2016-03-14



While Apple’s OS X operating system is often praised for its security and the speed with which users adopt newer versions, it’s no stranger to security vulnerabilities, and users may not upgrade as hastily as you might think.

At Duo Labs, we’re always interested in how quickly users adopt software updates. That’s why we recently looked at our population of Mac users and the distribution of OS X versions. Here’s the synopsis of our research, as well as recommendations for securing the Macs that access your corporate data.

Our Findings

From a sample of 100k devices, we found that more than half (54%) of Macs in use today are running either an unsupported operating system (< 10.9) or are not fully patched (including versions 10.9.5, 10.10.5, or 10.11.3). Additionally, 66% of all Macs are not running the latest major version, 10.11. The most popular OS X version is 10.10.5, with 27% of our Mac user base. The latest, fully patched OS, 10.11.3, represents only 9% of the total.



Our data also showed that 21% of Macs are running an unpatched version of the latest OS. Those unpatched versions are vulnerable to at least 88 vulnerabilities that Apple has fixed since the initial release of OS X El Capitan.

We were also surprised to find that unsupported hardware isn’t keeping users from upgrading, since the OS X system requirements haven’t changed (much) since OS X 10.8 Mountain Lion, released more than three years ago on July 25, 2012. This means that more than 96% of unpatched Macs could upgrade to the latest version (10.11.3), but haven’t. Also, major OS X upgrades have been available as free upgrades from the Mac App Store since OS X Mavericks, released on October 22, 2013.

As OS X continues to gain market share, by virtue of the iOS “halo effect,” it becomes a bigger target for attackers. It wasn’t long ago that Mac users would confidently say they don’t need to worry about viruses, spyware or malware. But recently, we’ve seen evidence that this belief was unfounded, even if we suspected it was before. Major OS X security vulnerabilities have been uncovered over the last few years, including rootpipe, goto fail, and others with less catchy names.

Many Macs Still Vulnerable to Known Vulnerabilities

It’s now more important than ever for IT administrators to secure their Mac endpoints. It’s also important to educate users on the importance of software updates as BYOD adoption increases, since it only takes one vulnerable device to put your organization at risk of a potential compromise. Gaining endpoint visibility into the types of risky devices accessing your network can help you establish data-driven policies to secure your company. Prompting your users to update with notifications and blocking outdated users from accessing company apps is another way to protect against a data breach.
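As an illustration of that kind of data-driven policy, here is an added example (not Duo's code or data) that classifies reported OS X versions against the patch levels named in the findings above and makes an allow/block decision. The function names and the sample inventory are constructed for this example, and it assumes 10.9.5, 10.10.5 and 10.11.3 are the fully patched point releases.

```python
from collections import Counter

# Baseline as of this post, read from the findings above. Assumption: 10.9.5,
# 10.10.5 and 10.11.3 are the fully patched point releases of supported lines.
LATEST_PATCH = {(10, 9): 5, (10, 10): 5, (10, 11): 3}
OLDEST_SUPPORTED = (10, 9)
LATEST_MAJOR = (10, 11)

def parse_version(text):
    """Turn '10.10.5' into (10, 10, 5); a missing patch field counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError("unexpected version string: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(text):
    """Return 'unsupported', 'unpatched', 'patched' or 'unknown'."""
    try:
        major, minor, patch = parse_version(text)
    except ValueError:
        return "unknown"
    release = (major, minor)
    # Compare as integer tuples: as strings, '10.10' sorts before '10.9'.
    if release < OLDEST_SUPPORTED:
        return "unsupported"
    if release not in LATEST_PATCH:
        return "unknown"  # newer than this baseline; the table needs updating
    return "patched" if patch >= LATEST_PATCH[release] else "unpatched"

def allow_access(text):
    """Policy decision: anything not known to be fully patched is blocked."""
    return classify(text) == "patched"

def summarize(versions):
    """Percentage of devices per status, plus the share behind the latest major."""
    counts = Counter(classify(v) for v in versions)
    total = len(versions)
    report = {status: round(100.0 * n / total, 1) for status, n in counts.items()}
    behind = sum(1 for v in versions
                 if classify(v) != "unknown" and parse_version(v)[:2] < LATEST_MAJOR)
    report["not_latest_major"] = round(100.0 * behind / total, 1)
    return report

# Constructed inventory (not Duo's data): one reported version per device.
SAMPLE_INVENTORY = ["10.11.3", "10.10.5", "10.10.5", "10.9.5", "10.11.1",
                    "10.10.3", "10.8.5", "10.11", "10.7.5", "n/a"]

if __name__ == "__main__":
    print(summarize(SAMPLE_INVENTORY))
```

The baseline table goes stale with every Apple release, so a real deployment would refresh it rather than hard-code it.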

To make matters worse, there’s still a significant percentage of Macs in use that haven’t been patched for major vulnerabilities, some of which are being actively exploited in the wild, such as the DYLD_PRINT_TO_FILE vulnerability.



In addition to security patches, OS X El Capitan introduced important security features, such as System Integrity Protection (aka rootless), which prevents important system processes, files, and folders from being modified, even by the root user. This is important because it limits the damage that can be done to system files by malware, while the change is transparent to the vast majority of OS X users.

We hope that publishing this data will encourage organizations to start the conversation about OS X client security, both for corporate-owned devices and BYOD. Even the most Windows-centric companies often have their C-level executives accessing corporate data from shiny new MacBooks.

Practical Steps to Encourage Users to Upgrade Their Macs

Here are a few practical steps you can take to help your users upgrade their personal Macs. Of course, for corporate-owned devices, we recommend upgrading to the latest version as soon as possible.

If you can’t upgrade to the latest major version because a business-critical app doesn’t support it, at least make sure the Macs are running with the latest patches applied and are on a supported OS. A few other tips include:

Educate your users on the importance of applying security updates. Remember, it only takes one bad Apple to compromise your company security and put you at risk for a data breach.

Back up your computer! You should already be doing this, but it’s especially important before upgrading the software on your computer.

Take advantage of the “deferred updates” feature in newer OS X versions. When you get the notification to upgrade, click “Try tonight” or “Try in one hour” instead of skipping it entirely.

Offer tips on how to clear up disk space before an upgrade. There are Mac apps that will help with this. Just make sure you don’t delete the Library folder - hint, it’s not for books.

Learn more about the state of Apple security in Identifying Bad Apples: Getting to the Core of iOS Vulnerabilities.
