Message to IT: Yes, you should install Apple security updates

Opinion | Oct 04, 2023 | 5 mins
Apple, IT Management, Operating Systems

Over half the Macs in use today may not yet have installed the latest security software upgrades, warns a Qualys survey. You should take stock of your deployments.


While it’s not universally the case, many businesses actively using Macs for work may not be paying enough attention to ensuring those devices are secured, according to cloud security provider Qualys, which estimates that just over half of Macs remain unprotected by recent security patches.

Don’t be a victim-in-waiting

The data doesn’t just reflect business use of Macs but also underscores why Apple’s work in security matters so much. The company must know that a good chunk of its users aren’t installing security patches, and this really, really needs to change.

The data is revealing. Take two vulnerability-related patches, both shipped for Macs, iPhones, iPads, and other Apple products in July:

  • CVE-2023-38606: Qualys estimates this has been patched by 36.92% of devices, leaving around 63% unpatched.
  • CVE-2023-37450: It is patched by 52.58% of devices, leaving around half still exposed.

The first thing, then, if you are reading this: take a quick break and check to ensure all your Macs, your company’s Macs and your friends’ and parents’ Macs have been updated with the latest security protections.

As the data suggests, there’s an uncomfortable probability they may not have done so yet — and some of the attacks out there are extraordinarily dangerous.

I shared a few words with Eran Livne, Sr. Director of Product Management at Qualys, to gather a little background on these claims.

Why are these devices not being patched?

“Traditionally, compared to Windows end user devices, Macs were not allowed in many customer environments. For the ones that did allow these devices, Macs were considered safe(r). Consequently, IT and Security Operations (SecOps) teams invested less in Mac compared to Windows. As such, it was not a surprise that Mac was considered by many security and IT vendors not to be ‘top priority.’ This limited the number of Mac solutions and the quality of those solutions too. 

“In recent years, the landscape has changed, and most organizations now do allow Macs in their environment — and more and more vulnerabilities are being discovered related to Macs. Since Mac devices were considered end user devices and there was limited support from IT/SecOps teams for Mac, the workflows and vulnerability management for Mac devices are not as advanced as other parts of the business. Patching on Mac was viewed as an end user responsibility, which limited its effectiveness.”

As every Appleholic reader knows, the enterprise landscape is changing very fast. Needless to say, Qualys does offer its own patch solution for Macs.

So, what should Mac users do?

The most obvious step any Mac user should take is to upgrade their systems.

Livne stressed that Mac users should always make sure that auto-update is enabled and should install macOS updates as they appear. Mac users should also make certain they keep all their apps updated, as apps can be routes for vulnerability and attack, too. This is also why you should only ever download apps from legitimate App Stores.
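One way to verify the auto-update advice above on a Mac, as an added example that is not part of the original article. It assumes the settings are stored in the system `com.apple.SoftwareUpdate` preference domain under the key names listed in the script; MDM-managed fleets may enforce them elsewhere. `sample_prefs` holds constructed data so the script also runs away from a Mac.

```shell
#!/bin/sh
# Added example (not from the article): audit macOS automatic-update settings.
# Assumption: the settings live in the system SoftwareUpdate preference domain.
SU_DOMAIN="/Library/Preferences/com.apple.SoftwareUpdate"
SU_KEYS="AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates CriticalUpdateInstall ConfigDataInstall"

# Emit one "key=value" line per setting; a key that was never written is "unset".
collect_prefs() {
    for key in $SU_KEYS; do
        value=$(defaults read "$SU_DOMAIN" "$key" 2>/dev/null) || value="unset"
        printf '%s=%s\n' "$key" "$value"
    done
}

# Read "key=value" lines on stdin and print every key not explicitly enabled.
# "unset" is reported too, so an admin reviews it rather than assuming a default.
find_disabled() {
    while IFS='=' read -r key value; do
        case "$value" in
            1|true|TRUE|YES) ;;
            *) printf '%s\n' "$key" ;;
        esac
    done
}

# Constructed sample of collect_prefs output, for running away from a Mac.
sample_prefs() {
    printf '%s\n' \
        "AutomaticCheckEnabled=1" \
        "AutomaticDownload=1" \
        "AutomaticallyInstallMacOSUpdates=0" \
        "CriticalUpdateInstall=unset" \
        "ConfigDataInstall=1"
}

if [ "$(uname -s)" = "Darwin" ]; then
    findings=$(collect_prefs | find_disabled)
    softwareupdate --list 2>&1 || true   # pending updates, as Apple reports them
else
    findings=$(sample_prefs | find_disabled)
fi

if [ -n "$findings" ]; then
    echo "Automatic update settings to review:"
    echo "$findings"
else
    echo "All automatic update settings are enabled."
fi
```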

For enterprises, the advice is similar.

Those businesses who like to verify updates before permitting installation across their fleets should expedite that process, particularly as Qualys suggests that over 95% of the time, installation of a security patch will generate no problems at all.

Alternatively, a staggered approach in which updates are installed across a test group of company devices first and then subsequently distributed more widely if no problems are encountered may be appropriate.

Business users should also choose Mac management tools that integrate with existing workflows. The idea here is to empower your tech support crews to prioritize Mac software patches. (That applies to both the traditional IT/SecOps teams that emerged in Windows and the more unified device management approach of Mac MDM.)

This may seem like obvious stuff, but it is also possible that the sluggardliness in installing Mac software upgrades reflects two things:

  • Institutional prejudice from some Windows-based tech support crews, who against all the evidence continue to deny the Mac as a true peer on their fleets
  • The well-deserved but sometimes dangerous idea that Macs are more secure

While the latter is correct, being more secure is not the same as being completely secure, and with dozens of vulnerabilities identified in macOS each month, refusal to install software patches on the grounds of either preconception does Mac users and businesses using Macs no good at all.

Apple’s hard-working security teams are not publishing these security and software patches for fun — they are designed to protect everyone. And as Apple enterprise deployment continues to experience rapid growth, it is becoming increasingly important that those devices are adequately secured.

How to check for updates

Apple publishes and regularly updates a list of software patches released across its systems on its website. In September the company released security updates for macOS Monterey, macOS Ventura, macOS Sonoma, and macOS Big Sur, operating systems shipped since 2020. In general, older versions of Apple’s operating systems are not supported, which is usually tolerable, given that even Sonoma supports Macs going back to 2018.

However, if you are using an older Mac that is running an operating system that is no longer receiving software updates, then you are placing your data at risk. If you run your business on these systems, you are risking your business. And, in all cases, you also become a viable target for sophisticated attackers hoping to use your weak security as a stepping stone to penetrate the security of friends, family, and business partners.

But the big takeaway from the latest Qualys data is that there remains a hard core of Mac users/admins who aren’t yet taking security as seriously as they should. We have to hope they, or their business, won’t eventually learn of their error the hard way.

Now update your systems.
