Half of All Macs Will Lack Access to Security Updates by Summer
Unless Apple changes its security update practice, nearly half of all Mac users will be adrift without patches sometime this summer.
Apple will launch OS X 10.8, aka Mountain Lion, in the next few months, and then will -- baring a change in a decade-old habit -- stop serving patches to OS X 10.6, or Snow Leopard.
Although Apple has never spelled out its support policy for older operating systems, it has always dropped an edition around the time it has two newer versions in play. If the current OS X is dubbed "n," then "n-2" support ends at the debut of "n."
In other words, patches are provided only to the newest OS X and the one immediately preceding it.
The company has practiced this since OS X's birth: The second iteration, 10.1 -- dubbed Puma -- received its final security update in January 2004, three months after the appearance of OS X 10.4, or Panther.
More recently, Apple snuffed out support for OS X 10.5, aka Leopard, when 10.7, or Lion, shipped. The former got its last security update in June 2011, a month before the latter was released.
If Apple continues this policy, Snow Leopard users will stop seeing patches about the time Mountain Lion ships. Apple has not set a hard date for OS X 10.8's debut, although it has pegged "late summer."
But Snow Leopard currently accounts for 41.5% of all versions of OS X, according to Web metrics company Net Applications' latest statistics. Assuming Snow Leopard's share continues to drop at the average pace of the last six months, it will still power 34.4% of all Macs in August or 32.6% in September.
With earlier editions included, that means 48.4% of all Macs will be without security updates if Apple stops serving Snow Leopard in August. If it continues patching until September, the number sans fixes drops to 45.9%.
Some security professionals see those numbers as too high, and Apple's support lifespan too short.
"[OS X] 10.6 released in August 2009, which means that any Mac purchased prior to that date and not subsequently upgraded will be running a version which receives no security support [Emphasis in origin]," Robin Stevens, part of the University of Oxford's network security team, said in a blog post last month.
"[Apple has] been complacent in terms of their attitude to security and support, especially when compared to their chief competitor [Microsoft]," Stevens added. "By comparison, Apple appear to be making minimal effort, and are putting their customers at risk as a result."
Stevens wanted Apple to commit to a support lifetime of at least five years.
Other experts don't see Apple's support practice as the biggest problem, but instead tagged the company's notorious silence.
OS X's average support lifetime measures 35 months, but if the short-lived Cheetah is dropped from the mix, the number climbs to 41 months.
"The average seems to be about three years," said Andrew Storms, director of security operations for nCircle Security, talking about the length of time Apple provides security updates for a given edition of OS X. "That's not bad if you compare it to hardware amortization. But really, the bigger issue is that no one really knows. Apple doesn't communicate how long it will support a version or a roadmap for future releases."
John Pescatore, a Gartner analyst, agreed, citing Apple's lack of a roadmap as the biggest sticking point for companies that increasingly must manage Macs alongside Windows PCs. "That's not enterprise friendly," he said.
Apple's opacity stands in contrast to Microsoft, which has long clearly laid out its support lifecycle, and regularly reminds users when an edition of Windows or Office is nearing its end.
"When they decide to release a new OS X, if you're behind two [versions], you're DOA or SOL, take your pick," said Storms. "But we never see those blogs from Apple that we do from Microsoft reminding that you need to upgrade [to keep receiving security updates]."
Pescatore didn't have a problem with Apple's support lifecycle, calling it "in the middle" between Microsoft's 10-year policy for Windows and the constantly-updating cloud services like Google Apps or Microsoft's Office 365.
More to the point, Apple's shorter support stretch is how things are quickly leaning, said Pescatore, ticking off the typical two-year turnover of smartphones and businesses taking to the cloud because of continuous updates.
Customers, including IT managers, better get used to it.
"In the real world, IT is going to have less and less control over the OS," said Pescatore. "IT really doesn't want to operate that way -- they'll try to fight it -- but they're going to have to learn how. Fighting the trend is going to be impossible."
Even though the recent Flashback malware campaign has demonstrated that unsupported Leopard Macs were infected at a rate almost double its market share, Pescatore said the move to shorter support lifespans will continue. And customers will adopt. If they can't, the market will provide solutions -- as it has before for Windows -- to keep Macs safer.
And most users can upgrade when Apple releases a new operating system, Pescatore and Stevens noted.
While Apple has yet to define the migration path for Snow Leopard users, it has dropped hints that they may be able to upgrade to Mountain Lion: Snow Leopard machines can be boosted to Mountain Lion's developers preview.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about mac os in Computerworld's Mac OS Topic Center.