Missing from Apple’s rollout of patches for the go-to-fail SSL/TLS coding bug last week was a security update for OS X 10.6 Snow Leopard, the second time in three months that Snow Leopard has been passed over. The other was Apple’s December batch of security updates, which covered Safari 6 and 7 but not Safari 5.1.10, the most recent version of the browser that supports OS X 10.6. That is a pretty strong indication that there will be no more updates for 10.6, which is now three generations behind the current OS X 10.9 Mavericks; it is not unusual for Apple to drop support for an OS version by that point. In fact, only OS X 10.4 Tiger was supported longer than Snow Leopard after being superseded.
However, a significant difference is that Net Applications metrics show that, as of the end of January, 19 percent of all Macs in active service were still running OS X 10.6 Snow Leopard. That is more than are still on its successor, Lion (16 percent), and almost as many as are still on Mountain Lion, whose user share plummeted once the free upgrade to Mavericks arrived; 42 percent of OS X users are now on 10.9. Net Applications also tracked a not-insignificant 4 percent still using OS X 10.5 Leopard, presumably mostly on PowerPC hardware, and about 1 percent (such as my two old PowerPC PowerBooks) still on OS X 10.4 Tiger. That means nearly one in four machines in the Mac installed base is still running 10.6, four and a half years after it was originally released, or an even older OS X version, representing literally millions of Mac users still on those middle-aged systems.
So, should Snow Leopard (et al.) holdouts be concerned about becoming hacker targets? Not necessarily. At least in the immediate sense, the good news is that OS X 10.6 is not vulnerable to the go-to-fail issue. The bad news is that by now there are probably many other security vulnerabilities in Snow Leopard that will be left unpatched in perpetuity, even though Apple is still selling OS X 10.6 on disc ($19.95 on the Apple Store). For example, Computerworld’s Gregg Keizer notes that Tuesday’s tranche of updates patched 21 vulnerabilities in Lion and 26 in Mountain Lion; since much of that code is shared with 10.6, there are plausibly 20 or more flaws now left unpatched in the orphaned Snow Leopard, and that number can only grow.
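Since the post refers to the bug only by its nickname, here is a constructed C model of the control-flow slip it is named after. This is added for this edit; it is not code from the post and not Apple’s SecureTransport source. The hash, the signature check and the status codes are toy stand-ins; only the shape of the bug is faithful: a duplicated `goto fail;` in the signature-verification routine jumps to the cleanup label past the final hash and verify steps while `err` still holds 0, so the function reports success for any signature.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the "goto fail" control-flow bug. This is NOT Apple's
 * SecureTransport code; the hash, the verify step and the status codes are
 * toy stand-ins. What is faithful is the shape of the bug: a duplicated
 * "goto fail;" that jumps to the cleanup label while err still holds 0.
 */

typedef int OSStatus;
enum { errNone = 0, errBadSignature = -1 };   /* hypothetical status codes */

/* Toy digest: a 31-multiplier rolling hash standing in for SHA-1 update/final. */
static OSStatus toy_hash_update(uint32_t *ctx, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *ctx = *ctx * 31u + data[i];
    return errNone;
}

static OSStatus toy_hash_final(const uint32_t *ctx, uint32_t *digest)
{
    *digest = *ctx;
    return errNone;
}

/* Toy "signature check": the signature is valid iff it equals the digest. */
static OSStatus toy_raw_verify(uint32_t digest, uint32_t signature)
{
    return digest == signature ? errNone : errBadSignature;
}

/* Produces the one signature the correct code path accepts for these params. */
uint32_t toy_sign(const uint8_t *params, size_t len)
{
    uint32_t ctx = 0, digest = 0;
    toy_hash_update(&ctx, params, len);
    toy_hash_final(&ctx, &digest);
    return digest;
}

/* Vulnerable shape: the second goto is unconditional, so the final hash and the
 * verify call are skipped and err == 0 (success) is returned for ANY signature. */
OSStatus verify_key_exchange_vulnerable(const uint8_t *params, size_t len, uint32_t signature)
{
    OSStatus err;
    uint32_t ctx = 0, digest = 0;

    if ((err = toy_hash_update(&ctx, params, len)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: not inside the if, always executes */
    if ((err = toy_hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = toy_raw_verify(digest, signature);

fail:
    return err;
}

/* Fixed shape: one goto per check, with braces making the control flow explicit. */
OSStatus verify_key_exchange_fixed(const uint8_t *params, size_t len, uint32_t signature)
{
    OSStatus err;
    uint32_t ctx = 0, digest = 0;

    if ((err = toy_hash_update(&ctx, params, len)) != 0) {
        goto fail;
    }
    if ((err = toy_hash_final(&ctx, &digest)) != 0) {
        goto fail;
    }
    err = toy_raw_verify(digest, signature);

fail:
    return err;
}

int main(void)
{
    /* Constructed sample input standing in for the signed ServerKeyExchange params. */
    const uint8_t params[] = "constructed ServerKeyExchange params";
    size_t len = sizeof(params) - 1;
    uint32_t forged = 0xDEADBEEFu;   /* attacker-chosen garbage signature */

    printf("vulnerable, forged sig: %d (0 means accepted)\n",
           verify_key_exchange_vulnerable(params, len, forged));
    printf("fixed, forged sig:      %d\n",
           verify_key_exchange_fixed(params, len, forged));
    printf("fixed, genuine sig:     %d\n",
           verify_key_exchange_fixed(params, len, toy_sign(params, len)));
    return 0;
}
```

Build it with `cc -Wall -Wextra goto_fail.c` and note what the compiler says: clang’s `-Wunreachable-code` flags the dead final/verify lines after the second `goto`, and gcc’s `-Wmisleading-indentation` (part of `-Wall` since GCC 6) flags the second `goto` itself. Either warning, or a unit test that feeds the verifier a bad signature and expects a failure, is the kind of check that catches this class of slip before it ships.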
If that’s a concern, you can upgrade to 10.9 Mavericks from OS X 10.6, 10.7, or 10.8 for free, but with a major caveat that Macs built earlier than 2008, of which there are still plenty in service, are not supported by the current system.
Snow Leopard die-hards aren’t just lazy about upgrading or foot-dragging Luddites. Snow Leopard is a great-performing OS, and it’s the last OS X version that supports Rosetta, the translation layer that runs PowerPC-only software (including many Carbon applications) that was never ported to Intel-native code. I still have Snow Leopard on one of my late 2008 model MacBook’s HDD partitions. I mostly boot the MacBook from OS X 10.8 Mountain Lion these days, and my new MacBook Air has Mavericks, but I still prefer Snow Leopard in many respects. It’s not as iOSsified as subsequent OS X versions, and there are several Carbon apps I don’t want to lose access to.
For that matter, I still have two nearly 14-year-old Pismo PowerBooks in daily utility service running OS X 10.4, the last Mac OS version that supports them. They’re not lightning fast, being maxed out with 550 MHz G4 CPU upgrades, 1 GB of RAM, and their non-upgradable ATI RAGE 128 Mobile GPUs with 8 MB of video RAM, but they’re surprisingly tractable for light-duty tasking and surfing using Floodgap’s excellent TenFourFox PowerPC port of Firefox. I rarely use the Safari build that goes with Tiger, which is probably as leaky as a basket security-wise, and even with TenFourFox I don’t use them for online banking or other security-critical tasking.
Back to OS X 10.6: Windows IT Pro’s Rod Trent chides Apple for cutting Snow Leopard loose after just four years, while Microsoft has supported Windows XP for 12 years, with the plug finally to be pulled on April 8, and Microsoft having given XP users ample lead notice. Trent notes that Apple, on the other hand, has quietly ended support for Snow Leopard with zero notice after delivering its last security patch for that system version in September 2013.
But does it really matter all that much? As noted, the go-to-fail bug never was an issue for Snow Leopard. Christopher Budd, a ten-year veteran of the Microsoft Security Response Center (MSRC) now employed by Trend Micro, is of a mind that Apple’s “good enough” response to OS security threats is adequate. In a BetaNews blog post, Budd observes that Apple is being held by its customers and the community to a lesser standard than Microsoft, Adobe or Oracle, and in his opinion Apple’s not hustling to make changes “increasingly doesn’t matter.” “When we look at Apple, as the saying goes, where’s the outrage?” Budd asks, noting that it is found only in the security research community, and that Apple has correctly calculated that it can do the bare minimum and its customers won’t penalize it, although IT pros read this as more evidence that Apple isn’t a reliable enterprise partner and are typically unenthusiastic about having Apple hardware in their data centers, even though Apple still sells a server OS and server configurations for its Mac Pro and Mac mini lines.
Budd cites an unnamed higher-education services coordinator who contends that Apple’s latest OS X software is “amateur” compared with previous offerings (a view shared by many Snow Leopard holdouts), noting that Apple is changing its desktop operating system to look and work like the mobile iOS. The go-to-fail episode also tends to reveal where Apple’s priorities lie these days: the iOS version of the bug was patched forthwith, while the OS X patches took another four days. However, whether we like it or not, mobile operating systems are the future, and Budd thinks the big security response processes that companies like Microsoft have are losing their relevance in lockstep with desktops and servers losing theirs, their continued but diminished existence filling a necessary but legacy function.
He also observes that Apple merits credit for decisions it’s made that keep the iOS ecosystem relatively free of malware and high risk apps, noting that Trend Micro has catalogued 1.4 million such apps on Android, with 1 million of those first detected in 2013 alone, adding for context that it took Microsoft Windows 15 years to reach the one million pieces of malware mark.
Veteran Mac commentator David Morgenstern of ZDNet’s The Apple Core notes that despite Apple’s four-day lag in patching the go-to-fail issue, Apple’s Mac platform and the iOS platform are still more secure than their Windows and Android counterparts and are heavily underrepresented in the malware department.
Morgenstern observes that in Kaspersky Lab’s 2013 security overview, the Mac is mentioned only once, and even in that lone instance it is for cross-platform malware, such as attacks through MS Word or Adobe PDF files, with no mention of a specific new Mac or iOS malware incident; the report is otherwise entirely about Windows and Android. Over the past several years, the two commercial security programs Morgenstern runs have yet to catch a piece of Mac-specific malware, while every day he has to deal with Windows malware that gets flagged in his Windows virtual machine and his Mail folder. And iOS is inherently more secure than even OS X because each application is restricted in the files and system resources it can access, a safeguard that is available in OS X as well beginning with version 10.7 (the App Sandbox), with the caveat that on the Mac it applies only to applications that opt in to it rather than to everything on the system.
However, the day has probably arrived when OS X 10.6 should no longer be considered adequate for tasks where security is critical, such as online banking. Happily, most folks still using Snow Leopard as their workhorse OS, for access to legacy Carbon applications or just because we like it better, will have, or at least have access to, a newer Mac running OS X 10.7, 10.8, or Mavericks, or a mobile device running iOS 6 or iOS 7, all of which have been security patched and updated. Best to use one of those machines when security matters.
No need for panic, but it’s best to exercise common-sense security mindfulness, and acknowledge the reality that it’s more and more an iOS-centric Apple world.