PSA: Why it's best to stay current with macOS.

[Colstan]

While perusing the release notes for the latest security patches for macOS, I noticed that @Cmaier's favorite CPU design tool, Vim, got two CVE entries in Big Sur, a whopping eight in Catalina, none of them overlapping. Meanwhile, Monterey 12.5 had no mention of Vim, so I assume that it is fully patched.

(Pictured - @Cmaier's emergency preparation tool for designing Opteron.)

This reminded me that not all macOS security updates are equal. While most folks here are aware of what I'm about to mention, it's important to remind less tech-savvy friends and family why they should stay on the latest version of macOS. We've all got a friend who has to be dragged kicking and screaming to do an operating system update. However, even though Apple is still releasing security patches for older versions of macOS, it doesn't mean that they are fully protected.

With macOS 12.5, Monterey received 50 security patches listed in Apple's release notes, on top of whatever unnamed bug fixes and stability improvements that Apple presumably included. Comparatively, the updates for Big Sur and Catalina only had 29 security patches. While some of that could be attributed to different software versions (such as the almighty Vim), much of it comes down to Apple not bothering to backport some of those fixes to earlier versions. Howard Oakley has been covering this for years and Apple's various methods for enticing users to upgrade to the latest version of macOS. Stating that a vulnerability is under "active exploit" is the most immediate and jarring method, but simply patching fewer flaws in older versions is another way of shepherding users toward the latest release.

At one point in time, back when the Mac operating system was marketed as OS X, it made sense to hang back a version or two, waiting for the release to mature. That no longer makes sense, now that Apple puts the vast majority of its engineering resources into the most current and upcoming versions of macOS. I try to keep my non-tech friends and family on the most recent non-beta version of macOS, because there are few good reasons to stay behind. If they are using Windows, strapped to the wheel of pain, then that is understandable, but most new macOS updates are painless.

For various reasons, I kept Mojave on my 2018 Mac mini for as long as it received security patches, but given how many of those security patches don't get backported to previous versions, it's wise to stay current. There's nothing wrong with waiting a few days to make sure that there are no serious widespread issues with a release, but the idea that it's best to hold off on the latest version is antiquated, at this point. The only exceptions are, of course, if you're using an older Mac that can't use the latest version, but we need to keep in mind that not every fix will make it to those systems that exist in the two-year security patch twilight zone.

 

[Cmaier]

While perusing the release notes for the latest security patches for macOS, I noticed that @Cmaier's favorite CPU design tool, Vim, got two CVE entries in Big Sur, a whopping eight in Catalina, none of them overlapping. Meanwhile, Monterey 12.5 had no mention of Vim, so I assume that it is fully patched.

(Pictured - @Cmaier's emergency preparation tool for designing Opteron.)

View attachment 16019

This reminded me that not all macOS security updates are equal. While most folks here are aware of what I'm about to mention, it's important to remind less tech-savvy friends and family why they should stay on the latest version of macOS. We've all got a friend who has to be dragged kicking and screaming to do an operating system update. However, even though Apple is still releasing security patches for older versions of macOS, it doesn't mean that they are fully protected.

With macOS 12.5, Monterey received 50 security patches listed in Apple's release notes, on top of whatever unnamed bug fixes and stability improvements that Apple presumably included. Comparatively, the updates for Big Sur and Catalina only had 29 security patches. While some of that could be attributed to different software versions (such as the almighty Vim), much of it comes down to Apple not bothering to backport some of those fixes to earlier versions. Howard Oakley has been covering this for years and Apple's various methods for enticing users to upgrade to the latest version of macOS. Stating that a vulnerability is under "active exploit" is the most immediate and jarring method, but simply patching fewer flaws in older versions is another way of shepherding users toward the latest release.

At one point in time, back when the Mac operating system was marketed as OS X, it made sense to hang back a version or two, waiting for the release to mature. That no longer makes sense, now that Apple puts the vast majority of its engineering resources into the most current and upcoming versions of macOS. I try to keep my non-tech friends and family on the most recent non-beta version of macOS, because there are few good reasons to stay behind. If they are using Windows, strapped to the wheel of pain, then that is understandable, but most new macOS updates are painless.

For various reasons, I kept Mojave on my 2018 Mac mini for as long as it received security patches, but given how many of those security patches don't get backported to previous versions, it's wise to stay current. There's nothing wrong with waiting a few days to make sure that there are no serious widespread issues with a release, but the idea that it's best to hold off on the latest version is antiquated, at this point. The only exceptions are, of course, if you're using an older Mac that can't use the latest version, but we need to keep in mind that not every fix will make it to those systems that exist in the two-year security patch twilight zone.

