PSA: Why it's best to stay current with macOS.

Colstan

Site Champ
Posts
822
Reaction score
1,124
It’s pretty easy to skip articles that you aren’t interested in. Public service announcements can’t hurt.
The thread wasn't getting many responses, so I assumed I was doing it in a vacuum. I have since been corrected and shall continue. Everybody patch and soak it in!
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
You spoke, I listened. Back by popular demand, it's time for your annual reminder to update to the latest security patches! Apple has released updates for iOS, iPadOS, watchOS, fridgeOS, and macOS. With the release of Ventura 13.4.1, Apple continues to favor the latest version of macOS over the previous two releases.

The number of fixes for this update:

Ventura: 2
Monterey: 1
Big Sur: 1

Ventura is receiving 50% more patches, as is tradition!

These patches are of particular note, because Apple says that they are being actively exploited. A kernel exploit impacts all recent versions of macOS. Whether Monterey or Big Sur are impacted by the WebKit issue is uncertain, or if there may be a separate Safari update at a later point in time is unknown. If at all possible, run the latest version of macOS, to have full protection from both exploits. So, stay safe, patch your devices, and take your digital vitamins to keep infections away.
 

Roller

Elite Member
Posts
1,479
Reaction score
2,890
You spoke, I listened. Back by popular demand, it's time for your annual reminder to update to the latest security patches! Apple has released updates for iOS, iPadOS, watchOS, fridgeOS, and macOS. With the release of Ventura 13.4.1, Apple continues to favor the latest version of macOS over the previous two releases.

The number of fixes for this update:

Ventura: 2
Monterey: 1
Big Sur: 1

Ventura is receiving 50% more patches, as is tradition!

These patches are of particular note, because Apple says that they are being actively exploited. A kernel exploit impacts all recent versions of macOS. Whether Monterey or Big Sur are impacted by the WebKit issue is uncertain, or if there may be a separate Safari update at a later point in time is unknown. If at all possible, run the latest version of macOS, to have full protection from both exploits. So, stay safe, patch your devices, and take your digital vitamins to keep infections away.
Thanks. The big conundrum will come when Apple releases Sonoma in the fall. My experience with major macOS updates hasn't been stellar, so I usually wait until x.2 or later. I would hope Apple will keep Ventura patched for at least a few months, especially if there are vulnerabilities in active exploit, but we'll see.
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
Thanks. The big conundrum will come when Apple releases Sonoma in the fall. My experience with major macOS updates hasn't been stellar, so I usually wait until x.2 or later. I would hope Apple will keep Ventura patched for at least a few months, especially if there are vulnerabilities in active exploit, but we'll see.
Always glad to help.

Sonoma is going to be very important for Mac security. Probably as important as when Apple implemented System Integrity Protection (SIP) or XProtect. With macOS Sonoma, they'll be using behavioral detection for the first time, under the technology umbrella called "Bastion". Instead of just static blocklists and traditional scans with XProtect's Yara database and XProtect Remediator, Bastion will be proactive instead of reactive in preventing malware. The best security is stopping the infection in the first place, and Bastion may provide such protection, even if the malware is unknown to Apple's engineers. The esteemed Dr. Howard Oakley has an article about it.
 

theorist9

Site Champ
Posts
638
Reaction score
598
Thanks. The big conundrum will come when Apple releases Sonoma in the fall. My experience with major macOS updates hasn't been stellar, so I usually wait until x.2 or later. I would hope Apple will keep Ventura patched for at least a few months, especially if there are vulnerabilities in active exploit, but we'll see.
@Colstan: Does Apple reduce the quality of security support on the older OS as soon as the new OS comes out, or does it wait a few months, in acknowledgement of the fact that new OS's have growing pains, and many folks need to wait a few months for the kinks to be worked out before they can use the new OS in a production environment? I ask because you follow this much more closely than I. [Yes, support continues for a couple more years, but I'm referring to the reduction in the quality of support on older, but still supported, OS's.]
Sonoma is going to be very important for Mac security. Probably as important as when Apple implemented System Integrity Protection (SIP) or XProtect. With macOS Sonoma, they'll be using behavioral detection for the first time, under the technology umbrella called "Bastion". Instead of just static blocklists and traditional scans with XProtect's Yara database and XProtect Remediator, Bastion will be proactive instead of reactive in preventing malware. The best security is stopping the infection in the first place, and Bastion may provide such protection, even if the malware is unknown to Apple's engineers. The esteemed Dr. Howard Oakley has an article about it.
That's interesting--checking for suspicious/malicious behavior rather than just known malicious code. I'll look forward to seeing how well they're able to pull this off.
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
@Colstan: Does Apple reduce the quality of security support on the older OS as soon as the new OS comes out, or does it wait a few months, in acknowledgement of the fact that new OS's have growing pains, and many folks need to wait a few months for the kinks to be worked out before they can use the new OS in a production environment?
In Apple's collective hive mind, legacy software does them no good, and their judgement shall be swift and final. Generally speaking, once a version of macOS is replaced with the fresh version, it immediately loses about 50% of the patches compared to the latest release. So, if historical patterns hold, after Sonoma goes gold, Ventura will receive about half the security fixes during the next bug fix, with Monterey receiving less. In fact, this trend has been getting consistently worse as time has gone on. For instance, Mojave got about 70% of patches after Catalina hit, and that percentage has been dropping for years now.

