

Apple clarifies security update policy: Only the latest OSes are fully patched




The default wallpaper for macOS 11 Big Sur.


Earlier this week, Apple released a document clarifying its terminology and policies regarding software upgrades and updates. Much of the information in the document isn’t new, but the company has provided a clarification about its update policy that it hadn’t made explicit before: despite providing security updates for multiple versions of macOS and iOS at any given time, Apple says only devices running the most recent major versions of the operating system should expect to be fully protected.

Throughout the document, Apple uses “upgrade” to refer to major operating system releases that may add significant new features and user interface changes, and “update” to refer to smaller but more frequent releases that primarily fix bugs and resolve security issues (although these may occasionally allow for minor feature additions or enhancements). So going from iOS 15 to iOS 16 or macOS 12 to macOS 13 is an upgrade. Going from iOS 16.0 to 16.1 or from macOS 12.5 to 12.6 or 12.6.1 is an update.

“Due to architecture dependency and system changes in any current version of macOS (e.g., macOS 13),” the document states, “not all known security issues are fixed in previous releases (for example, macOS 12).”

In other words, while Apple will provide security-related updates for older versions of its operating systems, only the most recent upgrade will receive updates for every security issue that Apple is aware of. Apple currently provides security updates for macOS 11 Big Sur and macOS 12 Monterey alongside the new macOS Ventura, and in the past it has released security updates for older versions of iOS for devices that cannot install the latest updates.

This confirms something that independent security researchers have been aware of for some time, but that Apple had not stated publicly until now. Intego’s Chief Security Analyst, Joshua Long, has tracked CVEs patched by various macOS and iOS updates for years and has generally found that bugs fixed in the latest versions of the OS can go months before being patched in older (but still ostensibly “supported”) versions, when they’re patched at all.

This is relevant for Mac users because Apple drops support for older Mac and iDevice models in most upgrades, a process that has accelerated somewhat for older Intel Macs in recent years (most Macs receive another six or seven years of upgrades, plus another two years of updates). This means that every year there is a new batch of devices that still receive some security updates but not all of them. Software like OpenCore Legacy Patcher can be used to get the latest versions of the operating system running on older hardware, but it’s not always a straightforward process and it has its own limitations and caveats.

That said, it probably shouldn’t drastically change your math for when to upgrade or stop using an older Mac. Most people running an up-to-date Big Sur or Monterey installation with an up-to-date Safari browser should be safe from most priority threats, especially if they also update the other apps on their Mac. And Apple’s documentation doesn’t change anything about how it updates old software; it only confirms something that had already been observed.

We’ve asked Apple to be more upfront about its security communication, and this is a step forward in that regard. But if you think you’re specifically targeted by attackers, you have another reason to make sure your software (and hardware) is fully updated and upgraded.