Intego Mac Security Podcast

NameDrop, a Bluetooth Vulnerability, and a Chrome Zero-Day – Intego Mac Podcast Episode 320

Posted on by

The Chrome browser just got another update with security patches for serious vulnerabilities. A new Bluetooth vulnerability has been discovered that could allow hackers to listen in on your personal audio. And how much personal information are you actually transmitting when you share your contact info using Apple’s Name Drop feature?

  • Google Chrome emergency update fixes 6th zero-day exploited in 2023
  • New BLUFFS attack lets attackers hijack Bluetooth connections
  • North Korean hackers combine malware to attack macOS (KandyKorn)
  • Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks
  • A Word of Caution on MacOS Updates
  • Brit borough council apologizes for telling website users to disable HTTPS
  • Plex users rage over Discover Together privacy concerns
  • Police Departments and News Sites Spreading Misinformation About How iOS 17 NameDrop Feature Works
  • AirTags are the new go-to tool for cops after spike in car thefts
  • Don’t buy these tech products on Black Friday or Cyber Monday
  • How to Install macOS Sonoma on Unsupported Macs, for Security Improvements

  • If you like the Intego Mac Podcast, be sure to follow it on Apple Podcasts, Spotify, or Amazon.

    Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.

    Intego’s Mac Premium Bundle X9 is the ultimate protection and utility suite for your Mac. Intego’s Cyber Monday deal has been extended through Sunday, December 3, 2023. Intego Mac Podcast listeners can use [this link]( to get up to 65% off Intego software, our best deal of the year! Don’t miss your last chance to save big this holiday season.

    Transcript of Intego Mac Podcast episode 320

    Voice Over 0:00
    This is the Intego Mac Podcast–the voice of Mac security–for Thursday, November 30 2023.

    This week’s Intego Mac Podcast security headlines include: the Chrome browser just got another update with security patches for serious vulnerabilities. The number of updates it’s received already this year may surprise you. A new Bluetooth vulnerability has been discovered that could allow hackers to listen in on your personal audio. And how much personal information are you actually transmitting when you share your contact info using Apple’s Name Drop feature? Now, here are the hosts of the Intego Mac Podcast. Veteran Mac journalist, Kirk McElhearn. And Intego’s. Chief Security Analyst, Josh Long.

    Kirk McElhearn 0:52
    Good morning, Josh. How are you today?

    Josh Long 0:53
    I’m doing well. How are you Kirk?

    Kirk McElhearn 0:55
    I’m okay. Hey, listen, I made a Cyber Monday purchase. (Oh, what did you get?) A pair of Apple’s new AirPods Pro

    Josh Long 1:02
    Ooh, that’s pretty cool.

    Kirk McElhearn 1:04
    I had been thinking about this. And I’ve never been entirely a fan of in-canal earbuds. But these are actually quite comfortable and they sound okay.

    Josh Long 1:12
    We’ll have to talk about a vulnerability that might impact your AirPods Pro in a little bit.

    Chromium-based browsers get patched for the sixth zero-day vulnerability of the year.

    Kirk McElhearn 1:17
    Oh, no. Already. All right. Well, let’s start with Google Chrome, they have fixed their sixth zero day exploit for the year. Six zero day exploits in 2023. And when you mentioned this to me, I said well, how many have they had in previous years. And in 2022, they had nine and in 2021, they had 15. So they’re doing better. Six might sound like a lot, but they’re doing better.

    Josh Long 1:39
    Yeah. And so when we talk about zero day exploits in this context we’re talking about these are in the wild vulnerabilities that some threat actors using against people who are using Google Chrome, or it could also be Chromium based browsers or other software that uses the Google chromium code base. The Google Chrome browser is probably the most common of those things. You know, it’s by far the most commonly used browsers are worldwide. And so anytime that there’s a in the wild exploits for Google Chrome, it’s a good reminder that we should keep our browsers up to date on a regular basis. Basically, if you’re quitting your browser and relaunching it each day, that should force it to check for updates every day, which can help ensure that you’re always on the latest version. The other thing that you can do is you can go to the either, you know, it could be Google Chrome, or Microsoft Edge or brave or whatever browser, you’re using almost all of the Chromium based browsers, you can check for updates by going to the name of the browser in the top left corner right next to the Apple menu. And then you pick about and then the name of that browser. And that will check for updates. And if there are updates available, it will give you a button to restart the browser to finish installing those updates.