I can't say what Apple will do in the future, just that I think they want to move Mac users to the latest release, and this is one way to do that. Keep in mind that Apple never promised two years of security support for legacy macOS versions, that's something that they do, but there is no guarantee of that moving forward.
 

mac_in_tosh

Site Champ
Posts
678
Reaction score
1,306
I'm curious about something - I use both Mac and Windows systems. On the latter, there are fairly frequent security updates (I forget the specific term used), not so on the Mac even with the current OS. Why is that?
 

Roller

Elite Member
Posts
1,479
Reaction score
2,890
In Apple's collective hive mind, legacy software does them no good, and their judgement shall be swift and final. Generally speaking, once a version of macOS is replaced with the fresh version, it immediately loses about 50% of the patches compared to the latest release. So, if historical patterns hold, after Sonoma goes gold, Ventura will receive about half the security fixes during the next bug fix, with Monterey receiving less. In fact, this trend has been getting consistently worse as time has gone on. For instance, Mojave got about 70% of patches after Catalina hit, and that percentage has been dropping for years now.

I can't say what Apple will do in the future, just that I think they want to move Mac users to the latest release, and this is one way to do that. Keep in mind that Apple never promised two years of security support for legacy macOS versions, that's something that they do, but there is no guarantee of that moving forward.
I wonder how effective that is given that many, perhaps most, macOS users aren't aware of the differences in security support between the current and prior versions. But if the behavioral detection approach in Sonoma works, this is a feature Apple should highlight in their messaging to users when it prepares to ship. Personally, I would have liked to see a release that just focused on bug fixes, stability, and security, but it seems that isn't happening this time around.
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
I'm curious about something - I use both Mac and Windows systems. On the latter, there are fairly frequent security updates (I forget the specific term used), not so on the Mac even with the current OS. Why is that?
I think Apple is most concerned with active exploits. That's why they developed Rapid Security Response. They've only used it once thus far, for a WebKit vulnerability. This most recent patch would have likely been one, except that RSR doesn't currently work with patches to the kernel. It's an evolving process. For the other patches, if an exploit isn't an active threat, then generally Apple will lump the remaining fixes in with the next point release. There have been a few exceptions where they've pushed out a patch for an exploit that wasn't an active threat, but that's rare. Not all exploits are equal.

But if the behavioral detection approach in Sonoma works, this is a feature Apple should highlight in their messaging to users when it prepares to ship.
Apple doesn't highlight their security features to the general public because they don't want to be associated with traditional anti-virus. XProtect Remediator is much more similar to PC malware scanners than Apple would like to admit. However, unlike Windows anti-virus, it doesn't scan all files at all times. It waits until the computer is idle, when the user isn't doing anything, then runs its scans, at various intervals, depending on what it is looking for. Otherwise, the only other time XProtect does a scan is when a program is first launched or modified.

Personally, I would have liked to see a release that just focused on bug fixes, stability, and security, but it seems that isn't happening this time around.
We're never going to get another Snow Leopard release. Apple is a much bigger company now and marketing needs to push new features to the general public. Compared to past releases, Sonoma has few changes. Other than the reincarnation of Dashboard through widgets on the desktop, and a few Safari tweaks, there's not much of note. I watched an exhaustive video on Sonoma, and it includes many quality of life issues, tweaks to the interface, and small changes such as a switch to turn off mouse acceleration, something gamers have wanted for years. I expect minor fixes under the hood, and perhaps big ones like Bastion, that Apple will never publicly disclose.
 

theorist9

Site Champ
Posts
638
Reaction score
598
You spoke, I listened. Back by popular demand, it's time for your annual reminder to update to the latest security patches! Apple has released updates for iOS, iPadOS, watchOS, fridgeOS, and macOS. With the release of Ventura 13.4.1, Apple continues to favor the latest version of macOS over the previous two releases.

The number of fixes for this update:

Ventura: 2
Monterey: 1
Big Sur: 1

Ventura is receiving 50% more patches, as is tradition!

