Apple canceling security updates for PowerPC Macs

With Apple's latest update, it appears the company has stopped issuing security updates for OS X 10.5, which means that PowerPC-based Macs will be left more vulnerable.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

Last week Apple released a security update to address the DigiNotar root certificate vulnerability, but in doing so revealed that the company may no longer support PowerPC-based Macs, at least when it comes to security updates. Unlike previous security updates that have supported Leopard and even Tiger, Apple's latest update requires OS X 10.6 or OS X 10.7, and this means that users running OS X 10.5 will not be able to update their systems.

If you have an early Intel-based Mac that is running Tiger or Leopard, then the only way to ensure you can update it is to upgrade your system at least to Snow Leopard. This requirement for having at least Snow Leopard means that any Mac user running a PowerPC system, be it a G4 or a G5, will not be able to run the latest security update. Apple stopped supplying OS updates for PowerPC-based systems with the OS X 10.5.8 update, but this is the first time that Apple has left them out of a security fix.

Keychain Access
With the latest Security Update, OS X 10.5 users can open these root certificates in Keychain Access and set the system to never trust them (see below).

While the fixes in the latest security update can easily be applied by manually disabling the DigiNotar root certificates in Apple's Keychain Access utility (see below), the change also means that future security updates may not be offered for these systems.

Without an official security update, addressing security vulnerabilities that are found may be a bit of a challenge, if possible at all. Most of the time security problems lie in the programming of specific services on the system, so unless you can manually alter a setting or two to perform the same actions as the security update, then the only option is to limit the use of the affected services on your system.

This means that if a problem is found in the future for a system service such as File Sharing, then the only way for older systems to avoid the problem is to disable the service. While this is the only true way to avoid the issue, it is also a bit limiting and in many cases may not be necessary. For instance, a home system on a private network would likely not be affected by a vulnerability in a local file sharing service, but a system on a large public network may be at greater risk.

While it is difficult to say that security updates are not necessary, in many situations they address proof-of-principle vulnerabilities rather than ones that are actively being used to break into systems. As a result, in addition to considering how exposed your system might be to a vulnerability, chances are that you will be OK as long as you access files and Web sites that you trust.

Nevertheless, if you are concerned about your older system and wish to keep it as safe as possible, here are some recommendations for using it:

  1. Run Safari in Private Browsing mode
    Apple's Safari Web browser supports a Private Browsing option that will not save any user data, be it cookies or cached information, that can be retrieved from the browser. This may be inconvenient in some situations, but is one way to ensure your browsing remains more secure. This can be enabled in the "Safari" application menu when the browser is open.

  2. Disable content management add-ons unless absolutely needed
    Browsers in OS X make use of Java and browser plug-ins to expand the user experience, but these may also leave the system open to vulnerabilities in either Java or the various plug-ins, especially if the plug-ins are allowed to run automatically. If manufacturers have not supplied recent updates to their plug-ins, disable them by removing them from your system.

  3. Install ClickToFlash, NoScript, FlashBlock or another plug-in and script manager
    In the case of Java and Flash Player, many Web sites use them, so if you need them on your system then install a plug-in management tool like the ClickToFlash Safari extension (FlashBlock for Firefox), and other security tools like NoScript for Firefox. These will allow you to block all scripts except on the sites that you explicitly trust, which will greatly reduce the possibility of having a vulnerability taken advantage of.

Keychain Access Certificate Trust
With the certificate opened, expand the "Trust" section and set all these menus to the option for never trusting the certificate.

  4. Implement manual fixes, if possible
    In some cases, by looking up the various fixes being implemented in a Security Update from Apple, you might be able to implement the fixes yourself. With the latest security update, Apple removes trust in the DigiNotar certificates, and this can be done manually by setting the system to never trust these certificates. To do this, first open the Keychain Access utility and select the "System Roots" keychain. Then scroll down until you see the DigiNotar certificates. Double-click each one to get information on it, and in the new window expand the "Trust" section. Here, set the first menu option to "Never Trust" instead of "Use System Defaults," and optionally do the same for the other menus. When done, close the window and quit Keychain Access.

    Unfortunately future security fixes may not be as simple and straightforward as this, so to help tighten security on your older systems, consider disabling sharing services, installing browser plug-in and script management tools mentioned above, and disabling the automatic opening of "Safe Files" in Safari's preferences.
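A command-line check to go with the manual fix above (an added example, not part of the original article): it lists, per keychain, every certificate whose label contains "DigiNotar", so you know which entries need the "Never Trust" setting. It parses the text dump printed by OS X's `security find-certificate -a`; the sample dump and its certificate labels are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article). Function names are this example's own.

# Constructed sample of the `security find-certificate -a` text dump, trimmed
# to the fields used below. Labels are made up for illustration.
sample_dump() {
cat <<'EOF'
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="DigiNotar Example Root (constructed)"
    "labl"<blob>="DigiNotar Example Root (constructed)"
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="Other Example Root (constructed)"
keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="DIGINOTAR Example Intermediate (constructed)"
EOF
}

# Print "keychain<TAB>label" for every certificate whose label contains $1
# (case-insensitive). Reads the dump on stdin.
find_labels() {
  awk -v pat="$1" '
    BEGIN { pat = tolower(pat) }
    /^keychain: / {                       # start of a record: remember its keychain
      kc = $0; sub(/^keychain: "/, "", kc); sub(/"$/, "", kc); next
    }
    /^ *"labl"<blob>=/ {                  # the label attribute shown in Keychain Access
      label = $0
      sub(/^ *"labl"<blob>=(0x[0-9A-Fa-f]+ +)?"/, "", label); sub(/"$/, "", label)
      if (index(tolower(label), pat)) print kc "\t" label
    }'
}

# On a Mac, audit the real keychains; elsewhere, run on the constructed sample.
if command -v security >/dev/null 2>&1; then
  security find-certificate -a \
    /System/Library/Keychains/SystemRootCertificates.keychain \
    /Library/Keychains/System.keychain | find_labels DigiNotar
else
  sample_dump | find_labels DigiNotar
fi
```

Any line it prints names a certificate to open in Keychain Access and set to "Never Trust"; no output means no matching label was found in the keychains checked.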
