Friday 30 September 2022, 14:30 - 15:00 Red room
Joshua Long (Intego)
Apple's ostensible policy about Mac operating system updates is that security issues get patched for the current (n) and two previous (n-1 and n-2) major macOS releases. This can be convenient because, in theory, it means that Macs can stay on an older macOS version for a couple of years, for example if your organization's software isn't yet supported on the latest OS, or if the current OS isn't compatible with your older Apple hardware.
But is it really true that, by virtue of still getting security updates, older versions of macOS are just as safe as the latest version? Few are aware that Apple doesn't patch every security vulnerability present in the two previous macOS versions—and, surprisingly, that even goes for 'actively exploited' (in-the-wild) vulnerabilities.
And what about Apple's recent commitment to continuing to support the 'n-1' iOS and iPadOS versions 'for a period of time'? Is Apple keeping its promise?
In this presentation we'll examine how safe or unsafe it is to stay on older versions of macOS, iOS, and iPadOS, and whether or not organizations should upgrade quickly to each major new OS release. We will also consider potential vulnerability mitigation strategies, including unconventional approaches.
Joshua Long (@theJoshMeister) is the Chief Security Analyst at Intego. A renowned security researcher, writer, and public speaker, Josh has conducted cybersecurity research and battled cyber threats for more than 20 years. Josh has earned a master's degree in IT concentrating in Internet Security, and has taken doctorate-level coursework in information security. Apple has publicly acknowledged Josh for discovering an Apple ID password validation vulnerability. Josh's security research is often featured by major tech and mainstream news outlets worldwide.