hoakley April 27, 2024 Macs, Technology

How to make older macOS as secure as possible

There can be very good reasons for your Mac not running macOS 14. These include incompatibility with key software, particularly that for music and audio, or Sonoma may not be supported on your Mac. At the same time, you want your Mac to be as secure as possible. This article tackles a question that I’m often asked: how can I safely run an older version of macOS on my Mac? My answer comes in two parts: how to give macOS as good protection as possible in a process of Sonomatisation, and how to minimise the risks you take.

What does Sonoma bring?

Differences in security protection depend on which version of macOS your Mac is running. Mojave and earlier have a completely different architecture that exposes the system in a single, common startup volume. That improved considerably in Catalina, and further in Big Sur. Since then, the System volume has been a read-only snapshot with a tree of hashes to check its integrity. Provided that your Mac is running Big Sur or later, it gets the benefits of that new architecture, and there’s nothing to be done with earlier macOS than can compensate for it.

Checking executable code before it’s run is another feature that has undergone great change over the last few years. Provided it doesn’t have a quarantine flag set, Mojave performs only limited checks, and will happily run almost all completely unsigned code, and apps whose signatures have become broken because their contents have been altered.

Code that does have a quarantine flag is better scrutinised, though. All versions of macOS since about Yosemite (10.10) have used malware recognition signatures in XProtect, and those are still updated across all those versions. That merits careful checking, as some older versions of macOS have sometimes stopped receiving those updates.

XProtect checks made when macOS is about to run executable code are ‘Classic’ XProtect, and part of the Gatekeeper protection system. In Sonoma this is much more aggressive, checks all code regardless of its quarantine status, and is far stricter when it comes to code signatures and changes made internally to apps. There’s no way you can change older macOS to the standards imposed by Sonoma, unfortunately.

macOS Catalina and later also have a new type of XProtect, its Remediator, a set of scanning modules that look for signs of malicious software known to Apple. Those scans aren’t normally run on demand, and their results aren’t shown in the GUI either. However, from Catalina onwards XProtect Remediator should scan your Mac for malware every 24 hours or so. As with XProtect, ensure that your Mac is kept up to date with its current version.

This assumes that your Mac runs macOS as intended by Apple, and you don’t disable any of its security mechanisms, such as System Integrity Protection (SIP). The effects of doing so are far wider than just stopping certain files from being modified, and can disable much of Gatekeeper’s defences. This becomes more complicated with OCLP, which allows your Mac to run a more resilient version of macOS, but may require that some of its security features are disabled. Striking the right balance here is technical, and isn’t easy.

macOS vulnerabilities

Both Apple and third-party security researchers devote a lot of effort to checking macOS for vulnerabilities that could be exploited by the malicious. Although most of those discovered aren’t known to be exploited, it can only be a matter of time before some are. Apple therefore releases security updates to address known vulnerabilities, but only for the current and last two previous major versions of macOS, at present that means Sonoma, Ventura and Monterey.

If you have to run an older version of macOS, you’re thus best off running a version for which Apple still issues security updates, and the more recent, the more likely Apple will fix its most important vulnerabilities. This currently runs as:

macOS 14 Sonoma gets full security patches,
macOS 13 Ventura gets less than Sonoma, but more than
macOS 12 Monterey, but at least that does get some patches, while
macOS 11 Big Sur and earlier get none at all.

This assumes that you ensure macOS is kept up to date with its latest security updates. If you don’t, then some of its vulnerabilities may already be exploited in malicious software. These security updates aren’t a bonus, but an essential, and there’s nothing you can do to compensate for their absence.

Safari updates

Accompanying these security and other macOS updates are updates to Safari. Because your browser is often the front line between your Mac and malicious software, ensuring Safari is kept up to date is every bit as essential as general security updates. These are bundled in the current version of macOS, but for the previous two versions are normally released separately alongside its macOS security update.

Unfortunately, that means that Macs running Big Sur haven’t had a Safari update for a long time, and the version they’re running is highly likely to have some serious vulnerabilities. Rather than using an old version of Safari, you may then be better off using the current version of a third-party browser, such as Firefox. That’s not an easy decision to make, but ensuring robust browser security is of great importance.

Malware protection

One of the most common questions I’m asked is whether the protection provided by macOS is sufficient, or third-party security software is required. At present, if you’re able to run the current release of Sonoma, keep it up to date, and only engage in low-risk activities, I consider that third-party security software is not required by the cautious user. That’s only my personal opinion, though, and I appreciate that others have different opinions.

However, with older versions of macOS or higher risks, you should consider whether your Mac wouldn’t benefit from additional protection. Provided that it’s developed by engineers who understand the Mac and work with rather than against macOS, it may well be a help. But it can never be a substitute for your careful behaviour: if you do choose to run a security product, that doesn’t mean you can click on any dodgy link, or drop your guard. Security software is an enhancement, not a substitute, for good security practices.