I ever tell the story of the original Opteron tape-out? I can’t remember every detail, but I remember this much. At the very last minute, I think it was my colleague Dhiraj who came to me with a needed fix. I can’t remember how we came to the conclusion that it could be fixed by moving one wire connection; my friend Cheryl may have been involved, or I may have figured it out using “Wanda,“ the GUI chip viewer I had written with my buddies Alan and Morgan. Anyway, in the end it came down to removing one piece of wire and adding another, maybe with a via.

But the chip had gone through all the final assembly steps, and running it back through the tools would take at least a half day or more. So I loaded the .def into gvim. (A .def Is a file format that represents the wire geometries. It’s technically human-readable, but there are a lot of undefined aspects to it so you have to understand how the downstream tools think. In particular, you replace coordinates with asterisks sometimes for reasons I won’t get into).

Anyway, I edited the file by hand, using Wanda to verify the coordinates, then ran the file through our DRC and LVS tools, and off the gdsii file went to the fab.

I remember that there was no one around other than me and Dhiraj, and I don’t think we told anyone what we were doing (other than maybe Cheryl). Even at the time I remember thinking: “i bet this isn’t how things work at Intel.”

 

[mac_in_tosh]

However, even though Apple is still releasing security patches for older versions of macOS, it doesn't mean that they are fully protected.

I usually wait until the newest Mac OS is released to install the one immediately before it to avoid the inevitable bugs and app incompatibilities. Right now I am still on Big Sur and assumed Apple was being diligent about security patches due to the large number of Big Sur installations still in use. So your post surprises me. Would you say that even immediately previous versions of Mac OS are not fully protected or would that refer to older versions that are still officially supported?

 

[Colstan]

I ever tell the story of the original Opteron tape-out?

This is the fourth time I've heard it, but the first time over here, so it's all good.

So I loaded the .def into gvim.

Hence my poorly worded Vim joke in the original post.

I enjoy hearing stories like this, because it's a reminder that these chips are built by actual human beings. While I don't go into the detail that you do, I've re-told your story in a way that non-tech people can properly digest. It helps them understand that it isn't magic and voodoo (perhaps a little spooky action at a distance) but still made by humans.

 

[Runs For Fun]

Yeah people really need to let go of the mentality that updates break everything all the time. There may have been some truth to that a long time ago, but it really just doesn't happen these days. I still see people two whole major iOS versions behind asking if it's safe to update to the latest. Blows my mind. And it's almost always because "I've heard there's lots of bugs" or "Apple are purposely going to slow down my phone every update"

 

[Colstan]

Would you say that even immediately previous versions of Mac OS are not fully protected or would that refer to older versions that are still officially supported?

It's demonstrably true that any version of macOS that is older than the most recent release has security vulnerabilities that won't be patched, and are missing security features only available in the latest version, as well. For instance, Monterey 12.5 is more secure than Big Sur with the latest security update. There are vulnerabilities, roughly 20 or so, that were patched in Monterey 12.5 that will never be patched in Big Sur or Catalina.

Dr. Howard Oakley has been covering Apple's software update patterns on his website for years now, and much of what I've stated is based upon his substantial research. I recommend following his website daily. For instance, just yesterday he pointed out that significant non-security related bugs still remain within Monterey, which will never be fixed within Monterey. Often times, those bugs are more difficult to fix than a simple patch, and hence they get put off until the next major version of macOS is released. That's been the case for years now.

The notion that an older version of macOS, once it has received it's final major update, is more stable than the current release is an antiquated belief. Now that Apple releases a new version of macOS every year, they put their full engineering efforts into the most current version, and the next upcoming release. As Dr. Oakley has demonstrated repeatedly, the most stable and secure version of macOS currently available is Monterey. Big Sur and Catalina are in maintenance mode, and will only receive some of the security patches that Monterey received. In fact, this may be the last patch for Catalina, with Big Sur remaining on life support for another year, if that. I stayed on Mojave for as long as it received security patches, but looking back that was likely a mistake, because it didn't receive multiple security patches. That has been the case with Catalina and Big Sur. Mojave also fell short of the supposed two-years of patches, without a clear indication from Apple of when support would end.

With modern macOS, it's far better to be on the latest non-beta version available. That's where Apple puts its engineering resources; you'll receive all security updates and fixes for non-security related bugs. Big Sur will always have those issues, regardless of how current you keep your system, so it's best to update as soon as Apple releases a major version of macOS. There's probably no harm in waiting a day or two, just in case of serious problems that weren't picked up in beta testing, but Apple clearly wants its users to stay current. The exception would be when Apple notes a security vulnerability is being actively exploited, so do the update ASAP, instead of waiting a couple of days.