    Kirk McElhearn 3:04
    And that’s different from most apps that update internally. In other words, not to the Mac App Store, where if you go to the name menu, you’ll have a check for updates menu entry, which is if people look they would think well this has check for updates. That’s how I get updates. Most people wouldn’t think that it’s in the about page that you’re going to be checking for updates.

    Josh Long 3:23
    Right. And it’s kind of funny that you mentioned that because Vivaldi actually has a slightly different update mechanism. Most people probably are not using Vivaldi browser on Mac OS. But to check for updates there, you actually have to go through a slightly different process, you have to go to the Vivaldi menu and choose Check for updates like a more normal app, but kind of different from all the rest of the browsers for some reason.

    Hackers can use a vulnerability in Bluetooth for attacks.

    Kirk McElhearn 3:48
    Okay, so tell me about this Bluetooth problem that’s going to affect my AirPods Pro, does this mean that my cats can figure out some way to hear what I’m listening?

    Josh Long 3:56
    Well, it just might if your cats are Bluetooth hackers. So this latest attack, lets attackers hijack Bluetooth connections and this vulnerability or it’s actually two vulnerabilities that are being used together. But they have one CVE number, so one common vulnerabilities and exposure identifier. But this impacts Bluetooth core specification 4.2 through 5.4. And it’s interesting in their list, they actually show a Bluetooth 4.1 device so and some of the devices that they’ve tested this with include AirPods pro Oh, as well as a few iPhone models. They tested this with iPhone 12 and 13. And all the way back to iPhone seven probably because that particular model has Bluetooth 4.2 which is on the earlier side. So they were probably just testing a range of devices.

    Kirk McElhearn 4:52
    Okay, worth pointing out that this is the AirPods Pro first generation that’s tested here and I have the new ones the second generation which are not on the list.

    Josh Long 4:59
    They’re not on the list of devices that they tested. However, they say that this basically impacts all Bluetooth devices. So there’s actually a series of attacks and that are collectively named bluffs. And these attacks can break the secrecy of Bluetooth connections, allowing for device impersonation and man in the middle attacks. So basically, yes, somebody could intercept Bluetooth communications that are supposed to be for you and listen in. For example, if using Bluetooth for audio, they could listen in and hear the things that you’re supposed to be hearing on your Bluetooth headset.

    Kirk McElhearn 5:38
    So Tom Cruise scenario, they could listen to phone calls that you’re making.

    Josh Long 5:42
    Sure, yeah, exactly. There’s, there’s lots of different like potential use cases for this. But, you know, is this something that people need to worry about? I would say, probably not, I mean, the likelihood that somebody is actually going to be near you and trying to exploit these vulnerabilities is pretty low. But at the same time, I would say that if you have highly secure communications, probably don’t use Bluetooth or anything wireless really, for that matter, right. Like, the more security that you need, the less you should be relying on wireless technologies that are floating through the air that could potentially be intercepted by somebody down the street from you.

    Kirk McElhearn 6:22
    Especially because recent Bluetooth has a much longer range than in the past. If you go back a few years, the range of Bluetooth was generally considered to be 10 meters, 30 feet, I got these new AirPods Pro this morning, I left my phone in my office, I walked all the way around my house and had no problem listening to anything.

    Josh Long 6:38
    Yes, I’ve been very surprised by that, too. I’ve done similar experiments with Bluetooth around my house and have been very surprised that the Bluetooth range seems to be a lot farther than certainly than it used to be, and farther than the specification specifically allows for. But the other thing is, and most people don’t know this, you can often extend the range of wireless technologies, whether it’s Wi Fi or Bluetooth, by using boosters. And so if an attacker is like, you know, across the street from you, they could be in another building, or you know, completely, you know, a block away and still be able to potentially intercept some of those communications. So even if your devices are all perfectly functioning as normal, somebody from much farther away could potentially intercept transmissions on your devices.

