Mavericks and Security

Apple’s Yosemite is expected to be released in mid- to late October, and with all the hype, is looking to be quite the upgrade from Mavericks. The weeks following the release of new software or operating systems is always a bit rocky, however. Even though new software is thoroughly tested, it is unlikely to find each and every bug or incompatibility can be found before the release. Regardless, a lot of Mac users are very eager to upgrade, but should we just yet?

Taking a look at the hiccups and timeline of the Mavericks release can provide a context of what could go wrong. This is by no means a predictor of what will go wrong, just a guideline of the risks with jumping on the bandwagon the second the software is released. The risks range from slight nuances to major security issues.

In the first weeks that Mavericks was released, one major issue caused a lot of headache for users; the new Mavericks and Western Digital (WD) external hard drives had some compatibility issues. The problem was very specific, occurred most often when the external hard drive was used with WD’s proprietary software, that is the back-up data software that was provided when the drive was purchased. The results, however, were countless drives whose data had been lost and corrupted. A month later, WD released software that addressed the issue, although a number drives were unfortunately permanently corrupted1.

The first major update for Mavericks was released in mid-December of 2013. This fixed a lot of little nuances from the “dot zero” release. The most anticipated being the fix for Gmail and iMail2, making the two work together more streamlined. With this release, some code was overlooked that created a significant security risk for users. A security check in server authenticity while connecting to the server was missing. This allowed a man-in-the-middle attack to happen. This means that information sent from the computer through the network is intercepted and viewable by an attacker, who is looking for sensitive information like bank accounts and passwords. The patch, found in the 10.9.2 update, was not released until February of 2014 3.

Man-in-the-middle vulnerabilities are very serious, and the patch addressing it, among other things, was released in February 2014. With it, a few security holes again. The most serious having been the logging of Apple credentials via iBooks, which wasn’t patched until 10.9.44.

This patch for Mavericks addressed small code inconsistencies (which essentially all patches do) and thankfully left no major bugs–except the credentials access through iBooks was still not addressed5.

This update did not see any major security bugs and finally fixed the credentials access through iBooks.

The supposed last non-security update for Mavericks was released on the 17th of September of this year, around the same time the Shellshock bug was gaining media attention (even though the shellshock vulnerability has been accessible for years). The Shellshock bug allows unauthorized users to remotely issue commands on the exposed computer. Although Apple was aware of the bug in mid September, the patch for specifically this vulnerability wasn’t released until two weeks later, which received a lot of criticism from security experts; even now only two components of Shellshock have been addressed5.

What does this mean for Yosemite? It would be wise to hold out a week or two before downloading the initial dot zero release. This same bugs as Mavericks won’t happen exactly, but because Apple can’t test for each and every thing before release, other variants are expected. It is worth noting, however, that Apple allowed a public beta of Yosemite, which will certainly minimize the amount of things that will come up. Regardless if you decide to wait or dive in right away, always make a back-up.