Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Security for OCLP (OpenCore Legacy Patcher)

deeveedee said:
@dimme For me, the security of an OCLP-patched Mac has never been about whether I like the Devs (although the video does make me like and respect Mykola Grymalyuk even more than I did before). For me, it's always been about what OCLP has to do to an unsupported Mac to make it run the latest versions of MacOS. The video didn't change that.
Click to expand...
One thing OCLP has done for me is give me an idea of what a current version of macOS would be like on a new mac in relation to existing software and workflows I do daily, or enjoy occasionally. For daily tasks like email, web, etc I'd be OK, even the stuff that works on supported Macs like the graphics stuff. It's more about backward compatibility and rare stuff I've had questions about. So, I'd rather find that out first without dumping a bunch of money into a new machine and then having something happen to the colder computer with no way to go back, and being stuck with the new mac and new arch. I can tell you, from my testing, Monterey still does 95% of what I need and it's the latest supported OS for this late 2015 iMac. Second in supported Operating system, Mojave can still run maybe about 90% of my stuff, even if it's one or 2 versions old, and still offers 32 bit support for games and older apps not updated for 64-bit only. Then I have Linux on an external drive for stuff that macOS just doesn't do well at. And then I have two installs of operating systems that use Open Core to boot. All the macOS installs are on the internal Fusion Drive via APFS Volumes.

For the Record, Firefox ESR still supports Mojave so it might not have the latest features, but it's patched for security.

I've always enjoyed older computers but also like staying current enough to still do the current stuff I need as well.
 
  • Like
Reactions: wjcroft, schnaps, BillyJoeJimBob and 1 other person
deeveedee said:
There are 3rd party versions of OCLP freely available to download and use. Based on the title of this thread, I don't think I need to say any more.
Click to expand...
No you don't and this is expected. But thanks for mentioning it. Worth spreading to the current forums at some point.
And perhaps to the devs to add the standard warning to OCLP docs and installers if that helps.
Dangerous times..
 
  • Like
Reactions: m4v3r1ck
@bogdanw I'm laughing at your post, not because it's wrong, but because you've come a long way from "a software project started and maintained by members of a Russian warez forum" here.

Maybe we've both become a bit more accepting of OCLP and appreciative of what the Devs have accomplished. ;)
 
I stand by it.
deeveedee said:
@bogdanw I'm laughing at your post, not because it's wrong, but because you've come a long way from "a software project started and maintained by members of a Russian warez forum" here.

Maybe we've both become a bit more accepting of OCLP and appreciative of what the Devs have accomplished. ;)
Click to expand...
An explanation is not an endorsement ;-) My previous statement is true and I stand by it.
 
Why do many people say OCLP is more secure than staying on an unsupported OS if it introduces security risks itself?
 
BloxUnskilleden said:
Why do many people say OCLP is more secure than staying on an unsupported OS if it introduces security risks itself?
Click to expand...
Because upgrading to supported versions of MacOS plugs known weaknesses that are sometimes being actively exploited and are present in unsupported versions. As opposed to the identified risk of a rootkit that is Open Source and carefully scrutinised - not risk-free but clearly visible.

You pays your money and you takes your choice. Oh, wait! OK, either way pay nothing and make your own choice :)
 
  • Like
Reactions: Subarctic5216, basslik, LlamaLarry and 1 other person
@jbn858273 I like your confidence. What are the 'clearly visible' 'identified risks' of simultaneously disabling SIP, breaking the APFS Seal and patching macOS with a Wi-Fi framework that no longer receives updates? How are the risks 'clearly visible' without FIPS-certified testing?
 
Last edited:
I see that in a way that completely out-of-date EOS operating system introduces bigger possible attack surface than up-to-date base system while using drivers and extensions from that EOS system. We have obvious compromises by third-party code and lowered restrictions instead of completely out-of-date system.

Most of people do not resort to OCLP when official support ends but continue to use their Macs being completely oblivious of fact that all security update support has ended. They might even be delighted by absence of interruptions brought by updates - and they continue this until Safari will be so out of date that websites wont work properly. Later at point where support for other browsers ends they use these until browsers start to notify about unsupported system - and that might be first moment for "most-oblivious" user to notice what is going on...

