![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/03\/Apple-Watch-Series-3-headstone-graveyard-600x320-1.jpg\")
<\/p>\n<\/p>\n
This week, Apple released watchOS 8.8.1<\/a>, a surprise security update for the Apple Watch Series 3. This was the first security update compatible with the Series 3 since 11 months ago, in July 2022.<\/p>\n This is kind of a big deal, but not for the reason you might think. Sure, it’s great that Apple patched a vulnerability. But that’s just it\u2014Apple patched one, single, solitary vulnerability. Apple has yet again set a precedent of giving users a false sense of security by releasing incomplete patches. Here’s the whole story\u2014that Apple doesn’t want you to know.<\/strong><\/p>\n In this article:<\/p>\n For reasons that Apple has never disclosed, the Apple Watch Series 3 is the only model stuck on watchOS 8; the Series 4 and later watches are all compatible with the latest watchOS 9 updates.<\/p>\n Apple’s decision to not support watchOS 9 on the Series 3 was mystifying.<\/p>\n The company continued to sell this watch model in the main section of its online store right up until five days before the release of watchOS 9.<\/p>\n Mind you, this was three months after the June 2022 WWDC, when Apple quietly revealed that the Series 3 would not be compatible with watchOS 9, yet Apple continued to feature the watch prominently in its online store for three more months.<\/p>\n Even after watchOS 9 was released and Apple removed Apple Watch Series 3 from the main section of its online store, Apple continued to sell refurbished units of the Series 3 for an additional eight months, until March 2023.<\/p>\n During this entire time that Apple continued selling the Series 3, Apple released precisely zero security updates for it\u2014in spite of there being known “actively exploited” vulnerabilities impacting watchOS 8<\/strong>.<\/p>\n It’s truly a wonder that Apple has not been sued for its gross negligence. Apple knowingly left its customers vulnerable, and knowingly continued selling a device with in-the-wild exploited vulnerabilities.<\/a><\/p>\n So, now that Apple has finally released the first security update for watchOS 8 in nearly a year, does that mean that Apple has repented of its sins, and made things right for Series 3 watch owners?<\/p>\n Sadly, no.<\/p>\n What we actually got with watchOS 8.8.1 was a single patch, for a single vulnerability.<\/strong> Yes, it was an actively exploited vulnerability<\/a>\u2014and that’s a big deal, because it means it was confirmed to have been used in real-world attacks.<\/p>\n But it won’t be obvious to Apple Watch Series 3 users that all the other vulnerabilities that have remained unaddressed for the past 11 months are still there. They’ll see the watchOS 8.8.1 update, and notice that it says it’s a security update, and install it. And they won’t give it another thought.<\/p>\n They’ll continue to be blissfully unaware that their watches are still highly vulnerable. They won’t know that they still haven’t received patches for the two actively exploited vulnerabilities that Apple addressed only for watchOS 9.0, let alone dozens of other vulnerabilities in that update, and dozens since then that likely also impact watchOS 8.<\/p>\n If you’re one of those folks who\u2026<\/p>\n \u2026I truly feel for you, and I’m sorry that Apple has wronged you and violated your trust in this way. If you feel that Apple has treated you unjustly, I hope that somehow, someone at Apple will find some way to make it up to you in a satisfactory way.<\/p>\n But chances are that you, dear Series 3 user, aren’t even reading this article, and you’ll never know any better.<\/p>\n And chances are that, like my article back in March, this will get zero coverage from the mainstream press, and little to no coverage from the tech news press, or small outlets that cover Apple news.<\/p>\n And chances are that precious few will ever know about this, and Apple won’t feel any obligation to actually make things right.<\/p>\n After all, who cares about a giant mega-corporation, with more cash on hand than any other in the world, knowingly putting its paying customers at severe personal risk of having their data stolen, their devices hacked, and their privacy violated? Surely there aren’t any consumer protection laws against such things. And anyway, everyone knows that Apple is always the good guy. Because “Privacy. That’s Apple.<\/a>” Apple has committed similar sins in the past, although previous instances were not quite as egregious.<\/p>\n A couple of notable examples of hardware that Apple cut off from security updates shortly after their last date of sale were the iPod touch (6th generation) in 2019 and the iPod touch (7th generation) in 2022.<\/p>\n Apple discontinued the 6th gen mere days before WWDC 2019\u2014at which time the company silently revealed that the 6th gen wouldn’t support iOS 13 which would be released three months later.<\/p>\n <\/a>Apple did nearly the same thing when it discontinued the 7th gen (the final iPod touch model) a few weeks before WWDC 2022, at which time the company silently revealed that the 7th gen wouldn’t support iOS 16 which would be released three months later.<\/p>\n <\/p>\n Setting aside cases where Apple dropped support for recently sold hardware, Apple routinely provides a false sense of security to Mac, iPhone, and iPad users<\/strong> by providing only selective, cherry-picked security updates for previous versions of macOS, iOS, and iPadOS, respectively. I’ve written and spoken about this extensively over the past two years; see for example my October 2021 article, Apple’s Poor Patching Policies Potentially Make Users’ Security and Privacy Precarious<\/a>. As I note in that article, Apple sometimes even neglects to patch actively exploited<\/em> vulnerabilities for previous OS versions, knowingly leaving users vulnerable to in-the-wild exploits<\/strong>, unbeknownst to them.<\/p>\n This is a real problem, because users with old hardware that’s incompatible with the latest (and fully patched) OS\u2014and users who simply don’t think they need to upgrade, and put it off for whatever reason\u2014will mistakenly think they’re getting all<\/em> security updates, when in fact their devices remain vulnerable to dozens of exploitable bugs that attackers can leverage to compromise their security and privacy.<\/p>\n Apple should either patch all vulnerabilities that are applicable to previous OS versions, or none\u2014or if it’s going to cherry-pick, Apple should provide frequent, clear warnings to users who stay behind on an old OS. Apple’s current practices deceive users of older OS versions into thinking they’re just as safe as if they were running the current major OS, which is far from the truth.<\/a><\/p>\n For more details on what was patched this week, see our main article<\/a> about the updates.<\/p>\n Apple patches vulns used to infect Russian iPhones with TriangleDB malware<\/a><\/p><\/blockquote>\n\n
\n
What’s the back story with watchOS 8 and Apple Watch Series 3?<\/h3>\n
Does the release of watchOS 8.8.1 mean Apple has repented?<\/h3>\n
\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/06\/apple-logo-with-security-lock.png\"){kind=logo}
<\/a><\/p>\nHas Apple ever done anything like this before?<\/a><\/h3>\n
Apple’s history of discontinuing security updates for recently sold hardware<\/strong><\/h4>\n
Apple’s history of providing incomplete patches for older OS versions<\/strong><\/h4>\n
How can I learn more?<\/h3>\n