How to make older macOS as secure as possible
There can be very good reasons for your Mac not running macOS 14. These include incompatibility with key software, particularly that for music and audio, or Sonoma may not be supported on your Mac. At the same time, you want your Mac to be as secure as possible. This article tackles a question that I’m often asked: how can I safely run an older version of macOS on my Mac? My answer comes in two parts: how to give macOS as good protection as possible in a process of Sonomatisation, and how to minimise the risks you take.
What does Sonoma bring?
Differences in security protection depend on which version of macOS your Mac is running. Mojave and earlier have a completely different architecture that exposes the system in a single, common startup volume. That improved considerably in Catalina, and further in Big Sur. Since then, the System volume has been a read-only snapshot with a tree of hashes to check its integrity. Provided that your Mac is running Big Sur or later, it gets the benefits of that new architecture, and there’s nothing to be done with earlier macOS than can compensate for it.
Checking executable code before it’s run is another feature that has undergone great change over the last few years. Provided it doesn’t have a quarantine flag set, Mojave performs only limited checks, and will happily run almost all completely unsigned code, and apps whose signatures have become broken because their contents have been altered.
Code that does have a quarantine flag is better scrutinised, though. All versions of macOS since about Yosemite (10.10) have used malware recognition signatures in XProtect, and those are still updated across all those versions. That merits careful checking, as some older versions of macOS have sometimes stopped receiving those updates.
XProtect checks made when macOS is about to run executable code are ‘Classic’ XProtect, and part of the Gatekeeper protection system. In Sonoma this is much more aggressive, checks all code regardless of its quarantine status, and is far stricter when it comes to code signatures and changes made internally to apps. There’s no way you can change older macOS to the standards imposed by Sonoma, unfortunately.
macOS Catalina and later also have a new type of XProtect, its Remediator, a set of scanning modules that look for signs of malicious software known to Apple. Those scans aren’t normally run on demand, and their results aren’t shown in the GUI either. However, from Catalina onwards XProtect Remediator should scan your Mac for malware every 24 hours or so. As with XProtect, ensure that your Mac is kept up to date with its current version.
This assumes that your Mac runs macOS as intended by Apple, and you don’t disable any of its security mechanisms, such as System Integrity Protection (SIP). The effects of doing so are far wider than just stopping certain files from being modified, and can disable much of Gatekeeper’s defences. This becomes more complicated with OCLP, which allows your Mac to run a more resilient version of macOS, but may require that some of its security features are disabled. Striking the right balance here is technical, and isn’t easy.
macOS vulnerabilities
Both Apple and third-party security researchers devote a lot of effort to checking macOS for vulnerabilities that could be exploited by the malicious. Although most of those discovered aren’t known to be exploited, it can only be a matter of time before some are. Apple therefore releases security updates to address known vulnerabilities, but only for the current and last two previous major versions of macOS, at present that means Sonoma, Ventura and Monterey.
If you have to run an older version of macOS, you’re thus best off running a version for which Apple still issues security updates, and the more recent, the more likely Apple will fix its most important vulnerabilities. This currently runs as:
macOS 14 Sonoma gets full security patches,
macOS 13 Ventura gets less than Sonoma, but more than
macOS 12 Monterey, but at least that does get some patches, while
macOS 11 Big Sur and earlier get none at all.
This assumes that you ensure macOS is kept up to date with its latest security updates. If you don’t, then some of its vulnerabilities may already be exploited in malicious software. These security updates aren’t a bonus, but an essential, and there’s nothing you can do to compensate for their absence.
Safari updates
Accompanying these security and other macOS updates are updates to Safari. Because your browser is often the front line between your Mac and malicious software, ensuring Safari is kept up to date is every bit as essential as general security updates. These are bundled in the current version of macOS, but for the previous two versions are normally released separately alongside its macOS security update.
Unfortunately, that means that Macs running Big Sur haven’t had a Safari update for a long time, and the version they’re running is highly likely to have some serious vulnerabilities. Rather than using an old version of Safari, you may then be better off using the current version of a third-party browser, such as Firefox. That’s not an easy decision to make, but ensuring robust browser security is of great importance.
Malware protection
One of the most common questions I’m asked is whether the protection provided by macOS is sufficient, or third-party security software is required. At present, if you’re able to run the current release of Sonoma, keep it up to date, and only engage in low-risk activities, I consider that third-party security software is not required by the cautious user. That’s only my personal opinion, though, and I appreciate that others have different opinions.
However, with older versions of macOS or higher risks, you should consider whether your Mac wouldn’t benefit from additional protection. Provided that it’s developed by engineers who understand the Mac and work with rather than against macOS, it may well be a help. But it can never be a substitute for your careful behaviour: if you do choose to run a security product, that doesn’t mean you can click on any dodgy link, or drop your guard. Security software is an enhancement, not a substitute, for good security practices.
Software firewalls such as Little Snitch and LuLu can be effective in your defences, but also require your attention to ensure that they operate optimally, allowing necessary traffic to pass, and only blocking the malicious. In the wrong hands, they can cause all sorts of problems. Objective-See offers several other excellent products that can significantly reduce your Mac’s risks, and are worth assessing carefully.
Risk taking
If you’re going to run an older version of macOS on your Mac, you must be fully aware of all risks that you take. After all, it’s the human that is almost invariably the weakest part of any Mac’s security. Risk is determined by the threat landscape, and what you do with your Mac.
At the moment, you’re most likely to come into contact with malicious software and other threats if you engage in any of the following:
downloading ‘warez’ and commercial software with licensing restrictions removed, typically in torrents,
trading in cryptocurrency,
visiting dubious sites associated with certain countries,
engaging in any form of illegal or marginal trading or activity,
journalism, research, criticism, or political activity involving certain governments.
The last of those exposes you to the risk of being targeted by what Apple terms “mercenary spyware” produced by well-funded groups like NSO, who produce some of the most deeply invasive attacks. The others are all well-known vectors for more regular malicious software. Defending against those requires the full resources of the latest version of Sonoma, if you really have to engage in that activity, and requires specialist advice and security enhancements.
For the great majority of us who don’t take those risks, the most real threats are phishing attacks and similar scams via email or messaging services including Messages, and the occasional unintended visit to an unexpected website. If you’re going to survive those, then your personal defences are most important, and must be maintained.
With care and thought, running an older version of macOS need not put you at significantly greater risk. As the old adage goes: be good, and if you can’t be good all the time, at least be very careful.
Summary
Big Sur and later have a more resilient system architecture.
Keep XProtect up to date.
If possible, run Catalina or later to benefit from XProtect Remediator, and ensure it’s kept up to date.
Don’t disable any of the security protection in macOS. If you’re using OCLP, striking the right balance is complicated.
Prefer the most recent version of macOS your Mac can run, and ensure it’s kept up to date with security updates.
Ensure Safari is also kept up to date; if your Mac can’t run a current version, consider using a different browser that can be kept updated.
Consider third-party security products as an enhancement, not a substitute for good security practices.
Don’t run the risk of downloading ‘warez’, trading in crypto, visiting dubious sites, engaging in illegal activities, or becoming a target for mercenary spyware.
Never drop your guard.