I think it's better to see macOS as a rolling release, rather than major versions that then receive long-term support. For instance, Ubuntu releases a new version every year, while supporting an LTS version for years, so that customers can choose a more stable release. Apple doesn't do this, they only put their engineering efforts behind the most current version (and upcoming versions). Think of the roughly two-year window of security patches for previous incarnations of macOS as nothing more than a courtesy for customers who can't, for whatever reason, run the latest version of macOS.

I usually wait until the newest Mac OS is released to install the one immediately before it to avoid the inevitable bugs and app incompatibilities.

I know it is counterintuitive to long-time Mac users, but once Ventura is released, it's best to upgrade to that as soon as possible. Catalina will no longer be supported at all, while Big Sur and Monterey will be in maintenance mode. They will no longer receive patches for significant bugs, which are often left unfixed in previous versions of macOS, and will also not receive some of the security patches that Ventura receives. If your goal is to stay safe, which is what we should all strive for, then the latest security features will be baked into Ventura, as well as patching all of the vulnerabilities that Apple is aware of. That won't be the case with Big Sur or Monterey. As I pointed out in my original post, Monterey 12.5 includes 21 security patches that Big Sur and Catalina didn't receive, and never will receive.

In the past, conventional wisdom is that macOS is more stable once it hits the final point release, in the case of Monterey being 12.5, but in fact, it's far better to be on Ventura 13.0 as soon as possible, for both security reasons and general bug fixes within the operating system. Apple is constantly pressuring its users to use the latest version, and that's not so that they can boast about uptake or other vapid reasons, but for concrete, practical reasons. While some apps will likely need updating, for most users, Ventura will be the most stable and secure version of macOS, which is by design.

 

[Runs For Fun]

For instance, Ubuntu releases a new version every year, while supporting an LTS version for years

Actually they release a new version every 6 months and an LTS release every 2 years.

 

[mac_in_tosh]

It's demonstrably true that any version of macOS that is older than the most recent release has security vulnerabilities that won't be patched, and are missing security features only available in the latest version, as well. For instance, Monterey 12.5 is more secure than Big Sur with the latest security update. There are vulnerabilities, roughly 20 or so, that were patched in Monterey 12.5 that will never be patched in Big Sur or Catalina.

I don't doubt you but it is surprising and even disappointing that Apple will not address known vulnerabilities in an OS that they are still claiming to support and which perhaps millions of people are using out of choice or necessity. To some people jumping on the latest OS is not an option as maybe their hardware doesn't meet the requirements or an important app they use is not ready for it.

 

[Colstan]

Actually they release a new version every 6 months and an LTS release every 2 years.

I stand corrected. It's been a while since I had my "Linux phase", which all Mac users seem to go through, at some point in time. The last time was when I briefly flirted with the apparently defunct elementary OS.

I don't doubt you but it is surprising and even disappointing that Apple will not address known vulnerabilities in an OS that they are still claiming to support and which perhaps millions of people are using out of choice or necessity. To some people jumping on the latest OS is not an option as maybe their hardware doesn't meet the requirements or an important app they use is not ready for it.

It's another way that Apple nudges their users toward the latest version of macOS. They never promised two years of additional support for older versions, that's just something that they provide to those users. To my knowledge, they never codified that into an official policy, and could drop support at any time. Given that the Catalina and Big Sur security updates received only 60% of the security patches fixed in Monterey, it would probably be better just to drop support for old versions entirely, rather than to exist in this zombie state.

 

[mac_in_tosh]

It's another way that Apple nudges their users toward the latest version of macOS.

Since we're discussing Apple support, I have a related question. I have the latest Airport Extreme Base Station but Apple got out of the router business a few years ago. Is Apple still claiming to support this device, given that there's nothing newer from them to upgrade to? It's been a while since there have been any updates.

 

[Cmaier]

Since we're discussing Apple support, I have a related question. I have the latest Airport Extreme Base Station but Apple got out of the router business a few years ago. Is Apple still claiming to support this device, given that there's nothing newer from them to upgrade to? It's been a while since there have been any updates.

Apple has put the airports in its “obsolete” category. So no hardware repairs, and very limited software updates. The writing has been on the wall for awhile with those - they disbanded the team, after all.

As for nothing to upgrade to, Apple has been suggesting various products for years, including certain linksys routers.

Personally I use Synology’s routers, though I still use one AirPort Extreme in my garage for some ring cameras.

 

[Roller]

It's demonstrably true that any version of macOS that is older than the most recent release has security vulnerabilities that won't be patched, and are missing security features only available in the latest version, as well. For instance, Monterey 12.5 is more secure than Big Sur with the latest security update. There are vulnerabilities, roughly 20 or so, that were patched in Monterey 12.5 that will never be patched in Big Sur or Catalina.

