If you bought a Ferrari and then the engine stopped running after 15 years, you'd be upset yes?
If your car is over 15 or 20 years old, the engine would still run, but you will face the problem of obtaining spare parts (sometimes even consumable/service items). That is now, but seeing how cars are getting more and more software-defined functionality in them, even this might change in the future as they increasingly start to look like computers on wheels.
 
If your car is over 15 or 20 years old, the engine would still run, but you will face the problem of obtaining spare parts (sometimes even consumable/service items). That is now, but seeing how cars are getting more and more software-defined functionality in them, even this might change in the future as they increasingly start to look like computers on wheels.
Yes, this is exactly the situation owners of John Deere tractors have now. Because of software locks, it is almost impossible for owners to perform maintenance or make repairs. Even if physical replacement parts can be sourced and installed, the tractor will not function until a John Deere representative enters the relevant software unlock code to reboot the OS.
 
It can easily get much worse in the future. When CAN bus appeared on cars decades ago, it made many electrical things more efficient in a vehicle. However, this enabled the widespread "controllerization" of vehicles. While this has its positives, it is opening a new can of worms in the form of softwarization of vehicles, and we are just at the beginning of it. When BMW came out with "subscription for heated seats", it was just probing the market for what can turn into a much bigger revenue stream for carmakers than anything before it.

Computers are nothing without software, therefore we can increasingly see every software vendor making new revenue streams with subscription fees. Any corporate IT guy knows that Microsoft does not provide perpetual licenses for server software any more. You want to set up Windows Servers - you just select the number of licenses, subscription period and billing cycle. This can open much worse perspectives for any computer we use in the future...
 
A lot of the rhetoric around updates and security drives me bonkers. You’d think your entire life will be ruined unless you install every update right away. It’s true that if you don’t want to think too hard, staying fully up to date is an easy shortcut for being reasonably secure in most situations. But that’s not practical or desirable for everyone.

True zero-click RCE vulnerabilities—where merely connecting your computer to the internet is enough for an attacker to infect the machine—are extremely rare, especially if you’re using the computer behind a router. To my knowledge—and I have researched this reasonably extensively—there are not any known vulnerabilities like this on any version of macOS. In order for an attacker to hack you, they would have to be able to run malicious computer code on your machine.

So what opportunities are there for a ne'er-do-well to run malicious code? One way would be to install a malicious app. However, I only install apps from developers who I have concluded are good/trustworthy people. There is certainly a risk I will end up trusting the wrong person, but that’s true for most things in life.

It’s theoretically possible for an outdated, vulnerable app to open a document or media file which tricks it into running malicious code. This is a legitimate concern. However, these types of vulnerabilities are generally difficult to exploit. So unless you’re a high value target who someone will be willing to put considerable effort into attacking, you probably aren’t going to get hacked in this way. That said, you should briefly stop and think before opening a document you downloaded from the internet on an old OS. If you know the source, it’s probably fine. If it came from a Nigerian Prince, stay away.

By contrast, when you browse the internet, your computer is constantly running JavaScript code from all over the place! You probably don’t think “do I trust the owner of this website” every time you open a link—I certainly don’t. IMO, this is a clear source of danger, and I do NOT recommend browsing the web with both an unsupported operating system and an unsupported web browser. If your web browser is up-to-date, the browser sandbox should keep code isolated. However, an outdated web browser may have documented vulnerabilities. So I’d say you should always use an up-to-date web browser if at all possible!

Security people will tell you it’s better to also have defense in depth—if there’s a vulnerability in your up-to-date web browser which no one knows about yet (a “0 day”), it’s better to have an up-to-date operating system as an additional layer of protection. They’re right, of course! But if you’re Joe Schmo and not working with military secrets, what are the chances a sophisticated hacker is going to waste a heretofore undiscovered vulnerability on you?

All of this is to say that, yes, of course using old operating systems is less secure. But in practice, when normal people get hacked, it's virtually never caused by some sophisticated OS exploit! The real danger lies in simple and stupid credential stuffing attacks, aka stolen passwords. I truly believe that for almost everyone, just using a password manager and a unique randomly-generated password on every website will make you more secure than 99% of tech users, and any brain power you’re currently spending worrying about your operating system should be dedicated to switching to a password manager. Otherwise, keep your web browser up to date and think before installing an app, and to some very limited extent think before opening a file.
92 minutes of applause
 
True zero-click RCE vulnerabilities—where merely connecting your computer to the internet is enough for an attacker to infect the machine—are extremely rare, especially if you’re using the computer behind a router. To my knowledge—and I have researched this reasonably extensively—there are not any known vulnerabilities like this on any version of macOS. In order for an attacker to hack you, they would have to be able to run malicious computer code on your machine.
Nobody just connects the computer to the Internet, people use apps.
"Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS"
https://mikko-kenttala.medium.com/z...ick-vulnerability-chain-in-macos-a7a434fc887b
"Airborne: Wormable Zero-Click Remote Code Execution (RCE) in AirPlay Protocol Puts Apple & IoT Devices at Risk"
https://www.oligo.security/blog/airborne
"Zero-Click Spyware Hits WhatsApp on iOS and macOS"
https://www.esecurityplanet.com/news/zero-day-spyware-hits-whatsapp/
 
Nobody just connects the computer to the Internet, people use apps.
"Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS"
https://mikko-kenttala.medium.com/z...ick-vulnerability-chain-in-macos-a7a434fc887b
"Airborne: Wormable Zero-Click Remote Code Execution (RCE) in AirPlay Protocol Puts Apple & IoT Devices at Risk"
https://www.oligo.security/blog/airborne
"Zero-Click Spyware Hits WhatsApp on iOS and macOS"
https://www.esecurityplanet.com/news/zero-day-spyware-hits-whatsapp/
The third of these only affects WhatsApp. I don't think you can even use an outdated WhatsApp client? It's all Electron anyway, use the web version.

The second requires the attacker to be on the same network as you. You can't AirPlay to any computer in the world.

The Calendar one is a bit more concerning though and I'm annoyed with myself that I hadn't seen it before. I did some initial tests, and Mavericks at least (the OS I care about) doesn't seem vulnerable at all. It may be more troublesome if you're on more recent versions. However, the full exploit chain requires you to upgrade your Mac from Monterey to Ventura (those versions very specifically) and now that Ventura fixed the bug it should be fine.
 
I think that using a VPN and an updated browser, together with an active firewall and not visiting naughty sites is the best way to be able to use even an unsupported Mac for decades to come.
 
October 20, 2025 "CISA Adds Five Known Exploited Vulnerabilities to Catalog"
https://www.cisa.gov/news-events/al...-five-known-exploited-vulnerabilities-catalog
CVE-2022-48503 "Processing web content may lead to arbitrary code execution."
https://www.cve.org/CVERecord?id=CVE-2022-48503
These are the kinds of things I don’t find concerning at all. Stay behind a router and don’t use an outdated web browser.

I think that using a VPN and an updated browser, together with an active firewall and not visiting naughty sites is the best way to be able to use even an unsupported Mac for decades to come.
Just FYI, the VPN doesn’t really do anything here. I suppose you could argue it keeps websites from getting your IP address, but (1) it’s the IP address of your router, which they shouldn’t be able to do anything with, and (2) since IP scanning is a thing your IP isn’t secret anyway.
 
Just FYI, the VPN doesn’t really do anything here. I suppose you could argue it keeps websites from getting your IP address, but (1) it’s the IP address of your router, which they shouldn’t be able to do anything with, and (2) since IP scanning is a thing your IP isn’t secret anyway.
Thanks!
 