Software firewalls such as Little Snitch and LuLu can be effective in your defences, but also require your attention to ensure that they operate optimally, allowing necessary traffic to pass, and only blocking the malicious. In the wrong hands, they can cause all sorts of problems. Objective-See offers several other excellent products that can significantly reduce your Mac’s risks, and are worth assessing carefully.

Risk taking

If you’re going to run an older version of macOS on your Mac, you must be fully aware of all risks that you take. After all, it’s the human that is almost invariably the weakest part of any Mac’s security. Risk is determined by the threat landscape, and what you do with your Mac.

At the moment, you’re most likely to come into contact with malicious software and other threats if you engage in any of the following:

downloading ‘warez’ and commercial software with licensing restrictions removed, typically in torrents,
trading in cryptocurrency,
visiting dubious sites associated with certain countries,
engaging in any form of illegal or marginal trading or activity,
journalism, research, criticism, or political activity involving certain governments.

The last of those exposes you to the risk of being targeted by what Apple terms “mercenary spyware” produced by well-funded groups like NSO, who produce some of the most deeply invasive attacks. The others are all well-known vectors for more regular malicious software. Defending against those requires the full resources of the latest version of Sonoma, if you really have to engage in that activity, and requires specialist advice and security enhancements.

For the great majority of us who don’t take those risks, the most real threats are phishing attacks and similar scams via email or messaging services including Messages, and the occasional unintended visit to an unexpected website. If you’re going to survive those, then your personal defences are most important, and must be maintained.

With care and thought, running an older version of macOS need not put you at significantly greater risk. As the old adage goes: be good, and if you can’t be good all the time, at least be very careful.

Summary

Big Sur and later have a more resilient system architecture.
Keep XProtect up to date.
If possible, run Catalina or later to benefit from XProtect Remediator, and ensure it’s kept up to date.
Don’t disable any of the security protection in macOS. If you’re using OCLP, striking the right balance is complicated.
Prefer the most recent version of macOS your Mac can run, and ensure it’s kept up to date with security updates.
Ensure Safari is also kept up to date; if your Mac can’t run a current version, consider using a different browser that can be kept updated.
Consider third-party security products as an enhancement, not a substitute for good security practices.
Don’t run the risk of downloading ‘warez’, trading in crypto, visiting dubious sites, engaging in illegal activities, or becoming a target for mercenary spyware.
Never drop your guard.

16Comments

Add yours

1

Sab Gigo on April 27, 2024 at 2:30 pm
Reply

Thank you, Howard.
Maybe using Open Core Legacy Patcher to run a more recent version of macOS, perhaps the most current version available, would be a well considered option for many with an older Mac. I use it to run Sonoma on a 2014 Mac mini, with great success. The last supported version of macOS on my Mac mini is Monterey, so I feel very comfortable using the older Mac mini as a home server this way. It might require some sophistication for some users to set this up, but I find the documentation for OCLP to be excellent, and a user with some ability should be able to get it up and running, particularly on an external drive, so that their primary older macOS version remains intact. I would recommend any knowledgable user look into this elegant solution for updating their macOS on an older Mac.

LikeLiked by 1 person
- 2
  
  hoakley on April 27, 2024 at 3:52 pm
  Reply
  
  Thank you. This isn’t an easy decision, and it’s not one that I have taken. I note that you don’t reveal which of your Mac’s security systems you have had to disable to run OCLP, but that commonly includes the SSV and SIP, which have profound implications for defence against malware. I don’t think this is a decision that should taken lightly.
  Howard.
  
  LikeLiked by 1 person
3

macavenaghi on April 27, 2024 at 3:38 pm
Reply

Thank you!

I’ve been using Little Snitch since Catalina. Today, I run Sonoma+OCLP on my MBP11.2 with Apple Internal, Kext signing, and Filesystem Protection disabled on SIP and SSV disabled as well since Ventura.

Although I am always careful when browsing the internet and never use unlicensed software, back in Ventura I decided to install the payed version of Malwarebytes and also install Blockblock to help with the weakening in the native macOS security levels due to the need to run an unsealed macOS system with only part of SIP enabled.

It is not the ideal situation but, as you said “striking the right balance is complicated”.

LikeLiked by 2 people
- 4
  
  hoakley on April 27, 2024 at 3:53 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLiked by 2 people
5

sparse_array on April 27, 2024 at 5:25 pm
Reply

Some routers, like eero have malware scanning options (paid). I’m curious about the effectiveness of this type of solution.

LikeLiked by 1 person
- 6
  
  hoakley on April 27, 2024 at 7:15 pm
  Reply
  
  Hmm. If they don’t provide good technical information and frequent updates to the detection rules, then I wouldn’t rely on it for anything. Without good information, I’d treat it as a free bonus and maybe just a marketing gimmick.
  Howard.
  
  LikeLiked by 1 person
7

Aaron Shepard on April 28, 2024 at 6:16 pm
Reply

Unfortunately, up-to-date malware protection — third-party or Apple’s — may cause problems in itself because it is not adequately tested — or tested at all — on obsolete versions of MacOS.