Dr. Howard Oakley has been covering Apple's software update patterns on his website for years now, and much of what I've stated is based upon his substantial research. I recommend following his website daily. For instance, just yesterday he pointed out that significant non-security related bugs still remain within Monterey, which will never be fixed within Monterey. Often times, those bugs are more difficult to fix than a simple patch, and hence they get put off until the next major version of macOS is released. That's been the case for years now.

The notion that an older version of macOS, once it has received it's final major update, is more stable than the current release is an antiquated belief. Now that Apple releases a new version of macOS every year, they put their full engineering efforts into the most current version, and the next upcoming release. As Dr. Oakley has demonstrated repeatedly, the most stable and secure version of macOS currently available is Monterey. Big Sur and Catalina are in maintenance mode, and will only receive some of the security patches that Monterey received. In fact, this may be the last patch for Catalina, with Big Sur remaining on life support for another year, if that. I stayed on Mojave for as long as it received security patches, but looking back that was likely a mistake, because it didn't receive multiple security patches. That has been the case with Catalina and Big Sur. Mojave also fell short of the supposed two-years of patches, without a clear indication from Apple of when support would end.

With modern macOS, it's far better to be on the latest non-beta version available. That's where Apple puts its engineering resources; you'll receive all security updates and fixes for non-security related bugs. Big Sur will always have those issues, regardless of how current you keep your system, so it's best to update as soon as Apple releases a major version of macOS. There's probably no harm in waiting a day or two, just in case of serious problems that weren't picked up in beta testing, but Apple clearly wants its users to stay current. The exception would be when Apple notes a security vulnerability is being actively exploited, so do the update ASAP, instead of waiting a couple of days.

I think it's better to see macOS as a rolling release, rather than major versions that then receive long-term support. For instance, Ubuntu releases a new version every year, while supporting an LTS version for years, so that customers can choose a more stable release. Apple doesn't do this, they only put their engineering efforts behind the most current version (and upcoming versions). Think of the roughly two-year window of security patches for previous incarnations of macOS as nothing more than a courtesy for customers who can't, for whatever reason, run the latest version of macOS.


I know it is counterintuitive to long-time Mac users, but once Ventura is released, it's best to upgrade to that as soon as possible. Catalina will no longer be supported at all, while Big Sur and Monterey will be in maintenance mode. They will no longer receive patches for significant bugs, which are often left unfixed in previous versions of macOS, and will also not receive some of the security patches that Ventura receives. If your goal is to stay safe, which is what we should all strive for, then the latest security features will be baked into Ventura, as well as patching all of the vulnerabilities that Apple is aware of. That won't be the case with Big Sur or Monterey. As I pointed out in my original post, Monterey 12.5 includes 21 security patches that Big Sur and Catalina didn't receive, and never will receive.

In the past, conventional wisdom is that macOS is more stable once it hits the final point release, in the case of Monterey being 12.5, but in fact, it's far better to be on Ventura 13.0 as soon as possible, for both security reasons and general bug fixes within the operating system. Apple is constantly pressuring its users to use the latest version, and that's not so that they can boast about uptake or other vapid reasons, but for concrete, practical reasons. While some apps will likely need updating, for most users, Ventura will be the most stable and secure version of macOS, which is by design.

I'd be more inclined to install major macOS versions immediately after release if my recent experience wasn't so poor. Each time I upgraded quickly, bugs and incompatibilities with software I rely on daily kept me from getting work done until around the 2nd point update. It's possible some of this was the fault of third-party developers, but that didn't make the situation any better. I wish Apple put more engineering resources into correcting known bugs and issues instead of messing with the UI and making some functions harder to find.

 

[Colstan]

I'd be more inclined to install major macOS versions immediately after release if my recent experience wasn't so poor. Each time I upgraded quickly, bugs and incompatibilities with software I rely on daily kept me from getting work done until around the 2nd point update. It's possible some of this was the fault of third-party developers, but that didn't make the situation any better. I wish Apple put more engineering resources into correcting known bugs and issues instead of messing with the UI and making some functions harder to find.

I completely understand and don't disagree with you. I stayed on Mojave until Apple stopped providing security patches, partial as they were. Apple disagrees with this strategy and wants all users on the latest version of macOS, full stop. I don't recall the exact details, but when I contacted Apple support about an issue I was having with my 2018 Mac mini, they told me to upgrade to Big Sur, the latest version at that time, before they could assist me.

Assuredly, there will be problems with any new version of an OS update, but that is the case with every version available, new and old. There are significant flaws that don't get fixed until the next release, usually due to the engineering effort involved. I'd much prefer a release schedule more along the lines of OS X before the push for new features every year, but Apple also disagrees with that. As far as third-party software is concerned, Apple's response would be that is what beta releases are for, even though complex applications may require more than five or six months to be fully tested.