    What kind of malware is KandyKorn?

    Kirk McElhearn 7:30
    Okay, I’ll keep my eyes on my cats if they have any little electronic devices trying to figure out how to get treats. Alright, we have KandyKorn. North Korean hackers have new malware attacking Mac OS, they’re really focusing on cryptocurrency people and I hate to say it the usual targets is it’s where the money is. So if you’re doing anything with cryptocurrency, you got to be really careful what you download.

    Josh Long 7:55
    KandyKorn was actually discovered in October. But this happened to resurface in the news. And so we thought it was worth mentioning here. If you are using Intego Virus Barrier, you are fully protected from KandyKorn and related malware, which has some fun names like SugarLoader, for example. So if you are using Virus Barrier, you’re already protected from this malware.

    Microsoft Word documents can still be used for hacking and distributing macro viruses

    Kirk McElhearn 8:16
    Okay, what about the Connie group using Russian language malicious Word documents in their latest attacks?

    Josh Long 8:23
    Yeah, now this was an interesting story because we don’t often hear about, you know, Microsoft Word files that are being used in in attack scenarios. But it’s still a thing that can happen. Microsoft Word and other Microsoft Office documents can still use VB scripts, Visual Basic scripts. And these macros can do other things like they can download malicious payload or other things like that. And in this particular case, if you open this Word doc on a Windows system, it will run a batch file. So it’ll run a script that does some more malicious things to to your machine. So in this particular case, this is not something that affects the Mac, but I thought this was worth bringing up because people often don’t really think about Word documents as being something dangerous that you need to worry about. So just a reminder, you know, this type of thing can also affect the Mac as well. You know, they can certainly create a Word document that is capable of infecting Macs. So be very careful about downloading any kind of attachments, regardless of whether it seems like something benign, like a Word document.

    Kirk McElhearn 9:39
    Back in the day, and this goes back a while in the late 90s. In the early 2000s. When I was working as a translator, Word macro viruses were relatively common. And when you’re working in a job like that, where you’re exchanging documents from a business to a translation agency to a translator and back and forth, it was extremely common, and I don’t remember how long it was ago but It took Microsoft many years to change their app. So they didn’t run macros when documents were open originally, they would run automatically, but then they had a setting to prevent that. But that was probably the most pernicious malware on Macs for a very long time.

    Josh Long 10:15
    Yeah, and it is still a problem, I would say. It’s definitely not the number one problem in terms of malware on the Mac, but it’s still something that people should be aware of. And by the way, the built in protections in macOS, there’s nothing to protect you from macro viruses in Microsoft Office documents. So that is something to be aware of to and a good reason why you should have antivirus software that is the full package that detects all this kind of malware, and not just this few specific things that Apple knows how to detect,

    Kirk McElhearn 10:48
    Right. Apple can detect certain apps that are code signed, or that don’t have a certain flag when you’ve downloaded them, and they can check for certain things. But they can’t check files, they can only check apps, is that correct?

    Josh Long 11:00
    Apple can basically do whatever they want. But it’s just that they’re not doing it. They’re, they’re not being comprehensive in right, what exactly they’re checking when things are downloaded. So it basically like you could kind of look at it as this. So people we’ve talked about XProtect before this is this technology that’s been built into Mac OS, since all the way back in Snow Leopard is when it was first introduced macOS 10.6. And Apple has gradually iterated on that and made it a little bit more advanced over time. But to this day, they still are not detecting so for example, they don’t detect any Windows malware, they only detect a handful of specific Mac malware samples. And it’s just not it’s not comprehensive protection. And so if people are assuming that x protect is going to protect them. We’ve also talked in the past before about how sometimes Apple takes a while before adding signatures for some malware that we’ve been detecting for some period of time already. So it kind of like basically if it gets big enough that it’s on Apple’s radar, then they’ll add a signature for it. But if it’s not yet on Apple’s radar, then you know, in the meantime, you’re vulnerable if you’re just relying on Apple’s protection.

    Kirk McElhearn 12:17
    Okay, we’re gonna take a break and in the ad read the follow us you can find out how you can save up to 65% on Intego software, so you are protected from all this malware. We’ll be back in a minute.

