Apple Clarifies Security Update Policy: Only the Latest OSes are Fully Patched
upstart writes:
New document confirms what security researchers have observed for a few years:
Earlier this week, Apple released a document clarifying its terminology and policies around software upgrades and updates. Most of the information in the document isn't new, but the company did provide one clarification about its update policy that it hadn't made explicit before: Despite providing security updates for multiple versions of macOS and iOS at any given time, Apple says that only devices running the most recent major operating system versions should expect to be fully protected.
Throughout the document, Apple uses "upgrade" to refer to major OS releases that can add big new features and user interface changes and "update" to refer to smaller but more frequently released patches that mostly fix bugs and address security problems (though these can occasionally enable minor feature additions or improvements as well). So updating from iOS 15 to iOS 16 or macOS 12 to macOS 13 is an upgrade. Updating from iOS 16.0 to 16.1 or macOS 12.5 to 12.6 or 12.6.1 is an update.
"Because of dependency on architecture and system changes to any current version of macOS (for example, macOS 13)," the document reads, "not all known security issues are addressed in previous versions (for example, macOS 12)."
[...] This confirms something that independent security researchers have been aware of for a while but that Apple hasn't publicly articulated before. Intego Chief Security Analyst Joshua Long has tracked the CVEs patched by different macOS and iOS updates for years and generally found that bugs patched in the newest OS versions can go months before being patched in older (but still ostensibly "supported") versions, when they're patched at all.