I can see both sides of the argument, I agree with your thoughts on the matter, but the fact remains that Apple only patches 100% of security flaws in the latest version and tends to only fix major bugs in the same fashion. Once an older version of macOS is displaced, security patches are fractional, while general fixes are non-existent. As the saying goes, you go to battle with the army you have, not the one you might want.

 

[Roller]

I completely understand and don't disagree with you. I stayed on Mojave until Apple stopped providing security patches, partial as they were. Apple disagrees with this strategy and wants all users on the latest version of macOS, full stop. I don't recall the exact details, but when I contacted Apple support about an issue I was having with my 2018 Mac mini, they told me to upgrade to Big Sur, the latest version at that time, before they could assist me.

Assuredly, there will be problems with any new version of an OS update, but that is the case with every version available, new and old. There are significant flaws that don't get fixed until the next release, usually due to the engineering effort involved. I'd much prefer a release schedule more along the lines of OS X before the push for new features every year, but Apple also disagrees with that. As far as third-party software is concerned, Apple's response would be that is what beta releases are for, even though complex applications may require more than five or six months to be fully tested.

I can see both sides of the argument, I agree with your thoughts on the matter, but the fact remains that Apple only patches 100% of security flaws in the latest version and tends to only fix major bugs in the same fashion. Once an older version of macOS is displaced, security patches are fractional, while general fixes are non-existent. As the saying goes, you go to battle with the army you have, not the one you might want.

I wonder what the transition to Apple silicon, when it’s complete and Intel Macs are no longer supported a few years later, will do to macOS release schedules and reliability. I hope it’ll be easier to address bugs and security holes more quickly and effectively.

With Ventura, I’m going to look at initial reports and, if things seem OK, consider upgrading when 13.1 is released. Over the past two years, reaching the .1 milestone has taken about 4-7 weeks.

 

[Colstan]

I wonder what the transition to Apple silicon, when it’s complete and Intel Macs are no longer supported a few years later, will do to macOS release schedules and reliability. I hope it’ll be easier to address bugs and security holes more quickly and effectively.

While Apple's budget may appear unlimited, their engineering talent is not. I think they want to move to Apple Silicon as fast as possible so that they don't have to support two architectures. Keep in mind that x86 comes with a whole host of security issues from Intel's HyperThreading, plus they have to maintain T2 support, AMD drivers, UEFI updates, microcode from Intel, among a whole host of other issues that are unique to the x86 platform. Apple Silicon will simplify that process, not just because the Mac will be on a single platform, but because much of that work is already duplicated with iOS.

I've seen a lot of Intel Mac users who are holding out hope for long-term support, but I suspect Apple is going to sweep x86 under the rug and into the dustbin of history as quickly as possible. Some Mac Pro owners think they are going to get new Intel versions of macOS for another decade, plus AMD 7000-series drivers, etc. I'm sure they'll get that, and a free pony, too. I say all this as someone currently using a 2018 Intel Mac mini as my primary system, but I lived through the PPC-to-Intel transition, and Apple's judgement was swift and final.

With Ventura, I’m going to look at initial reports and, if things seem OK, consider upgrading when 13.1 is released. Over the past two years, reaching the .1 milestone has taken about 4-7 weeks.

It's best to do whatever makes you feel comfortable with your system. Ever since I gave up Mojave, I've hopped right onto the latest version of macOS as they were released, and haven't had any issues, but that's just my experience. In fact, I had significant issues with Mojave in its dying days, which furthered my belief that Apple doesn't give two flips about older versions of macOS.

When I say serious, Safari wouldn't work on later versions of Mojave, and crashed upon simply opening the application. That wasn't just me, but everyone who applied that specific security update. The fix was to install the Big Sur beta firmware, then reinstall Mojave, or switch to another browser. It was a mess that I don't intend on repeating. During its death throes, Mojave was constantly breaking with each successive security patch. Security updates seem simple enough on the surface, but touch just about every part of macOS. Apple isn't breaking updates on purpose, but the testing they do on security patches for old versions of macOS appear to be somewhere between bare minimum and non-existent.

 

[sgtaylor5]

While Apple's budget may appear unlimited, their engineering talent is not. I think they want to move to Apple Silicon as fast as possible so that they don't have to support two architectures. Keep in mind that x86 comes with a whole host of security issues from Intel's HyperThreading, plus they have to maintain T2 support, AMD drivers, UEFI updates, microcode from Intel, among a whole host of other issues that are unique to the x86 platform. Apple Silicon will simplify that process, not just because the Mac will be on a single platform, but because much of that work is already duplicated with iOS.

