options, doesn't excuse the areas they could and should do better. Like I have said before, good and bad can coexist. There is almost always room for improvement, nothing is perfect, no person or company.

Never said it was an excuse that they could do. But I have yet to see any pattern where they intentionally hold or delay updates. It's written like that in a legal document so that they can perform like that minimally while over-delivering most of the time. They do not want someone filing a lawsuit tomorrow just because a security patch was delayed by a couple of days on the older platform.

 

As a company, it is understandable that their first priority to patch will be the latest version of the OS, which most people are running. They cannot delay the iOS 16 patch because they haven't finished the iOS 12 and iOS 9 patches (which probably less than 5% of users are using).

23 hours ago, leadeater said:

Unless there is an official end of life statement from Apple and absolutely zero updates, patches or whatever are going to a particular operating system version then all versions should get security patches at the same time. Sometimes not being able to achieve that target, within a month, is understandable. Consistently not achieving this or having a literal policy to not do it simply isn't acceptable.

Apple does deem EOL status for hardware. It's safe to assume that the latest software it is able to run is also EOL. They don't need to do so specifically for their OS because only they use their OS.

23 hours ago, leadeater said:

So to make myself clear, it's irrelevant what anyone else is doing or not doing. I am able to point to a specific thing that is happening that should be better and there is even an above example of the issue which places it outside of just theory crafting. A preventable security incident, wide scale, happened only because of a company policy and intentional disregard for security.

It is. But all I ever did was point out the irony of this forum. If people complained about others equally, I would not have any issues. But the same people complaining about verbiage here are totally fine with the alternatives. Credit should be given where credit is due. If they need to improve, a constructive conversation can happen. But look at the initial comments on this thread.

 

Never used Android's lack of updates as a justification. Just pointed it out to those people who are passionately complaining about this issue. I just wanted to see their passion on Android's side as well.


3 hours ago, RedRound2 said:

 

Never used Android's lack of updates as a justification. Just pointed it out to those people who are passionately complaining about this issue. I just wanted to see their passion on Android's side as well.

You seem to be operating on the premise that the people who don't like some of the stuff Apple does will for some reason defend Google/Android for exactly the same thing. I don't know if you only read the Apple threads and assume that about this forum, but the hate Android receives for its lack of support and nearly all other issues is pretty much unanimous on these forums.

 

I mean hell, have you actually read any thread regarding update issues on any other OS?

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 hours ago, RedRound2 said:

Never said it was an excuse that they could do

Well, your posts only ever seem to be making excuses and deflections and pointing at the deficiencies of other market options, and never really agreeing that there is a problem when there actually has been one in real life because of this.

 

6 hours ago, RedRound2 said:

As a company, it is understandable that their first priority to patch will be the latest version of the OS, which most people are running. They cannot delay the iOS 16 patch because they haven't finished the iOS 12 and iOS 9 patches (which probably less than 5% of users are using).

This is just a flawed assessment. They can achieve all of them at the same time if they so wish. Apple is literally saying they do not wish to do this; it's company policy to not put in that effort. They might achieve it, but the official policy is to not have to do so, and this is wrong.

 

Also, the majority may not be running the latest; it's quite clear that is not the case, and it will be so repeatedly based on the point in time of assessment and OS release dates, etc. Adoption is not 100% from day 1.

 

And it affects more than just iOS 16, 12 & 9, etc., because people could be running any version in between, basically. Not everyone actually wants to upgrade to the latest, or wants to do so when Apple wants them to rather than when they want to. So while Apple is releasing updates of any kind for any iOS version, or macOS, the expectation is that they are releasing the same security updates in the same time frames. It's only now that they have put it on paper and made it clear that this is not the case.

 

If your device is running a non supported version of an OS then it should tell you so. Choosing to not be supported is fine so long as it's a choice.

 

6 hours ago, RedRound2 said:

Credit should be given where credit is due

I do not, and nobody has to, give credit when talking about a problem. Doing so almost always comes off as deflection of the issue. Because, again, for all the good Apple is doing, it has no bearing on the bad that could be better.

 

Apple could cure cancer, they still need to improve their policy around security patches.
