It's official—Apple has stopped releasing security updates for Macs with PowerPC G4 or G5 processors. Macs purchased as recently as 5 years ago are now left exposed to known security vulnerabilities.
Yesterday, Apple released Security Update 2011-005 to fix the DigiNotar issue (which I have covered extensively on this site). The update was only released for Mac OS X v10.6 "Snow Leopard" and Mac OS X v10.7 "Lion," both of which can only run on Intel-based Macs.
Until yesterday, Apple had been releasing security updates for Mac OS X v10.5 Leopard, the final version of the Mac operating system that is compatible with G4 and G5 processors. Prior to Apple's transition to the Intel architecture in 2006, all Macs had been based on the IBM/Motorola PowerPC G4 and G5 processors.
Apple began converting its entire line of Macs to Intel processors in January 2006 with the MacBook Pro (which replaced the PowerBook G4) and the iMac, followed by the Mac mini in February, the MacBook (which replaced the iBook) in May, the Mac Pro (which replaced the Power Macintosh G5) in August, and finally the Xserve in November 2006.
Those who purchased a pre-Intel Xserve in October 2006 have only owned them for 4 years and 11 months, and those who purchased a Power Macintosh G5 in July 2006 have only owned them for a little over 5 years. Most of these machines are still running perfectly fine, but Apple has completely cut them off from being able to receive critical security updates ever again.
This poses a problem for some businesses and consumers who were not expecting to have to spend thousands of dollars on new hardware this year; note that the Xserve and Power Macintosh G5 in particular were high-end hardware and the most expensive models. For businesses that purchased a large number of Macs prior to the Intel transition, for example schools with computer labs full of iMacs purchased at the beginning of the 2005 school year, the cost of replacing all of the 6-year-old computers at once may be particularly burdensome due to economic factors including budget cuts in education. If they cannot afford to buy that many new Macs this year, they may be forced to seek alternative solutions such as replacing their Macs with sub-$400 Windows PCs.
Apple has a history of only releasing security updates for the most recent and one previous major release of its Mac OS X operating system (in this case, Lion and Snow Leopard, respectively). Apple typically continues to release security updates for some of its software, in particular Safari and QuickTime, for the two-versions-old release of Mac OS X (in this case, Leopard). Consistent with this track record, Apple released Safari 5.0.6 (a security-only update for Leopard) this past July at the same time as it released Safari 5.1 as part of Lion and as a free upgrade for Snow Leopard. In August, Apple released QuickTime 7.7 for Leopard, which was also a security-only update. Apple also releases non-security iTunes updates for two-versions-old releases of Mac OS X for a period of time; iTunes 10.4.1 was released for Leopard in August.
It should be clearly understood that security updates for Safari and QuickTime are not sufficient to make Leopard safe and secure. Since Apple is not releasing updates for the operating system itself, whenever new vulnerabilities are discovered that affect the core of Leopard, Apple will do nothing to help protect Leopard users from these vulnerabilities. So far, Security Update 2011-005 has been the only core OS security patch that Leopard has missed, and since it only addresses the DigiNotar issue, Leopard users can manually protect themselves by deleting the DigiNotar Root CA from the Keychain Access application in Leopard. Future security updates, however, may not be as easy—or may not be possible—to implement manually. For example, given that Apple has historically treated Java security updates the same as Mac OS X updates (only patching Java for the current and one previous version of Mac OS X), don't expect Apple to ever release any more Java security updates for Leopard. As of last year, Java was exploited more often than Adobe Reader and Flash. Last October, a Mac variant of the Koobface malware was found in the wild that installed itself via a Java applet.
Speaking of Flash, users of Leopard on PowerPC-based Macs should be aware that Adobe stopped releasing Flash Player updates for PowerPC in February of this year, beginning with Flash Player 10.2. As of February, Adobe no longer releases security updates for Flash Player 10.1 or Flash Player 9.0, so PowerPC Mac users have been vulnerable to numerous Flash vulnerabilities that have been widely exploited in the wild.
For now, G4 and G5 users running Leopard can hold out on buying an Intel-based Mac for a bit longer if absolutely necessary, as long as they manually implement a few security tweaks. First, they should manually delete the DigiNotar Root CA from their systems. Second, they should disable Java in all browsers. Third, they should uninstall Flash Player (the uninstaller for Flash Player 10.1 is located on the hard drive at /Applications/Utilities/Adobe Flash Player Install Manager.app). If Flash is absolutely necessary for a few trusted sites, users can install the insecure final version of Flash Player 10.1 (.zip file containing a .dmg with Flash Player 10.1.102.64) and block Flash content by default using a browser add-on. Safari 5.0.6 users can block Flash content using the ClickToFlash extension. Flash-blocking add-ons for Firefox 3.6.22 (currently the newest official release that supports PowerPC Macs, although Mozilla says they'll only continue updating it for a short time) include Flashblock and the much more full-featured (but more difficult for novices to use) NoScript. After Mozilla stops releasing security updates for Firefox 3.6.x, you can switch to TenFourFox, an unofficial PowerPC version of Firefox based on more current releases, although it does not support Flash. Regardless of these temporary and limited workarounds, users of PowerPC-based Macs running Leopard would be wise to consider upgrading to newer hardware—Mac or otherwise—as soon as possible.
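The first of those tweaks, removing the DigiNotar root, is the one that is easy to get wrong silently: the post describes doing it in Keychain Access, but it is worth confirming from a terminal that no DigiNotar certificate remains in any keychain afterward. The following shell script is an added example written for this article; it is not code from the post. It uses Apple's `security` command-line tool (the `find-certificate` and `delete-certificate` subcommands exist on Leopard and later). The assumptions are: that `security find-certificate -a` prints each certificate's display name in a `"labl"<blob>="..."` attribute line, that the three keychain paths listed are where a root or user-installed CA would live, and that `security delete-certificate` is the command-line equivalent of the Keychain Access deletion the post recommends. The listing parser is plain POSIX `sed`/`grep`, so it can be exercised on the constructed sample listing included below even on a machine without `security`.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the DigiNotar Root CA
# is absent from a Mac's keychains, and optionally remove it with the CLI.
# Assumes the `security find-certificate -a` output format where each item
# carries a line such as:   "labl"<blob>="DigiNotar Root CA"

# Keychains a CA certificate could be sitting in (assumed standard paths).
SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
SYSTEM_KC=/Library/Keychains/System.keychain
LOGIN_KC="$HOME/Library/Keychains/login.keychain"

# Constructed sample of a `security find-certificate -a` listing, used when
# the script runs somewhere without the `security` tool (and by the tests).
SAMPLE_LISTING='keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="DigiNotar Root CA"
    "labl"<blob>="DigiNotar Root CA"
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="Example Trusted Root"
    "labl"<blob>="Example Trusted Root"'

# Read a find-certificate listing on stdin; print one display name per line.
cert_labels_from_listing() {
    sed -n 's/^[[:space:]]*"labl"<blob>="\(.*\)"[[:space:]]*$/\1/p'
}

# Read a listing on stdin; print how many labels mention DigiNotar
# (case-insensitive). Exit status 0 means at least one was found.
count_diginotar_labels() {
    n=$(cert_labels_from_listing | grep -ci 'diginotar' || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Live check: dump every certificate in the given keychains and count
# DigiNotar labels. Missing keychains are skipped quietly.
check_live_keychains() {
    for kc in "$SYSTEM_ROOTS" "$SYSTEM_KC" "$LOGIN_KC"; do
        [ -f "$kc" ] && security find-certificate -a "$kc" 2>/dev/null
    done | count_diginotar_labels
}

# Command-line equivalent (assumed) of deleting the cert in Keychain Access.
# Deleting from the system roots keychain needs administrator rights.
# Not run by default; invoke explicitly, then re-run check_live_keychains.
remove_diginotar_root() {
    sudo security delete-certificate -c "DigiNotar Root CA" "$SYSTEM_ROOTS"
}

if command -v security >/dev/null 2>&1; then
    found=$(check_live_keychains) || true
    if [ "$found" -gt 0 ]; then
        echo "DigiNotar certificates still present: $found (run remove_diginotar_root)"
    else
        echo "No DigiNotar certificate found in checked keychains"
    fi
else
    echo "security tool not found; parsing constructed sample listing instead:"
    printf '%s\n' "$SAMPLE_LISTING" | cert_labels_from_listing
fi
```

Run it once before and once after the Keychain Access deletion; the count should go from 1 (or more, if the cert was also imported into the login keychain) to 0. A count of 0 from the live check only says the cert is gone, not that Leopard is otherwise patched, which is the post's larger point.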
Another alternative, which many Mac users will find unsatisfactory, is to try using the latest release of Ubuntu Linux for PowerPC as an alternative to Leopard. Those who try Ubuntu for PPC will likely be disappointed by the limited PowerPC support from third-party Linux software developers.
Early adopters of Intel Macs may have cause for concern a couple of years down the road, but as long as they have upgraded to Snow Leopard they should be fine for now. Users of early Intel Macs should be aware that if Apple continues its tradition of releasing a new version of Mac OS X every two years and only releasing security updates for the current and one previous version of the OS, they too could be left in the cold around 2013. Snow Leopard was the last release of Mac OS X to support the original Core Duo and Core Solo processors. Intel iMacs and MacBook Pros shipped with a Core Duo processor prior to September 2006, and MacBooks shipped with a Core Duo until November 2006. Mac minis did not receive a Core 2 Duo processor until August 2007. (The Mac Pro and Xserve initially shipped with Xeon processors, which are Lion-compatible.) Assuming a summer 2013 release date for Mac OS X v10.8 (which is highly speculative and based solely on Apple's typical two-year release schedule), Mac minis sold in July 2007 could cease to get security updates just 6 years after purchase.
Meanwhile, Microsoft will continue to offer security updates for Windows XP, the first version of which was released in 2001, until April 2014—12.5 years after the operating system's initial release. At first glance, this makes Apple's dropping of support for 5-year-old computers look especially bad. However, Microsoft allowed PC manufacturers to sell Windows 7 PCs "downgraded" to Windows XP (that is, with Windows XP preinstalled) as recently as October 2010, so users who bought Windows XP computers then will only receive updates for their installed operating system for a total of 3.5 years. The major difference is that unlike Mac users, Windows XP users will have the option to reformat their systems and install a newer version of Windows after the April 2014 deadline; PowerPC Mac users have no similar option because their hardware is no longer supported, not just their operating system. For all consumer versions of Windows from at least XP onward, Microsoft has supported hardware much older than it would be reasonable to continue using; for example, Windows 7's minimum requirements include a 1 GHz processor and 1 GB of RAM, which includes Pentium III systems purchased 11 years ago (which would be excruciatingly slow running Windows 7). Basically, Microsoft lets its users figure out when enough is enough based on the speed and usability of their hardware, which is radically different from Apple's approach of terminating support for hardware that many users still find quite usable for their needs.
Although Apple's philosophy is to ensure only the best experience for users of its products, some might also see Apple's position as a conflict of interest; unlike Microsoft, Apple manufactures the hardware as well as the software, and ceasing to support hardware in a new OS release is a subtle way of forcing users to spend money on new hardware. Apple has high profit margins, with an estimated average net profit of $370 per Mac sold. There's a fine line between ensuring that customers have the best possible experience and artificially expiring hardware to drive hardware sales.
Apple should consider supporting Mac hardware for at least a few years longer than it has been in recent years. If Apple had chosen to support the last generation of G4/G5 Macs with Snow Leopard, and the first-generation Intel Core Solo/Duo Macs with Lion, it would have added an additional two years onto the life cycle of each hardware platform. For many Apple customers, having to throw away their hardware and spend $1,000 or more on a new computer every 5 or 6 years (or risk being exposed to security exploits) is not a very reasonable solution.
Incidentally, Apple only released iOS updates (including security updates) for approximately 2.5 years after the original iPhone and the iPhone 3G initially went on sale, meaning that those who bought an iPhone just prior to when the new model was released (or bought the old model at a discount after the new model was released) only received security updates for their device for about 1.5 years. In the United States, cell phone contracts typically last 2 years, which meant that late-buyers were potentially left vulnerable for several months until their carrier allowed them to buy a new phone at the regular price. Fortunately for iPhone 3GS users, Apple plans to release a (slightly feature-limited) version of the upcoming iOS 5 for the 2-year-old iPhone 3GS, which is still being sold alongside the iPhone 4. The successor to the iPhone 4 is widely expected to ship next month, and some have speculated that the iPhone 3GS will be replaced by the iPhone 4 as the lower-priced model, but only time will tell how much longer AT&T and international carriers continue to sell the 3GS. It will be interesting to see how much longer Apple continues to release iOS updates for the 3GS; it's possible that late-buyers will again be left in the cold less than 2 years after purchase. Thankfully, at $199 with a two-year contract, iPhones are much more affordable than Macs (unless, of course, you factor in the monthly voice and data service fees), so having to buy a new iPhone every 2 years may be less of a financial burden for some people than being forced to buy a new Mac.
For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.
the JoshMeister (Joshua Long) is a computer security researcher from Southern California. He has a Master of Information Technology degree concentrating in Internet Security, and he has also taken doctorate-level coursework studying Business Administration and Computer and Information Security.
For nearly two decades, Josh has been reporting spam, phishing scams, malicious or infected sites, and undetected malware samples to help protect others online.
To contact Josh, simply leave a comment on this site; all comments are moderated, so you can leave a private message this way. For confidentiality, you may encrypt your message with Josh's PGP key.