I've seen a lot of Intel Mac users who are holding out hope for long-term support, but I suspect Apple is going to sweep x86 under the rug and into the dustbin of history as quickly as possible. Some Mac Pro owners think they are going to get new Intel versions of macOS for another decade, plus AMD 7000-series drivers, etc. I'm sure they'll get that, and a free pony, too. I say all this as someone currently using a 2018 Intel Mac mini as my primary system, but I lived through the PPC-to-Intel transition, and Apple's judgement was swift and final.

That, I totally understand. That's the same as Microsoft wanting everyone to get to Windows 10/11, so they don't need to support their older versions.

Still, I just got a 2017 MBA (8/128 where 75 is free), because I wanted to help a client out, it was essentially free, I know my workload, and using an M1 MBA on my workload would be like hitting a fly with a sledgehammer. I really resent being told (at the other place, not here) that I need a much faster and more expensive system than I really need (16/512), or I'm not really serious about staying current. If I had the money, I just would have bought an M1 base model at the time. and even then, it would have been broadly faster than the new M2. By that I mean, no surprises like the SSD write speed being lower on the M2 on the base model.

 

[Colstan]

Still, I just got a 2017 MBA (8/128 where 75 is free), because I wanted to help a client out, it was essentially free, I know my workload, and using an M1 MBA on my workload would be like hitting a fly with a sledgehammer. I really resent being told (at the other place, not here) that I need a much faster and more expensive system than I really need (16/512), or I'm not really serious about staying current. If I had the money, I just would have bought an M1 base model at the time. and even then, it would have been broadly faster than the new M2. By that I mean, no surprises like the SSD write speed being lower on the M2 on the base model.

I hear you. I'm going to keep my 2018 Mac mini going for as long as I can and I don't need anyone to explain to me why I should switch right now when it's doing its job just fine. I invested a lot into RAM upgrades, eGPU, etc. That's much more than the $700 I originally put into it. My philosophy is to use what you have until you absolutely need to replace it, then buy the best you can reasonably afford, and enjoy the hell out of it. That's what I plan with my eventual move to Apple Silicon.

Even though I'm not in the target market for the Mac Pro, I spent some time babysitting in that forum over at the other place, and they're absolutely livid about the latest Apple Silicon rumors for their favorite product. One solution I heard was for Apple to continue to release Xeon Mac Pros to "make professionals happy". There seem to be a subset of individuals that just can't accept that Apple is moving on not just from Intel products, but also Intel's design philosophy, and any suggestion that they plan for an alternative future is sharply denounced. (That, and half the time I bring up @Cmaier the post gets deleted for "discussing moderation".)

As far as Apple's thinking is concerned, here is another reason that they absolutely need to move the base over to Apple Silicon, for security reasons. UEFI has been Swiss cheese for years now, it was obvious it would be a security nightmare when it was announced, and the sooner Apple moves the Mac to iBoot, the better for all of us users. Of course, there are the wise guys in the comments section that point out "all computers have vulnerabilities". Everyone knows it, they can stop trotting out the straw men, give them a rest. The point is that Apple can reduce the attack surface by moving to their own solutions.

 

[Colstan]

Apple has just released a new security patch for Monterey, along with iOS, covering the same vulnerabilities. On my 2018 Intel Mac mini, the new update designated 12.5.1 (21G83) weighed in at 1.18GB and took about an hour to install. There are two notable things about this security patch. First, it addresses only two vulnerabilities, whereas Apple usually releases updates with dozens of security patches. Second, Apple claims that these exploits, one in the kernel and the other in WebKit, are being actively exploited. The fixes were complex enough to update both the Intel BridgeOS firmware, as well as Safari. (It's notable that unlike Intel Macs, the Apple Silicon iBoot firmware was not updated.) You can see more details over at Mr. Macintosh's blog post on the update. Obviously, if Apple is aware of these vulnerabilities being actively exploited, and you are running Monterey, then it's a good idea to patch as soon as possible.

This does bring me back to the original premise of my post from last month. As I mentioned, having followed Dr. Howard Oakley's blog for years now, he has highlighted how Apple will often only patch important bugs and security patches within the latest shipping version of macOS. For non-security issues, sometimes Apple won't fix those until the next major version, but at least they don't impact personal security. However, Apple will often fail to backport major security patches to older versions of macOS.

It's not clear if these latest vulnerabilities fixed in 12.5.1 impact Big Sur and Catalina users, whether Apple will eventually release a patch for those versions, or if they will ignore the issue and not bother. Apple's unofficial two-year support for security patches has often been in a grey area which has never been completely defined by the company. For instance, Mojave stopped receiving patches months before the two-year window was closed. In another instance, Big Sur received a security patch 234 days before it was fixed in Catalina.

What are the chances that these two exploits, one for the Kernel (CVE-2022-32894) and the other for WebKit (CVE-2022-32893), impact Monterey and only Monterey? As I pointed out in a previous post, concerning the security patches in 12.5, Big Sur received only 60% of the patches for the vulnerabilities found in Monterey. Plus, this exact same scenario played out in April, with Monterey receiving two "in the wild" vulnerability patches, while Big Sur and Catalina still remain unpatched to these flaws which Apple believes to be under active exploitation.

