
Apple gives Watch Series 3 users false sense of security, patching 1 vulnerability


This week, Apple released watchOS 8.8.1, a surprise security update for the Apple Watch Series 3. It is the first security update for the Series 3 in 11 months; the previous one was released in July 2022.

This is kind of a big deal, but not for the reason you might think. Sure, it’s great that Apple patched a vulnerability. But that’s just it—Apple patched one, single, solitary vulnerability. Apple has yet again set a precedent of giving users a false sense of security by releasing incomplete patches. Here’s the whole story—that Apple doesn’t want you to know.


What’s the back story with watchOS 8 and Apple Watch Series 3?

For reasons that Apple has never disclosed, the Apple Watch Series 3 is the only model stuck on watchOS 8; the Series 4 and later watches are all compatible with the latest watchOS 9 updates.

Apple’s decision to not support watchOS 9 on the Series 3 was mystifying.

The company continued to sell this watch model in the main section of its online store right up until five days before the release of watchOS 9.

Mind you, Apple had already quietly revealed at the June 2022 WWDC that the Series 3 would not be compatible with watchOS 9, yet it continued to feature the watch prominently in its online store for three more months.

Even after watchOS 9 was released and Apple removed Apple Watch Series 3 from the main section of its online store, Apple continued to sell refurbished units of the Series 3 for an additional eight months, until March 2023.

During this entire time that Apple continued selling the Series 3, Apple released precisely zero security updates for it—in spite of there being known “actively exploited” vulnerabilities impacting watchOS 8.

It’s truly a wonder that Apple has not been sued for its gross negligence. Apple knowingly left its customers vulnerable, and knowingly continued selling a device with in-the-wild exploited vulnerabilities.

Does the release of watchOS 8.8.1 mean Apple has repented?

So, now that Apple has finally released the first security update for watchOS 8 in nearly a year, does that mean that Apple has repented of its sins, and made things right for Series 3 watch owners?

Sadly, no.

What we actually got with watchOS 8.8.1 was a single patch, for a single vulnerability. Yes, it was an actively exploited vulnerability—and that’s a big deal, because it means it was confirmed to have been used in real-world attacks.

But it won’t be obvious to Apple Watch Series 3 users that all the other vulnerabilities that have remained unaddressed for the past 11 months are still there. They’ll see the watchOS 8.8.1 update, and notice that it says it’s a security update, and install it. And they won’t give it another thought.

They’ll continue to be blissfully unaware that their watches are still highly vulnerable. They won’t know that they still haven’t received patches for the two actively exploited vulnerabilities that Apple addressed only for watchOS 9.0, let alone dozens of other vulnerabilities in that update, and dozens since then that likely also impact watchOS 8.

If you’re one of those folks who…

  • bought a brand new Series 3 from Apple in early June 2022 (right before Apple silently revealed, on an obscure page of its site, that Series 3 wouldn’t support watchOS 9 in just three months—with no indication that you’d be cut off from security updates before then as well)
  • bought a brand new Series 3 from Apple in early September 2022 (just days before the release of watchOS 9—because Apple didn’t make it clear to you that it wouldn’t be compatible and that you wouldn’t get security updates anymore)
  • bought a refurbished Series 3 from Apple in March 2023 (unaware that it was already 8 months past its last security update)

…I truly feel for you, and I’m sorry that Apple has wronged you and violated your trust in this way. If you feel that Apple has treated you unjustly, I hope that somehow, someone at Apple will find some way to make it up to you in a satisfactory way.

But chances are that you, dear Series 3 user, aren’t even reading this article, and you’ll never know any better.

And chances are that, like my article back in March, this will get zero coverage from the mainstream press, and little to no coverage from the tech news press, or small outlets that cover Apple news.

And chances are that precious few will ever know about this, and Apple won’t feel any obligation to actually make things right.

After all, who cares about a giant mega-corporation, with more cash on hand than any other in the world, knowingly putting its paying customers at severe personal risk of having their data stolen, their devices hacked, and their privacy violated? Surely there aren’t any consumer protection laws against such things. And anyway, everyone knows that Apple is always the good guy. Because “Privacy. That’s Apple.”

Has Apple ever done anything like this before?

Apple has committed similar sins in the past, although previous instances were not quite as egregious.

Apple’s history of discontinuing security updates for recently sold hardware

A couple of notable examples of hardware that Apple cut off from security updates shortly after their last date of sale were the iPod touch (6th generation) in 2019 and the iPod touch (7th generation) in 2022.

Apple discontinued the 6th gen mere days before WWDC 2019—at which time the company silently revealed that the 6th gen wouldn’t support iOS 13, which would be released three months later.

Apple did nearly the same thing when it discontinued the 7th gen (the final iPod touch model) a few weeks before WWDC 2022, at which time the company silently revealed that the 7th gen wouldn’t support iOS 16, which would be released three months later.


Apple’s history of providing incomplete patches for older OS versions

Setting aside cases where Apple dropped support for recently sold hardware, Apple routinely provides a false sense of security to Mac, iPhone, and iPad users by providing only selective, cherry-picked security updates for previous versions of macOS, iOS, and iPadOS, respectively. I’ve written and spoken about this extensively over the past two years; see for example my October 2021 article, Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious. As I note in that article, Apple sometimes even neglects to patch actively exploited vulnerabilities for previous OS versions, knowingly leaving users vulnerable to in-the-wild exploits, unbeknownst to them.

This is a real problem, because users with old hardware that’s incompatible with the latest (and fully patched) OS—and users who simply don’t think they need to upgrade, and put it off for whatever reason—will mistakenly think they’re getting all security updates, when in fact their devices remain vulnerable to dozens of exploitable bugs that attackers can leverage to compromise their security and privacy.

Apple should either patch all vulnerabilities that are applicable to previous OS versions, or none—or if it’s going to cherry-pick, Apple should provide frequent, clear warnings to users who stay behind on an old OS. Apple’s current practices deceive users of older OS versions into thinking they’re just as safe as if they were running the current major OS, which is far from the truth.

How can I learn more?

For more details on what was patched this week, see our main article about the updates.

Apple patches vulns used to infect Russian iPhones with TriangleDB malware

We broke the story about Apple finally ending sales of refurbished Apple Watch Series 3 a few months ago, in March.

Apple stops selling Watch Series 3 — eight months after its last security update

In previous articles, we’ve discussed Apple’s planned obsolescence in the context of its new-for-2022 operating systems, including watchOS, and Apple’s poor patching policies with regard to macOS and iOS updates.

We discussed the end-of-sale of the Apple Watch Series 3 on episode 283 of the Intego Mac Podcast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.