If Windows XP is the dinosaur in the room, then OS X Snow Leopard — despite being named after a predator — is more like a sitting duck. The four and a half year old operating system lives on 20% of the world's Macs, yet it no longer receives security updates from Cupertino. How long will it be before criminals sniff out this target and start directing their attention to over-confident Mac users?
The overconfidence stems from the popular belief that Macs aren't vulnerable to security threats. Yet, while Mac has been targeted far less than Windows, threats do exist, and attackers have been getting increasingly aggressive in going after OS X. Apple has responded with some updates and security features designed to reduce the attack surface, and some patches for serious vulnerabilities, but of course these only apply to supported versions of OS X. Snow Leopard, for example, did not receive the recent patch for the now widely-known "gotofail" bug. As additional vulnerabilities are discovered and more developer signing certificates are stolen, Snow Leopard will become more and more susceptible to malicious activity.
For IT professionals, especially those in schools and other organizations with very limited IT budgets, this is cause for concern. In the short term, what do you do with older Macs running Snow Leopard? Upgrade, replace, or install AV software and hope for the best? (Hint: Even working for a vendor of Mac AV software, I don't recommend the latter. You want a patched system plus antivirus, not one or the other.) In the longer term, is it worth investing in computers without confidence that they'll receive security updates through their entire life cycle?
This also creates a dilemma for Tim Cook and company. To date, Apple has responded reactively to security incidents, even while positioning its products as the more secure choice. If 20% of Mac users start experiencing security incidents, the shine will come off the Apple pretty quickly. On the other hand, continuing to maintain several OS releases is expensive and distracting for a software company. Plus, too much focus on reactively patching old systems will send a clear message that security really is a problem for Macs, and that's something the company doesn't want. The best option may be to create incentives and marketing campaigns designed to drive Snow Leopard users to upgrade to a more recent OS version. Unlike Microsoft, though, Apple would be wise to avoid using security as the selling point for the upgrade if it wants to maintain its image of being a safer OS.Maxim Weinstein, CISSP, is a technologist and educator with a passion for information security. He works in product marketing at Sophos, where he specializes in server protection solutions. He is also a board member and former executive director of StopBadware. Maxim lives ... View Full Bio