Apple published a document earlier this week that clarified its language and guidelines for software updates and upgrades. Although the majority of the information in the document isn’t new, Apple did make one update policy clarification that it hadn’t previously done: the company states that even though it releases security updates for multiple versions of macOS and iOS at once.
only devices running the most recent major operating system versions should anticipate being fully protected. Apple refers to major OS releases that can introduce significant new features and user interface changes as an “upgrade” throughout the text.
while smaller but more frequent fixes that are primarily delivered to correct bugs and handle security issues are referred to as “updates” throughout (though these can occasionally enable minor feature additions or improvements as well).
So an upgrade is going from iOS 15 to iOS 16 or from macOS 12 to macOS 13. An update is a move from iOS 16.0 to 16.1, macOS 12.5 to 12.6 or 12.6.1. According to the publication, “Not all known security problems are resolved in previous versions (for example, macOS 12), due to dependent on architecture and system modifications to any current version of macOS (for example, macOS 13).”
In other words, while older upgrades to Apple’s operating system will receive security-related updates, only the most current upgrades will get patches for any security issue Apple is aware of. Along with the recently launched macOS Ventura,
Apple now provides security updates for macOS 11 Big Sur and macOS 12 Monterey, and in the past, it has given security updates for earlier iOS versions for devices that can’t install the most recent patches. This supports a finding that independent security researchers have long suspected but that Apple has never made it public.
Joshua Long, the chief security analyst at Intego, has been tracking the CVEs fixed by various macOS and iOS updates for years. He has generally discovered that when bugs are fixed in the most recent OS versions, it can take months before they are fixed in older (but still ostensibly “supported” versions).
Because Apple discontinues support for older Mac and iDevice models in the majority of upgrades—a trend that has somewhat increased for older Intel Macs in recent years—this is important for Mac users (most Macs still receive six or seven years of upgrades, plus another two years of updates). This implies that a fresh batch of devices receives certain security upgrades each year but not all of them.
The most recent OS versions can be made to work on older hardware using software like the OpenCore Legacy Patcher, although doing so isn’t always easy and comes with its own set of restrictions and caveats. However, this generally won’t have a significant impact on how you decide whether to upgrade or cease using an older Mac.
Most users of current Big Sur or Monterey installations with current versions of Safari should be protected from the majority of high-priority attacks, especially if you also regularly update the other Mac software. Additionally, Apple’s documentation only verifies what has already been noticed and makes no changes to how it updates older software.
This is an improvement from when we encouraged Apple to be more forthright about their security communication. Make sure your software (and hardware) are fully updated and upgraded, nevertheless, if you think you’re being specifically targeted by attackers.