LikeLiked by 1 person
- 8
  
  hoakley on April 28, 2024 at 9:26 pm
  Reply
  
  I’m not sure that I follow you with respect to Apple’s protection. XProtect’s Yara rules work just the same on any macOS from before Sierra to Sonoma. XProtect Remediator scans work the same on any Mac from Catalina to Sonoma. I’m not sure where the testing comes in – the malware is just the same, and that’s what they are trying to detect.
  Howard.
  
  LikeLiked by 1 person
  - 9
    
    Aaron Shepard on April 29, 2024 at 3:05 am
    Reply
    
    At one point, an automatic update to Apple’s virus definitions caused my 2010 Mac Pro with High Sierra to take an extra minute or two at each startup. That was when I decided I couldn’t trust Apple’s malware protection anymore and turned off the updates. They’re just not concerned about performance on such an old system — though that’s certainly understandable.
    
    LikeLiked by 1 person
    - 10
      
      hoakley on April 29, 2024 at 5:39 am
      
      I think you may be referring to MRT, which used to run at startup to check your Mac for malicious software. There have been some individual updates that have caused this type of problem, which has then been resolved in a subsequent update.
      As MRT is no longer updated or supported, as it has been replaced by XProtect Remediator, for Catalina and later, it now serves little purpose. But if you have also turned off other security data updates such as XProtect, you’re missing out on a great deal of protection now, as that’s actively maintained and provides important on-demand checks.
      Howard.
      
      LikeLiked by 1 person
11

lorenzo9000 on April 28, 2024 at 7:39 pm
Reply

Slightly beyond your topic but…. I use an ancient Mac Mini running 10.6 Snow Leopard mostly as a ersatz time capsule and just occasionally for old apps in PPC code. It is not used for anything on the web or email beyond Apples connections and updates to an antivirus program (the excellent ClamXav). How vulnerable would this sort or repurposed ageing technology be?

LikeLiked by 1 person
- 12
  
  hoakley on April 28, 2024 at 9:29 pm
  Reply
  
  Provided that you don’t start browsing websites using it, or opening phishing emails, it should be fine. I doubt very much whether anyone is still distributing PPC malware either! There does come a time when a Mac is sufficiently old to be essentially invulnerable because of age.
  Howard.
  
  LikeLiked by 2 people
13

MarkA on April 28, 2024 at 8:44 pm
Reply

Dear Howard,

Thank you for the article, I was one of the many that had asked about this.

There is one part that I am a bit confused about, regarding macOS and vulnerabilities. Let’s say that I am using Catalina, play it safe, use FireFox, don’t download ‘warez’, or the other risky activities you list (which I don’t), and keep XProtect Remediator up-to-date — where would I be likely to encounter a risk for having an older version of macOS that doesn’t get the newest OS security patches? Is it the stories that I read about iMessage messages that cause problems, could it be from connecting to a WiFi access point?

Is it really that risky to have Catalina connected to the Internet, using apps from the App Store (or known-good developers)?

LikeLiked by 1 person
- 14
  
  hoakley on April 28, 2024 at 9:54 pm
  Reply
  
  The main dangers aren’t the apps you choose to install and use, but the tricks used to install malware without your being aware of it. To be effective, most malware exploits vulnerabilities in macOS, for example to gain elevated privileges so it can access your private data. If you’re running an older version of macOS, then some of those won’t be fixed, allowing their exploitation, and there’s little you can do to prevent that.
  All sorts of tricks are used to get you to click on a link that downloads a small ‘dropper’ app that then downloads and installs the main malware. Genuine websites can get hijacked and hacked, in a few cases developers offering software have had their servers hacked, in others malware has been inserted into widely-used apps, and in many users get tempted to click on offers they can’t refuse, or tricked into visiting a malicious website they think is genuine. Just recently, very good fakes of Apple sites have been used in email and Messages that appeared to be from Apple.
  No one is immune, unless their Mac never connects to the Internet at all (and even then there are ways). All we can do is manage our risks, and most important is your level of suspicion and care. Sonoma is no substitute for that, just additional layers of your defence. Catalina doesn’t offer as many effective layers, so requires enhanced care on the user’s part.
  Howard.
  
  LikeLiked by 2 people
15

Alexandre Dieulot on May 3, 2024 at 7:47 pm
Reply

Great article as always, but I believe you are being too lax regarding web browsing.

I would strongly recommend a reputable content blocker (meaning uBlock Origin), ads are a known vector for malware even if you don’t visit shady sites, ad exchanges are a giant melting pot delivering third-party content, present on most web pages.

I would also cross unmatched Safari definitely, although its low usage share might help spare it I do not bet on that for my pseudo-retro computing. Its inferior content-blocking abilities also lessen confidence a bit.

LikeLiked by 1 person
- 16
  
  hoakley on May 3, 2024 at 8:32 pm
  Reply
  
  Thank you.
  While it’s easy to condemn older versions of Safari, it’s harder to come up with a good substitute! My current best guess is Firefox, but I know many who wouldn’t even consider it.
  Howard.
  
  LikeLike