These patches are of particular note, because Apple says that they are being actively exploited. A kernel exploit impacts all recent versions of macOS. Whether Monterey or Big Sur are impacted by the WebKit issue is uncertain, or if there may be a separate Safari update at a later point in time is unknown. If at all possible, run the latest version of macOS, to have full protection from both exploits. So, stay safe, patch your devices, and take your digital vitamins to keep infections away.
I looked into this, and from what I can see Monterey and Big Sur are getting the same security updates as Ventura (at least this time).

A nice little victory for those of us who like to wait until the later in the release cycle to update to a new OS!

One of the two updates is for Safari, and the difference is that both of the Ventura updates are packaged with the OS (hence "2") while, with Monterey and Big Sur, the Safari update is packaged separately. Thus if you look at the number of patches in the OS package alone, you can be misled into thinking they're different. Was it Howard that was saying this?

Here are the details:

VENTURA ON THE LEFT; MONTEREY ON THE RIGHT (BIG SUR IS THE SAME AS MONTEREY)
1687487956136.png
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
I looked into this, and from what I can see Monterey and Big Sur are getting the same security updates as Ventura (at least this time).
Both patches, all two of them, yes.

A nice little victory for those of us who like to wait until the later in the release cycle to update to a new OS!
As one of my good friends says: "Celebrate the small victories that the day brings".

One of the two updates is for Safari, and the difference is that both of the Ventura updates are packaged with the OS (hence "2") while, with Monterey and Big Sur, the Safari update is packaged separately.
The answer to this is quite simple. Yesterday, when Apple posted the release notes for the new patches, they didn't list the Safari update for Monterey and Big Sur until the next day. That's why I didn't include it in my original post. I did see it appear earlier today, but figured most users who are stuck on legacy macOS would discover it on their own. If it hadn't been for the delay, then I would have included it in my post about the latest patches.
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
For anyone still using legacy macOS, there's something wonky going on with the latest Safari update.

wonky.jpg


Also, Safari 16.5.1 for Monterey and Big Sur is being listed as deprecated.

deprecated.jpg


Exactly what this entails, I'm not sure, but it implies that Apple will no longer be updating this version of Safari for legacy macOS.

This thread has basically turned into a reminder for folks to update, which is fine, I like doing it as long as it is useful. However, let me explain the original genesis of this discussion. I used to think that Apple would patch all versions of macOS in equal measure. At one point, they did. I stayed on Mojave as long as I could, including reasons such as how later versions looked on my previous standard definition monitor, and simply not liking the new Big Sur interface. I've since gotten a "Retina" LG UltraFine and gotten used to the new paint job. (I tried Mojave a few months ago and it felt old and dated.)

The impetus for this thread was one of the security updates to Mojave. Apple had to pull it because it was causing so many problems. The performance degradation was widespread. Apple's engineers clearly didn't test it. They slapped the patches together and called it a day.

That's why I started this thread, because they are not fully patching older versions, nor testing them properly. Apple has made it clear that they want everyone on the latest version, full stop. macOS has become more like a rolling Linux release. This ain't old-timey OS X anymore, each version isn't its own species of feline. Old versions have unpatched issues. The Finder memory leak is still present in Monterey, Apple fixed it in Ventura.

Which brings me around to this thread. Long after I started it, Apple finally acknowledged that older versions of macOS are inherently insecure. As I have repeatedly stated, if you are on legacy macOS, you are vulnerable.

I would never presume to tell others what to do with their computing devices. That's none of my business, and not my problem, if something goes sideways. When to update is up to the individual. What I am saying is that legacy macOS, even as recent as Monterey, contains both long-standing bugs, and a significant number of vulnerabilities have accumulated; at this point hundreds of exploits remain unpatched.

This is an issue that is entirely of Apple's own making. Even if they never fix the old bugs, they should at least be consistent about security support. They should either release full patches for prior versions of macOS, or just not do it at all, instead of half-assing it.
 

Roller

Elite Member
Posts
1,479
Reaction score
2,890
Apple doesn't highlight their security features to the general public because they don't want to be associated with traditional anti-virus. XProtect Remediator is much more similar to PC malware scanners than Apple would like to admit. However, unlike Windows anti-virus, it doesn't scan all files at all times. It waits until the computer is idle, when the user isn't doing anything, then runs its scans, at various intervals, depending on what it is looking for. Otherwise, the only other time XProtect does a scan is when a program is first launched or modified.