    Voice Over 12:27
    Protecting Your Online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years and our latest Mac protection suite includes the tools you need to stay protected. Indigos Mac premium bundle X nine includes virus barrier, the world’s best mac anti malware protection, net barrier, powerful inbound and outbound firewall security, Personal Backup to keep your important files safe from ransomware. And much more to help protect, secure and organize your Mac. Best of all, it’s compatible with macOS Sonoma, and the latest Apple silicon Macs. And don’t miss Intego’s Black Friday and Cyber Monday sale going on now. The best deal of the year on Intego software — up to 65% off — has now been extended through Sunday December Third. Check out the exclusive link for Intego Mac Podcast listeners at That’s for our exclusive Black Friday and Cyber Monday deals. But only through Sunday December 3rd. Intego. World class protection and utility software for Mac users made by the Mac security experts.

    Should I download and install Apple beta operating systems?

    Kirk McElhearn 13:43
    We want to briefly talk about running beta software on Mac, iPhone, iPad, etc. And what prompted this was an article that was published today by the developer rogue amoeba, we use rogue amoebas Audio Hijack to record this podcast. In fact, most podcasters on the Mac use Audio Hijack, they reminded users that beta software is dangerous and beta means bugs and they talk specifically about the most recent MacOS 14.1 beta update, which, as they say interrupted significant functionality in the then current versions of our apps. Two years ago, three years ago, five years ago, we wouldn’t have had to talk about this. But since Apple made it possible for anyone to go into the software update settings of their Mac, their iPad, their iPhone, and choose to download beta software, it means a lot of people were taking risks, just because they want to be on the cutting edge. But they don’t realize that these risks could be serious, and that this could prevent them from using their devices. So we’re going to link to an article on the Intego Mac security blog about how to use beta software. But be careful this isn’t for everyone.

    Josh Long 14:51
    Right. Think of beta software instead of the cutting edge. Like think of it as the bleeding edge right? Like this is the problematic zone. So beware that yes, you might get to try out some features and functionality before they’re generally available to the public. But that also necessarily means that there’s going to be a bunch of bugs. That’s the whole reason why beta software exists, is to get a small group of people to start testing that software to make sure that there are no major issues before they release it to the general public. So that is something to be aware of, I definitely don’t recommend installing beta operating systems on your main device. In fact, that’s why I never install iOS betas. Whenever there’s a new version of iOS coming out soon, I always use a backup phone. It’s a device that is specifically not my main phone that I can test the new operating system on.

    Don’t let anyone tell you to switch off HTTPS.

    Kirk McElhearn 15:48
    Okay, we found a story on the Register, which is a very interesting British website that we cite occasionally. And it’s entitled Brit Borough Council apologizes for telling website users to disable HTTPS. If you’re a regular listener of this podcast, you know that the s in HTTPS means secure. Apparently, reading Borough Council tweeted to people who were having problems with their online planning application and said, Well, if you’re using Chrome, uncheck the always use HTTPS setting and try accessing the portal again, this is dangerous because they say when you finished accessing the portal, revert the setting Many thanks. Most people would forget to do this. Don’t ever let anyone tell you to turn that off. And even let’s say you can’t access a website and you call the company and they say turn off HTTPS, don’t do it. Because it means that they’re poorly coded and that you’re at risk, because you’ll never remember to turn it back on again.

    Josh Long 16:42
    Yeah, this is kind of concerning that this would be a public recommendation, by the way. So this was in response in reply to someone. But nevertheless, it shows that their IT department presumably was like telling the Social Media Manager to tell people this as a solution to the problem. And it’s like, oh, yeah, that’s not such a good idea. So what should have happened, of course, is that they should have improved the security of their website, so they wouldn’t, it wouldn’t be necessary to tweak any settings in order to access the site.

    Plex media manager automatically opts-in users to sharing viewing habits.