This is a bit out-of-scope but kind of common observation about the fact that EOS from Apple can leave ordinary user in more vulnerable position. Even Microsoft starts to bombard users about EOS of Windows 10 in time before actual support will end and gives you a way to see if your hardware is supported on newer OS...
 
Last edited:
  • Like
Reactions: dimme
nmt1900 said:
I see that in a way that completely out-of-date EOS operating system introduces bigger possible attack surface...
Click to expand...
That sounds good, so it must be true, right? So as long as the OS is "completely out-of-date" it doesn't matter that OCLP requires disabled SIP, disabled Secure Boot Model, broken APFS Seal and root patching with a Wi-Fi framework that no longer receives updates. As long as the macOS version is newer "enough", it must be more secure than the old one.

Your Microsoft example can be applied to OCLP which silently allows a user to run a newer macOS without alerting the OCLP user to any potential security risks. OCLP doesn't even provide a single alert, let alone "bombard users" about security issues.

My point is that the decision to use OCLP is not as simple as "new vs. old macOS version" and a code review of an Open Source project. I don't have proof, but my guess is that OCLP adoption has grown to the point where most OCLP users are unaware of the security risks, because warnings requested here are still nowhere in the app or the documentation.

nmt1900 said:
bigger possible attack surface than up-to-date base system while using drivers and extensions from that EOS system.
Click to expand...
OCLP's root patches are extracted from "drivers and extensions from that EOS system." I see that you understand this, but other OCLP users are not aware of this. OCLP never alerts its users to the fact that potential vulnerabilities existing in frameworks extracted from the "EOS system" are present in the new version of macOS thanks to OCLP patches.
 
Last edited:
Yes more problems can appear as non-knowledgeable people are moving to use OCLP - but I cannot remember that original out-of-date EOS machine will even notify user about anything else than "system is up to date" - there's were comparison with Microsoft comes in.

Some of features broken by OCLP do not even apply to seriously older machines - SSV appeared only with Big Sur so there would not be any sealed volume if last supported OS would be Catalina.

This should be obvious that OCLP should be used only by people who are able to understand "what comes with it".
I have it on one 10 year old MBP which is only rarely used for testing. As i work in related field and have to deal with customers then I never go recommending this to them but say straight out that it is time to get a new machine. I have enough work without helping them out if anything would go wrong with OCLP-installed machine - it won't boot properly after update etc. It is obvious that 13 year old Macbook Pro would not perform as new Apple Silicon machine anyway so it is just not worth it to "make your work" from installing it to other people machines or even recommending it to be used on their main (work) machine.
 
nmt1900 said:
Yes more problems can appear as non-knowledgeable people are moving to use OCLP - but I cannot remember that original out-of-date EOS machine will even notify user about anything else than "system is up to date" - there's were comparison with Microsoft comes in.
Click to expand...
Then maybe we're in agreement that the "non-knowledgeable people" with Macs natively supported by Monterey (for example) may soon be running OCLP-patched macOS Tahoe on their Mac while being lulled into a false sense of better security because their macOS still receives updates from Apple. I'm a big OCLP supporter (and donator). I remain firm in my position that the OCLP app and docs should provide security warnings.

EDIT: Note that I am not stating that the security assessment of native Montery vs. OCLP-patched Tahoe is black and white. Any security assessment must consider the use case as has been previously discussed in this thread.
 
Last edited:
There are multiple layers to security and for most of users more common scenarios include userspace as first layer of intrusion. This is where out-of-date OS and web browsers come into play. Forward from there are ways to exploit root level vulnerabilities that might arise from disabled security features - but many old machines and their latest Apple-supported OS releases do not have some of these features anyway.

Therefore it really is not black-or-white - but for common scenarios it is outdated userspace level with its' vulnerabilities which brings most of troubles in our times. Even if Mac would be completely impenetrable on root-level it would not make it absolutely secure because the data that is being compromised is in (or is linked to) userspace.

P. S. I think that users living in EOS "system is up to date" world are also lulled into sense of security - but by Apple...
 
  • Like
Reactions: bzgnyc2
@nmt1900 Those same users with their latest browser are surfing with an old, uncertified layer-2 in a coffee shop. Now we're just discussing things already discussed in this thread. I'd encourage everyone to read this thread from the beginning.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back