We're never going to get another Snow Leopard release. Apple is a much bigger company now and marketing needs to push new features to the general public. Compared to past releases, Sonoma has few changes. Other than the reincarnation of Dashboard through widgets on the desktop, and a few Safari tweaks, there's not much of note. I watched an exhaustive video on Sonoma, and it includes many quality of life issues, tweaks to the interface, and small changes such as a switch to turn off mouse acceleration, something gamers have wanted for years. I expect minor fixes under the hood, and perhaps big ones like Bastion, that Apple will never publicly disclose.
IMO, it's a mistake for Apple not to highlight security features, which go hand-in-hand with privacy protections, which they do publicize often. They don't have to provide the technical details - most people wouldn't understand them anyway - but they should say something about security, which is on everyone's mind these days.

TBH, I haven't seen many compelling new user-facing features in macOS in years. So many changes seem to be implemented for no good reason, and it keeps getting harder to remember how to do things with each update. From what I've seen of Sonoma, though, there are a few improvements to look forward to, like desktop widgets, as you pointed out. On the other hand, iOS 17 looks like a solid update with lots of useful improvements.
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
Hear ye, hear ye! To whom it may concern, hot off the presses, we have a new Apple security patch! This time, it's a single fix, for a WebKit vulnerability that Apple's security team classifies as being actively exploited. It's a Rapid Security Response (RSR), which has been released for iOS and iPadOS 16.5.1 and Ventura 13.4.1. Concerning macOS, Monterey and Big Sur do not support RSR, hence assuming they are impacted by this vulnerability, will therefore require a separate patch, typically in the form of a Safari update. Exactly when or if Apple plans to release a fix for older macOS versions isn't currently known.

The new RSR will update iOS and iPadOS to version 16.5.1 (a) and macOS Ventura to 13.4.1 (a), with the "(a)" denoting the application of the patch. This RSR weighed in at a whopping 6.8MB for my Intel Mac mini. One of the primary benefits of RSR is the ability to significantly reduce download sizes.

If you are running an Apple operating system that supports RSR, then I would suggest downloading this patch, as "Apple is aware of a report that this issue may have been actively exploited", and therefore considered a priority update.
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
Shortly after the release of the RSR update for macOS Ventura, Apple has now followed up with Safari 16.5.2 as a standalone update to patch the WebKit vulnerability in Monterey and Big Sur. Notably, Safari is updated to version 16.5.2 (a) on Ventura after applying the RSR, likely as a way to differentiate the different patching methods, despite addressing the same vulnerability.
 

Citysnaps

Elite Member
Staff Member
Site Donor
Posts
3,766
Reaction score
9,161
Main Camera
iPhone
Hear ye, hear ye! To whom it may concern, hot off the presses, we have a new Apple security patch! This time, it's a single fix, for a WebKit vulnerability that Apple's security team classifies as being actively exploited. It's a Rapid Security Response (RSR), which has been released for iOS and iPadOS 16.5.1 and Ventura 13.4.1. Concerning macOS, Monterey and Big Sur do not support RSR, hence assuming they are impacted by this vulnerability, will therefore require a separate patch, typically in the form of a Safari update. Exactly when or if Apple plans to release a fix for older macOS versions isn't currently known.

The new RSR will update iOS and iPadOS to version 16.5.1 (a) and macOS Ventura to 13.4.1 (a), with the "(a)" denoting the application of the patch. This RSR weighed in at a whopping 6.8MB for my Intel Mac mini. One of the primary benefits of RSR is the ability to significantly reduce download sizes.

If you are running an Apple operating system that supports RSR, then I would suggest downloading this patch, as "Apple is aware of a report that this issue may have been actively exploited", and therefore considered a priority update.

Thanks!

I installed 13.4.1 on my MBP and that went well.

One thing I noticed is when launching Facebook I get this notice, which then launches m.facebook.com. I believe that's the mobile version of Facebook. It shows up as a very narrow version that doesn't get resized as I make the Safari window larger.

Any thoughts on that?

Screenshot 2023-07-10 at 2.09.33 PM.png
 

Colstan

Site Champ
Posts
822
Reaction score
1,124
One thing I noticed is when launching Facebook I get this notice, which then launches m.facebook.com. I believe that's the mobile version of Facebook. It shows up as a very narrow version that doesn't get resized as I make the Safari window larger.
I did some digging, and it appears to be a common complaint over at MacRumors concerning the latest security patch. I don't use Facebook, so I can't comment personally, but one user claims to have a fix by changing the user agent, rather than forgoing the patch, which is kinda important.

Protip:
Enable "Show Develop menu in menu bar" from Safari Settings under Advanced tab, then from the Develop menu change the user agent to Chrome macOS and it will work again.

Addendum: It may have something to do with the parenthesis "(a)" for the Safari version number.

Also note that if you don't want to change your user agent to Firefox or Chrome, you can select "Other" at the very bottom and just remove the offending "(a)" from the actual agent identifier.
 
Top Bottom
1 2