    Kirk McElhearn 17:13
    So I use Plex. Plex is a media management tool that you can use to play music and videos, and I use it to hold all of my blu rays and DVDs that I’ve ripped on a Mac mini that I streamed on Apple TV. I’ll link in the show notes to some articles about ripping blu rays and DVDs on the Intego Max security blog. Plex is really useful because it kind of it’s the wrapper for watching videos and organizes them with metadata with actor info and sometimes even shows trailers. So Plex came up with this wonderful idea to tell your friends what you’ve been watching. So you can add friends on Plex, and you can actually share your library with friends, which doesn’t sound totally legal. And Plex has always been piggybacking on not totally legal. But imagine you’ve got a network of friends and you’re all sharing your libraries. And that every week, all your friends get an email showing what you’ve been watching. Now, maybe you’re just watching the latest, you know, Tom Cruise movie, or maybe you’re watching things you don’t want your friends to know about. One of the promises to introduce this new feature complex is saying it’s an opt in, but it’s not. We’re going to link to an article on tech hive where you see a screenshot about this. After the update, your settings are changed, and you click the Finish button to accept it. And if you’re not paying attention, you don’t realize that they’ve changed the setting. So it’s really opt out because you have to click to choose Private instead of friends only.

    Josh Long 18:40
    Right this particular dialog box says you’re in control at the top and it says control which of your activities your friends can see on Plex, your profile privacy settings are currently set to private. And this is in super fine print. Right. And then it’s got the four different options. My watch history by default is set to friends only my watch list my ratings are both set to friends only. And then my friends of friends can see that you’re friends with your friend, I guess is the idea behind that setting. So they’re changing all of these settings if you just hit finish, so it says you’re in control. That’s the the thing you see and then you see a finished button and you go Yeah, I’m done. I’m done installing this so I’m gonna hit finish. So if you’re not paying real close attention, you don’t realize that they’re actually changing all of your settings for you to opt you into this not so private functionality.

    Apple’s Name Drop feature to share your Contacts card may share information you want kept private.

    Kirk McElhearn 19:37
    Okay, we have an A side in the beside this week in police departments sharing information about technology with people. The first one is a number of police departments. I don’t know why they all came up with this started recommending that people turn off name drop, which is a new feature in iOS 17 And watch OS. If you bring two phones close together, you can send contact information, you can do the same with a watch. And all of a sudden police departments have been warning that this information could be shared just by bringing your phones close together. Not at all, this is just totally wrong. Because you have to actually tap a button to share it. It’s not like an automatic thing. So imagine if it was automatic, and you’re on a crowded subway, and you’ve got a phone in your pocket. And the person next to us got a phone in their pocket and you bumped into each other. It’s not how it works.

    Josh Long 20:27
    Right. And in fact, when when this feature was announced, I saw people on social media like imagining scenarios where they happen to run into Tim Cook, and you know, and in the public somewhere in an elevator, and oops, I accidentally brushed my phone against his and now I’ve got his phone number. No, it doesn’t work like that. It does not work like that at all. And quite intentionally, because you don’t want people to bump into you on the subway, and now they have your phone number, right, that doesn’t make any sense. So if somebody comes in proximity to you, then you have the option. And Apple actually shows this in their marketing material, you get two buttons, you get one that says receive only meaning, okay, I want to get your contact information, or share meaning you actually exchange contact information with the other person.

    Kirk McElhearn 21:20
    This is actually a useful feature. It’s like a digital business card. But what I would suggest is to be very careful what you put in your contact card. Because I’m assuming it shares everything in your contact card. You may want to give someone your phone number and email address, but not your address and not your secondary email address or your Skype account, or your Twitter account and all that because your contact card can contain an awful lot of information.

    Josh Long 21:46
    So the takeaways here are that first of all, it doesn’t work as a lot of these police departments and others are describing it where you just bumped into somebody and now you have their contact information. It doesn’t actually work like that. So you don’t need to be too concerned about that. name drop is not very well documented from what I can tell it Apple doesn’t really clearly state anywhere, how to select what is shared, it seems like it shares almost everything in your contact card with somebody when you go to share with name drop. Unfortunately, this is not something that it’s very easy to test either unless you have somebody that you don’t know that you’re trying to share your contact card with because it will not update an existing contact card when you tried to name drop either.