Why exactly Apple continues to provide two-years of unofficial patches for older versions of macOS, yet only some of those fixes make it to earlier versions, is unclear. Dr. Oakley has some thoughts on Apple's reasons for this. What is clear is that if you are a Mac user and want to be certain that all of the latest security fixes are applied, then it's imperative to be on the latest release version of macOS.

Howard has also pointed out why there are non-security related reasons to update to the latest version of macOS. In the past, it was a common belief that it's best to wait for a few point releases before a new version of macOS is stable, in the case of Monterey, that would be perhaps 12.2 or 12.3. According to Howard and his excellent research, that conventional wisdom is no longer valid. He posits that the last remaining Finder memory leak may never be fixed in Monterey, leaving that work for future releases. Apple has a history of not patching major flaws until the next version of macOS.

macOS has a track record of leaving well-known bugs in final major releases when more extensive work is required to fix them. Among those was failure in the DAS/CTS dispatching system which caused automatic Time Machine backups to fail in Sierra, APFS support for Fusion Drives in High Sierra, and painfully slow Time Machine backups in Catalina. Each of those was only fixed in the next major release of macOS. Of course I hope I’m wrong, and this memory leak gets fixed in 12.5, but the chances are falling.

I realize that there are entirely valid reasons for wanting to stay with an older version of macOS, but in terms of security and stability, Apple has made it clear that they want Mac users on the latest version available, full stop, and they do so in a not at all subtle fashion. Aside from displaying blinking lights and dire warnings messages, the company couldn't make it more obvious. Whether this is a good or bad thing is dependent upon the individual user, but the company's stance on the issue is clear.

 

[Arkitect]

That, I totally understand. That's the same as Microsoft wanting everyone to get to Windows 10/11, so they don't need to support their older versions.

Still, I just got a 2017 MBA (8/128 where 75 is free), because I wanted to help a client out, it was essentially free, I know my workload, and using an M1 MBA on my workload would be like hitting a fly with a sledgehammer. I really resent being told (at the other place, not here) that I need a much faster and more expensive system than I really need (16/512), or I'm not really serious about staying current. If I had the money, I just would have bought an M1 base model at the time. and even then, it would have been broadly faster than the new M2. By that I mean, no surprises like the SSD write speed being lower on the M2 on the base model.

Ha!
Yes, the "Other Place" where everyone apparently has bottomless pockets and zillion dollar credit lines.

I hear you. I'm going to keep my 2018 Mac mini going for as long as I can and I don't need anyone to explain to me why I should switch right now when it's doing its job just fine. I invested a lot into RAM upgrades, eGPU, etc. That's much more than the $700 I originally put into it. My philosophy is to use what you have until you absolutely need to replace it, then buy the best you can reasonably afford, and enjoy the hell out of it. That's what I plan with my eventual move to Apple Silicon.

I'm on a 2018 Mini as well and certainly plan to make use of it as long as possible… Software wise I'm mostly OK to go Silicon when the time is right — right now it is just McNeel (Rhino 3D) being cagey about their Silicon plans.

Apart from the Bluetooth issues which I have just resigned myself to, all is well.

Apple has just released a new security patch for Monterey, along with iOS, covering the same vulnerabilities. On my 2018 Intel Mac mini, the new update designated 12.5.1 (21G83) weighed in at 1.18GB and took about an hour to install. There are two notable things about this security patch. First, it addresses only two vulnerabilities, whereas Apple usually releases updates with dozens of security patches. Second, Apple claims that these exploits, one in the kernel and the other in WebKit, are being actively exploited. The fixes were complex enough to update both the Intel BridgeOS firmware, as well as Safari. (It's notable that unlike Intel Macs, the Apple Silicon iBoot firmware was not updated.) You can see more details over at Mr. Macintosh's blog post on the update. Obviously, if Apple is aware of these vulnerabilities being actively exploited, and you are running Monterey, then it's a good idea to patch as soon as possible.

This does bring me back to the original premise of my post from last month. As I mentioned, having followed Dr. Howard Oakley's blog for years now, he has highlighted how Apple will often only patch important bugs and security patches within the latest shipping version of macOS. For non-security issues, sometimes Apple won't fix those until the next major version, but at least they don't impact personal security. However, Apple will often fail to backport major security patches to older versions of macOS.

It's not clear if these latest vulnerabilities fixed in 12.5.1 impact Big Sur and Catalina users, whether Apple will eventually release a patch for those versions, or if they will ignore the issue and not bother. Apple's unofficial two-year support for security patches has often been in a grey area which has never been completely defined by the company. For instance, Mojave stopped receiving patches months before the two-year window was closed. In another instance, Big Sur received a security patch 234 days before it was fixed in Catalina.

