
Security Update 2015-001 (Mountain Lion and Mavericks)

For users of OS X 10.8 Mountain Lion and 10.9 Mavericks, Apple has released Security Update 2015-001 with a number of security fixes matching those in the OS X Yosemite 10.10.2 Update (see “Apple Releases OS X 10.10.2, iOS 8.1.3, and Apple TV 7.0.3,” 27 January 2015). These fixes address vulnerabilities in App Store logging, Bluetooth, command-line utilities, font handling, graphics drivers, PDF handling, Spotlight, and more. Unfortunately, the security update does not include a fix for the Thunderstrike attack, leaving Macs running older operating systems vulnerable (see “Thunderstrike Proof-of-Concept Attack Serious, but Limited,” 9 January 2015). However, the update does include Safari 6.2.3 for Mountain Lion and Safari 7.1.3 for Mavericks, both of which fix multiple memory corruption issues in WebKit that could allow a malicious Web site to execute code. Security Update 2015-001 is available via Software Update or via direct download from Apple’s Support Downloads Web site. (Free. For 10.8 Mountain Lion, 177.4 MB; for 10.9 Mavericks, 62.3 MB.)


Comments about Security Update 2015-001 (Mountain Lion and Mavericks)

James Reynolds 2015-01-28 15:31
As far as I can remember, Apple has always released security updates for 3 OS versions. Right now that's 10.10, 10.9, and 10.8. Before the yearly update cycle, that meant Apple released security updates for OSes that were 4-6 years old. With the yearly update cycle, the oldest OS that Apple releases security updates for right now is only 2.5 years old (10.8 was released in July 2012).

I have not heard anyone talk about this. Is this an issue for anyone besides me?
Adam Engst (TidBITS Staff) 2015-01-28 16:12
Apple's being consistent, as you note, and yes, that does mean that operating systems that are less old are now not seeing security updates. But realistically, years isn't really a good way of measuring operating system lifespan - no one should be using Lion (hardware permitting, of course) because Lion was lousy. Similarly, people shouldn't be using Leopard because Snow Leopard was so much better. I'd far rather see a security update for Snow Leopard than for Lion.
James Reynolds 2015-01-29 14:21
I agree about the OS versions.

10.6 is actually the version I'm upset is no longer under support. It was released at the end of August 2009. It is 5 years and 5 months old. If they were on a 2-year update cycle, the latest OS would be 10.8 and 10.6 would still be receiving OS updates.

Everyone made a big fuss when Microsoft quit supporting Windows XP. When Apple quit supporting 10.1 or 10.2 (I can't remember which), there was a lot of discussion about how long Apple should support old OSes, and 3 OSes seemed OK because it meant 6 years or so, which was reasonable to everyone I knew.

But the yearly update cycle has changed that and I'm surprised nobody is talking about this at all. It used to be that some institutions would wait a year before updating to the latest OS. But now an OS is only good for a year.

I'm trying to figure out why nobody is complaining, and maybe it's because the OSes are free. If we paid $130 for the OS, maybe we'd expect to get some mileage for our dollars. But by paying nothing we have no expectations? I'm sure Apple gave the OS away freely to encourage everyone to update sooner, but when you buy a computer, does that mean you're committed to upgrading the OS after 3 years to keep it secure?
Don't worry, you're not alone. This is absolutely an issue for me.

I'm on Mavericks myself and frankly I'm pissed Apple didn't feel it was necessary to issue the security update for Thunderstrike to anybody but Yosemite users.

From
https://trmm.net/Thunderstrike_FAQ#Is_Thunderstrike_fixed_in_10.10.2.3F

"All pre-Yosemite machines remain vulnerable to Thunderstrike unless Apple releases firmware updates for them as well."

So Apple, is this some sleazy way to force people into upgrading to Yosemite? If tactics like this are what's required to get people to update, that pretty much says it all about the quality and reliability of Yosemite.

How about some focus on stability and usability instead of just the whizz-bang fashion stuff, Tim?
Edward Wood 2015-02-03 19:59
I'm on Mavericks too and no way will I update to Yosemite until Apple kills ALL the bugs. I for one am sick and tired of half-assed annual updates.

I can't help but believe that at least some of Yosemite's bugs were found during the public beta, and ignored so that the release schedule could be met.

Apple's hardware may be the greatest, but the software quality has been going downhill since even before the annual updates started, and since Snow Leopard it has only gotten worse. Hardware may bring in the big profits, but if the software quality continues to go downhill, a lot of people are going to rethink their commitment to Apple hardware.
I hear you.

I think another Snow Leopard-style update for OS X would be quite appropriate. Focus on stability, reliability, and making the OS as lean as possible. There's more than enough features in there already. How about emphasizing usability and quality over adding the next whizz-bang feature nobody will remember ten years down the road?

What puzzles me is how Apple's QA/QC can let so many bugs make their way into the shipping release when at the same time Apple has all kinds of developer releases and public betas and there are probably more people playing with pre-release versions than ever before. Is the quality of their feedback so poor? Can Apple not manage the feedback coming from all these "testers"? Is getting a certain feature set out on day X more important than making sure the final release works well? Lately, this has started to feel an awful lot like putting quantity ahead of quality.