    Kirk McElhearn 22:31
    You want to try it Josh hold up your phone. Let’s see if we can do it over zoom.

    Josh Long 22:35
    Yeah, I don’t think it’s gonna work over zoom.

    Police departments distribute AirTags to track stolen cars.

    Kirk McElhearn 22:36
    No, I don’t think so. Okay. All right. So that was the A side of police misinformation. And the B side is actually some good advice from police. We talked a while ago about a couple of brands of cars that are apparently very easy to hack in the US. I don’t know if it’s just the US but around the world. I think Kia, Hyundai cars. Police in Washington, DC started realizing, according to Ars Technica that it was much easier to recover stolen vehicles that could be tracked with Apple AirTags. A lot of cars have built in trackers but you don’t have access to it, right? The car companies receiving data and sending data to your car, or that may use your car’s location, my car has a button that I push to get assistance right from the car manufacturer. So they’ll use the location there. But it’s not a bad idea to stick an AirTag someplace in the trunk of the car, or under a seat or you know any place like that, that no one would think to look if they steal it because the amount of time it would take to get the information from the car manufacturer probably needs like a police warrant and all that. Whereas your AirTag can be used in real time.

    Josh Long 23:41
    Right. This Ars Technica article says that over the summer, there were 10s of 1000s of car thefts that were supposedly inspired by some TikTok videos that encouraged people to go out and try these things. And so regardless of whether it was tick tock that inspired it or not, there have been a lot of car thefts. And of course, in certain regions of the world, this is a lot more common than others in San Francisco, for example, car thefts are you have to expect that your car’s gonna get broken into especially if you leave anything in plain sight in your car is pretty much a guarantee that your car’s gonna get broken into. And so in Washington, DC, this is one of the jurisdictions where police officers actually have realized it’s cheaper for them to just give out AirTags to buy AirTags and give them out to people than it is to deal with the massive volume of car theft reports that they’re getting. So now they’re actually giving out AirTags to people so that they can track where their own car is, in case it gets stolen.

    Kirk McElhearn 24:43
    So here’s a tip if you share a car with someone or often ride with someone, you can go into the Find my app on any of your devices and you can share the AirTag that’s in the car. So the person that you’re with in the car doesn’t get all these alerts that there’s an AirTag following them.

    Josh Long 24:59
    Right, that’s a good point. So if you have not already purchased an AirTag, I don’t know, I’ve seen some pretty good sales over the past week. So maybe there’s still some cyber week details on AirTags, it’s probably a good idea to stick one in each of your cars, you know, put it in some inconspicuous place, so that you can find it easily enough. But if a car thief goes through your car, they won’t be able to find it very quickly.

    Sales on older tech products should be evaluated on how long they’ll receive security updates.

    Kirk McElhearn 25:23
    Okay, speaking of buying tech products, you recently wrote an article about not buying certain tech products on Black Friday or Cyber Monday. Now our strategy here is to change the headline for every buying season, it will soon change it to don’t buy these tech products for Christmas. And it’ll be Amazon Prime Day next year. Because this is something we talked about in last week’s episode, and we talk about regularly about tech products that are out of date and it can’t be updated.

    Josh Long 25:48
    Well, it is still cyber week. And by the way, if you happen to miss the mid roll ad, our Black Friday and Cyber Monday deal has been extended through the rest of this week, all the way through Sunday. So if you missed our Black Friday deal, you can still get that deal with the link in our show notes. But okay, so if you’re still buying tech products, you know most people, although the you may buy some things on Black Friday and Cyber Monday, most people are still doing their holiday shopping like pretty much right up until Christmas. In this article, I cover everything from all Apple devices that have an operating system that needs to be on the current version in order to make sure you’re getting all the security updates you need. That includes Macs, iPhones, iPads, Apple Watches, I also talk about Android and Chrome OS devices. Wi Fi routers…

    Kirk McElhearn 26:37
    As you said, this is something people should think of all year round, if they’re looking to buy things, if they’re going on eBay, if they’re buying refurbished devices, there’s no point buying something that’s going to be it’s going to put you at risk in a year or two. If it’s a device that’s meant to last like a Mac more than a phone or a tablet, you want to make sure that you’re going to be able to use it for long enough and not have to worry about security updates.