What are the chances that these two exploits, one for the Kernel (CVE-2022-32894) and the other for WebKit (CVE-2022-32893), impact Monterey and only Monterey? As I pointed out in a previous post, concerning the security patches in 12.5, Big Sur received only 60% of the patches for the vulnerabilities found in Monterey. Plus, this exact same scenario played out in April, with Monterey receiving two "in the wild" vulnerability patches, while Big Sur and Catalina still remain unpatched to these flaws which Apple believes to be under active exploitation.

Why exactly Apple continues to provide two-years of unofficial patches for older versions of macOS, yet only some of those fixes make it to earlier versions, is unclear. Dr. Oakley has some thoughts on Apple's reasons for this. What is clear is that if you are a Mac user and want to be certain that all of the latest security fixes are applied, then it's imperative to be on the latest release version of macOS.

Howard has also pointed out why there are non-security related reasons to update to the latest version of macOS. In the past, it was a common belief that it's best to wait for a few point releases before a new version of macOS is stable, in the case of Monterey, that would be perhaps 12.2 or 12.3. According to Howard and his excellent research, that conventional wisdom is no longer valid. He posits that the last remaining Finder memory leak may never be fixed in Monterey, leaving that work for future releases. Apple has a history of not patching major flaws until the next version of macOS.



I realize that there are entirely valid reasons for wanting to stay with an older version of macOS, but in terms of security and stability, Apple has made it clear that they want Mac users on the latest version available, full stop, and they do so in a not at all subtle fashion. Aside from displaying blinking lights and dire warnings messages, the company couldn't make it more obvious. Whether this is a good or bad thing is dependent upon the individual user, but the company's stance on the issue is clear.

Thanks for the details about what was patched up in yesterday's update (took about 20 minutes this morning).
The bit about these exploits being actively exploited was enough to make me update straight away… not that I am paranoid or anything… but…

 

[DT]

I hear you. I'm going to keep my 2018 Mac mini going for as long as I can and I don't need anyone to explain to me why I should switch right now when it's doing its job just fine. I invested a lot into RAM upgrades, eGPU, etc. That's much more than the $700 I originally put into it. My philosophy is to use what you have until you absolutely need to replace it, then buy the best you can reasonably afford, and enjoy the hell out of it. That's what I plan with my eventual move to Apple Silicon.

I'm on a 2018 Mini as well and certainly plan to make use of it as long as possible… Software wise I'm mostly OK to go Silicon when the time is right — right now it is just McNeel (Rhino 3D) being cagey about their Silicon plans.

Just chiming in as another 2018 Mini owner, i7/32/512 (OEM config), still under AC+ coverage until November of this year. Mine has been pretty great, it's my primary person/general purpose machine and my dev/work machine by way of Parallels/VMs. That latter requirement is why I've stayed on an Intel based machine. In the next few months I'm contemplating either: determining a way to do the same work on an M based notebook (possibly some mix of native/VM/Containers/Cloud) , or possibly pick up a stout Windows notebook specifically for development and my Mini will just keep running for my Mac/personal needs on another desk

I was always tempted to do something about the lackluster GPU performance, but didn't want to fiddle around with an eGPU (and introduce another issue point). That was probably more to accommodate 4K displays for text vs. something like gaming/3D modeling. I currently run 2 Dell U2518, that's a 25" QHD display, which are terrific, and the Mini iGPU does fine with that resolution (I specifically went QHD knowing 4Ks could be laggy).

Apart from the Bluetooth issues which I have just resigned myself to, all is well.

I spent a couple months with the BT issue, mouse with random disconnects, you know the drill, it was unacceptable, and Apple didn't seem concerned, so a little research and I found the solution. This BT adapter for $15:

https://www.amazon.com/gp/product/B007GFX0PY/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1

That product uses a CSR8510 based chip which has native MacOS drivers. Then this VRAM setting:

sudo nvram SkipIOBluetoothHostControllerUARTTransport=%01

Disables the onboard BT, even through a power cycle, and the USB BT dongle becomes the single active, default BT interface.

I did this 2+ years ago, and have almost no BT issues (I might have a stray mouse issue once a month if that). Some people plugged the dongle directly into the USB-A port on the Mini, but some people to isolate is a little more use an extension cable, or run it off a USB-C port with an adapter cable, plug it into a hub - and in my case, since I used a wired KB with 2 USB ports, I plug it into one of those so it's like 2 feet from the machine, and right next to my mouse.

Seriously, give it a try, I think you'll be incredible pleased at the reduction of BT issues (to almost none), especially for under $20