    Josh Long 27:02
    Right. To break this down a little bit further, let’s talk about the Apple devices. And we don’t need to go into too great detail here. Because it’s pretty simple advice. Overall, for Apple devices, my recommendation is that you try to buy an Apple device relatively soon after it’s released. If you want to buy an older generation Apple device, then keep in mind kind of approximately how long you’re likely to get security updates for that device. And you know, so for example, if you’re buying a year old device, then you know, on something like a Mac, where Apple usually releases OS updates, for particular MAC models for about roughly five, six years or so after that Mac model is released. And so if you’re buying a year old Mac take off like 20% or so of the price. If if you can get it around that price point I feel like then it’s pretty reasonable to buy it at that point. Also, it doesn’t really matter so much. If you’re going to be buying a new, for example, an iPhone every two years anyway, then it’s perfectly fine. I would say to get a two year old iPhone if you can get a really good deal on it. Because you know that Apple is going to be releasing security updates and the latest iOS versions for it for at least another couple of years until you’re likely to buy a new phone.

    Kirk McElhearn 28:22
    So this makes me think of something when I bought my M1 iMac. I swore to you that I would keep it for five years. But what’s going to happen when I get to that five year point is it going to be close to its end of life for OS updates, which means that if I try to sell it used actually, it wouldn’t be fair to sell it to someone thinking that they may not be able to update it in the next couple of years and get security updates.

    Josh Long 28:44
    A lot of people do tend to sell their devices even past the point where Apple is still releasing the latest operating system updates for it. I mean, if you look on something like eBay, you’ll find all kinds of Mac’s that are much much older than Apple is currently supporting. You know, right now the earliest Mac that Apple supports for Mac OS Sonoma is the iMac Pro which came out in 2017. Everything else is 2018 or later, some are 2019 models even. So if you’re buying a 2017 Mac, for instance, other than that iMac Pro, you’re not going to be able to run Mac OS Sonoma on it. Well, at least not without third party hacks. We do have an article on the Mac security blog, where we explain how you can do that. But you know, with M1 This is actually pretty interesting to talk about because we don’t know yet what’s going to happen. My assumption is that sometime within the next couple of years, Apple is going to start only supporting M1 Or later Mac’s with the next you know, version of macOS. At that point. I presume that that means that all these Intel Macs are going to get cut off. So you’re going to be stuck forever with macOS Sonoma or whatever one came after that that still support some of these Intel Macs. And at that point, you know, I don’t know if we’re still going to get these patches that allow you to use the latest operating system on older Mac’s very likely, you’re not going to get it that particular year, because Apple is going to make a bunch of changes to the operating system to prevent it from being backwards compatible with Intel Macs. And it would just be far too much effort for some third party developer to backport that operating system to Intel Max, it just is not going to work.

    Kirk McElhearn 30:28
    Okay, so bookmark this article because Josh is going to keep it up to date every year when there’s a new operating system, and older Macs are no longer able to run the newest operating system. Maybe if you have some last minute purchases you are planning to make in Black Friday, Cyber week. Whenever that ends, I guess it ends just when the Christmas sales start right. So this is like an ongoing permanent cycle. Just keep this in mind: Don’t buy old tech. Until next week, Josh, stay secure.

    Josh Long 30:53
    All right, stay secure.

    Voice Over 30:57
    Thanks for listening to the Intego Mac Podcast: The Voice of Mac Security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us in Apple Podcasts, or subscribe in your favorite podcast app. And—if you’d be so kind—leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast-dot-intego-dot-com. The Intego website is also where to find details on the full line of Intego security and utility software. intego-dot-com. And—don’t forget!—take advantage of our Black Friday and Cyber Monday deal thru Sunday December 3rd only. Our exclusive link for Intego Mac Podcast listeners is available only in our show notes, at podcast-dot-intego-dot-com — that’s podcast-dot-intego-dot-com and look for our exclusive link to save up to 65%. This is the best deal of the year on Intego’s powerful protection and utility software. But hurry, the savings only last through Sunday December 3rd.

    About Kirk McElhearn

    Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →