About the security content of iOS 12.4.9

support.apple.com

160 points by axyjo 5 years ago · 176 comments

alewi481 5 years ago

I'd like to give kudos to Apple for including the iPhone 5S in this security update, which was released on September 20, 2013, over 7 years ago! Supporting a product for even 3 years is rare in the smartphone world.

  • Y-bar 5 years ago

    Wouldn't last official sale date be a better indicator of true device support? For example if someone bought it in an Apple store on the last day available, how long a period would they have received updates for?

    For example in mid 2017 it was still officially sold by Apple in India (source: https://www.iphonehacks.com/2017/05/apple-iphone-5s-iphone-s...).

    • JohnTHaller 5 years ago

      Comparatively, no. Android phones generally get a maximum of 3 years of security updates from launch, not from last device sale date. So, within mobile phones, it's more informative to compare it to their competition. It shows you just how much better Apple is at mobile device support compared to everyone else.

      • Schlaefer 5 years ago

        Well, you still get updates through the store way longer than 3 years. With more and more components (e.g. the browser) coming through the store, the picture is not as black and white anymore.

      • anonunivgrad 5 years ago

        So use the last sale date for both. Your point makes no sense.

        • kurthr 5 years ago

          Galaxy S8 on sale at Walmart, Staples, and NewEgg. Likely falls off support in 3-4 months. So Android flagships are close to zero or even negative support time?

          • TrueGeek 5 years ago

            This is what got me to finally switch to Apple. Updates take forever. I bought a Samsung off Amazon for testing and for some reason I still have to wait on T-Mobile. And then after a year, maybe two, there just aren’t any more updates.

            • jmnicolas 5 years ago

              Samsung makes superb hardware but they're clearly not at ease with software, it always feels like an afterthought.

              If they were serious about competing with Apple, software is where they should focus.

            • JohnTHaller 5 years ago

              This is why I switched to Pixel. 3 years of full updates. And you can then switch to LineageOS if you'd like as well.

          • anonunivgrad 5 years ago

            That sounds dangerous to me.

            • Polylactic_acid 5 years ago

              They have no legal requirement to update. It's also not a bait and switch, they have done this for a decade now. Buy an iPhone if you want updates.

    • gruez 5 years ago

      >Wouldn't last official sale date be a better indicator of true device support?

      well in that case many cheap android phones/tablets would have negative support periods, considering they don't release any updates at all.

      • loeg 5 years ago

        Yes? That sounds about right.

        • internet2000 5 years ago

          Which makes it kind of a pointlessly obtuse metric. To claim a device has negative months of support.

          • lmkg 5 years ago

            It's accurate, though. When I am evaluating devices to buy, a metric I care about is "after I buy this, how long will it remain up-to-date with security patches?" And the answer to that question is "on the day that you buy it, it is already several months behind on security patches and will not improve." That metric is not the be-all-end-all of support, but is meaningful, and low or negative values have the correct interpretation in that context.

          • maltalex 5 years ago

            It's not pointless at all. It accurately reflects the situation of buying a device off the shelf long after its official end of life.

          • loeg 5 years ago

            Sorry, I don't follow.

    • diebeforei485 5 years ago

      Apple uses this metric as well[1]. If something hasn't been sold by Apple for 5 years (but less than 7 years), it's considered vintage and you can still get hardware service and certain critical software fixes, though not necessarily any new features.

      The support for MacBooks is actually great. Certain Late 2013 and Mid 2014 Retina MacBook Pros, while considered vintage, will be receiving the Big Sur update[2].

      1. https://support.apple.com/en-us/HT201624

      2. https://www.apple.com/macos/big-sur-preview/ (at the bottom of the page)

      • ValentineC 5 years ago

        > The support for MacBooks is actually great. Certain Late 2013 and Mid 2014 Retina MacBook Pros, while considered vintage, will be receiving the Big Sur update.

        I think it's more likely that Apple's new frameworks don't require any fancy hardware features that aren't available in the Late 2013 MacBook Pros.

        • diebeforei485 5 years ago

          It's true that laptop computers have not changed as much over the years. This is in large part because Intel CPUs and architecture have not changed as much, while iPhone CPUs have improved by leaps and bounds.

          I wonder how much this might change when Apple Silicon comes to the Mac.

          • snazz 5 years ago

            It feels like smartphones are stabilizing as well. I don't see myself needing to replace my iPhone 8 for a while, even though there have been three more generations afterwards. An iPhone 5 felt much more outdated at the time of the 6s/SE.

            • diebeforei485 5 years ago

              Agreed - since 2017 the main improvements have been to the cameras, plus some improvements to efficiency, and (depending on your carrier) 5G.

              I find 5G (coverage on mid-band, not the hyped speed on ultra-wideband) to be the most compelling reason to upgrade my phone this year.

            • read_if_gay_ 5 years ago

              Having owned a 5S, 6 plus, and now XR, the all screen design is a much bigger upgrade than iPhone 5 vs. 6S in my opinion.

        • jsjohnst 5 years ago

          > I think it's more likely that Apple's new frameworks don't require any fancy hardware features

          Mojave and higher isn’t “supported” on the cheese grater Mac Pros despite it running more than fine, including with FileVault 2 enabled on the boot volume (which an Apple exec tried to claim was technically not possible).

          • miles 5 years ago

            > Mojave and higher isn’t “supported” on the cheese grater Mac Pro

            The 2010 and 2012 Mac Pros officially support Mojave with a compatible video card:

            Install macOS 10.14 Mojave on Mac Pro (Mid 2010) and Mac Pro (Mid 2012) https://support.apple.com/en-us/HT208898

            • jsjohnst 5 years ago

              Yeah, my sentence structure leaves a bit to be desired. The key there is including FileVault being enabled.

      • mulmen 5 years ago

        I have a Mid-2014 RMBP, there's nothing wrong with it at all. It's sad to think OS support may be dropped in the next few years.

        • jmnicolas 5 years ago

          Yes, we're bombarded with guilt messages about us destroying the planet but even when we want to do the right thing there's no path available.

          I have an old Samsung tablet that doesn't work anymore. I could try to change the battery for 20€ or buy the cheapest tablet on Amazon for 40€

        • chrisweekly 5 years ago

          Still rocking my maxxed-out 2012 mbp15r here.

          • newman314 5 years ago

            Ahem, rocking my 2009 MBP running Catalina =D

            Although this appears to be the end of the line as there is no graphic acceleration support in Big Sur

    • swinglock 5 years ago

      A range would be fair. For example "safe to use for 3-7 years" in the case of this phone by the sound of it.

    • jtbayly 5 years ago

      No, because devices can be and sometimes are sold with software that is already out of date. The better indicator is how long software support is provided for a device from beginning to end.

      • anamexis 5 years ago

        Why is that a better indicator?

        If I buy a new phone from the manufacturer and it's already unsupported, that's really bad. I don't care if it was supported for 8 years before I bought it.

      • Jtsummers 5 years ago

        Hah. This bit us when I got my mother an iPhone SE (2016) to replace her iPhone 4 a year or so ago. I tried to restore from iCloud backup and it kept failing, and finally it dawned on me that the OS may have been out of date. Skipped the restore, updated the OS, and wiped the phone. The restore worked correctly.

        • WrtCdEvrydy 5 years ago

          On the flip side, the Apple guys have a lot of patience to deal with my stubborn ass trying to activate an iPhone 4... the non-SIM servers were taken offline years ago so I popped in a SIM and off I went.

      • Dahoon 5 years ago

        Sure but that doesn't change how long they supported after end of sale which wasn't in 2013 but at least until 2017. So ~3 years of software updates from end of sale. Still OK but not anything special.

        • simonh 5 years ago

          To not be special, there must be many phones out there getting the same or better support. What are they? Who sells these many other smartphones that have had 3 or more years of updates from last sale?

          Certainly not the Pixel phones, they get 3 years support from first launch only, and they're supposedly the gold standard for Android software support. It's pretty much the reason they exist. Yet after last sale support for the 5S matched the Pixel's from launch support, and we don't even know that this is the last update the 5S will get.

        • philistine 5 years ago

          You decided to count the days of support in a completely uncommon way that no one usually discusses but decided that three years was ok based on the common way people count, which is since initial release.

          You can’t have your cake and eat it as well.

  • als0 5 years ago

    The 5S is still the perfect iPhone.

    • bradlys 5 years ago

      Well, let's not get crazy. It's fine (I'm using it currently because my Samsung S9 died) but it's definitely no perfect phone. It doesn't even have water resistance and the screen to body ratio is pretty bad, IMO.

      Only upside is the thing is built in such a way that it has barely taken any damage from the years of abuse I put it through.

      I'm likely getting an iPhone 12 Pro Max very soon and will continue to only use the iPhone 5S I've had since 2013 as a backup.

      • radicaldreamer 5 years ago

        You're going from a 5s to a Pro Max? That's almost a jump across product categories... like switching from an iPhone to an iPad Mini.

      • samoa42 5 years ago

        > the screen to body ratio is pretty bad, IMO

        if rated against _my_ body, the ratio is damn near perfect

    • Tepix 5 years ago

      If the 5S is perfect, what's the iPhone SE (2016)?

      • mikepurvis 5 years ago

        I love the 5S form factor as well. I only updated from it earlier this year to get iOS 13 to use the COVID Alert app here in Canada (and my upgrade was buying a smashed-screen iPhone SE for next to nothing, of course, and swapping the old phone's screen onto it).

      • rosstex 5 years ago

        My current phone.

      • CalChris 5 years ago

        What's in your back pocket? Seriously, love my SE. I just got the battery replaced, $49 taken from a MacBook trade-in value, so basically free since I can't use that money any other way.

      • encom 5 years ago

        The last iPhone with proper headphone support.

      • saagarjha 5 years ago

        Not chamfered :(

      • als0 5 years ago

        A replica.

      • nbzso 5 years ago

        The last iPhone that I use.:)

    • ezekg 5 years ago

      How do you still have one that's running OK? My Apple products almost always "die" after a few years. I had the 5S but one day it crashed and would not turn back on no matter what I did. The iPhone I had before that did the same thing.

      • reaperducer 5 years ago

        > How do you still have one that's running OK? My Apple products almost always "die" after a few years.

        Consider yourself unlucky and never buy a lottery ticket.

        Apple is well-known for making products that last longer than most others in the industry.

        I have a launch day iPhone 5 that gets daily use and still works fine as of this morning. Launch day was in September of 2012.

      • snazz 5 years ago

        Is that a common issue? I've certainly heard about devices losing battery life and cameras progressively getting worse, but complete death is very uncommon unless you use it without a case and drop it all the time or something.

        I still have a working iPhone 5 (no S) with a home button that spins and a slightly broken screen bezel but no other issues.

        • CuriousSkeptic 5 years ago

          I have a 4S still running.

          At one point I thought it died permanently. But it turned out to only be the screen dimming too much. In bright light it auto adjusted enough to be visible, allowing me to raise the brightness.

        • wiredfool 5 years ago

          I had a 5s die at one point, it got reset to the point where it needed to activate, and couldn’t.

      • hbbio 5 years ago

        The list of old Apple devices that still work well is impressive: I still have one original iPad, an iPhone 3GS, several iPhone 4. Same goes for the more recent ones, with the exception of the few devices that I dropped on hard floors over the last 10 years...

        • mattkevan 5 years ago

          Still have a first-generation iPod Touch running iOS 3. Works like a charm, can even download some apps from the App Store. Bit of a shock how both primitive and advanced the early versions of iOS were.

          • jmnicolas 5 years ago

            I had an iPad 1 running iOS 5 I think, but in the end I stopped using it because Safari would "crash" on most websites due to it running out of ram I guess.

            IIRC there's 128M of ram on the first iPad.

      • zimpenfish 5 years ago

        I have a 4S that's still running perfectly happily. Can't do much with it, mind, given that everything is wildly out of date but it may yet get repurposed as a webcam when I get some free time.

      • JohnBooty 5 years ago

        I believe you but I've honestly never heard of anybody suffering "random cellphone death" - Apple or otherwise. Everybody seems to break them or upgrade them long before that.

        • _0w8t 5 years ago

          I had it with Nexus 5x. It died after 1.5 years when I used an app to get a train ticket. It turned out it was a known hardware bug judging by forums. It was in Norway so the phone was still under warranty and it was “repaired” - the motherboard was replaced. Still not much later I bought the original iPhone SE. I just did not like the idea of phone stopping working for no reason.

      • wil421 5 years ago

        I have an iPhone 3GS and an iPad 2 that still work. They are very slow and most apps don’t support their oses. I’d still have an iPhone 7 Plus if it wasn’t at the bottom of a river rapid. My wife has a white MacBook somewhere from 2009/10.

        The only problem I’ve had was a 2011 MBP having a GPU issue.

      • abawany 5 years ago

        I fired up an old 5S as a result of this post and was sad to find that it appears to be dead.

    • chews 5 years ago

      The 12 mini is gonna be my next daily driver.

      • ChrisMarshallNY 5 years ago

        Same here.

        I write iOS software, so I have a whole bunch of test units.

        My "low-end" test unit is an iPod Touch (last gen). Basically, a skinny SE (Apple doesn't even have an iPod simulator -you're supposed to use an SE sim).

        My regular daily phone is an Excess Max (XSMax). I'm sick to death of it. I don't have much use for all that screen real estate, and it's a big honkin' monster.

        Every time I use my Touch, it makes me envious.

        I'll be placing an order for a Mini, tomorrow.

    • texasbigdata 5 years ago

      Some YouTube gadget reviewers agree with you and predict some “revivals”.

  • namanaggarwal 5 years ago

    Also to Google for finding the majority of them

    • curt15 5 years ago

      If only Google could put this much effort into supporting its own Pixel devices, which stop getting updates to the base OS after just three years.

      • dmitrygr 5 years ago

        I promise you, people inside google are equally frustrated with this unjustifiable top-down decision. (am Xoogler)

      • Shared404 5 years ago

        Depending on your usecase, GrapheneOS may be of interest.

      • Dahoon 5 years ago

        >after just three years

        The 5S was sold from Apple stores in India in mid 2017. So that's 3 years of updates from end-of-sale and this is an OS update for a 2 year old OS. So two years of support. Less than the Pixel.

        • irae 5 years ago

          When someone buys a 5S in 2017 they surely know already, or should, that it is a cheap buy to last less than a newer model. So 3 years in this case is actually a great deal.

        • majormajor 5 years ago

          I had a Pixel 1, launched in 2016, and it lost support in 2019. 3 years after start of sale, not end of sale.

          It's part of why I went back to Apple.

  • ponker 5 years ago

    This is why Apple makes the cheapest smartphones, as long as you avoid dropping them.

  • RotANobot 5 years ago

    My 8 (or 10?) year old AppleTV just got an update today. I was excited because the YouTube app pause function stopped working after the previous update a couple of weeks ago. Alas the problem remains.

  • gcheong 5 years ago

    Since this is a security update I think it’s more about support of an OS which is only 2 yrs old than the class of device as that class was supported with the initial iOS 12 release.

    • evad3r 5 years ago

      I think it's more a testament to the length of time they support their devices for.

  • PopsiclePete 5 years ago

    This is what I try to explain when it comes to "why are you paying so much for Apple". Because when you buy a cheap Android phone from Xuoiamiaeoi or whatever, you get some custom crippled OS in god knows what ways with close to 0 long-term support from them.

tptacek 5 years ago

A tricky thing about flagging "in the wild exploited vulnerabilities" in a title like this is that it suggests that sev:crit vulnerabilities in other updates that aren't flagged like this aren't being exploited in the wild. We get confirmation of only a subset of exploited vulnerabilities.

We'd be better off with a more neutral title, like "fixing severe vulnerabilities" or something like that.

  • thatguy0900 5 years ago

    I still think it's important to say that we know they are being actively exploited, even if all vulns might be

    • tptacek 5 years ago

      That's the kind of thing you can say in a comment, rather than in the title.

  • dang 5 years ago

    We've changed the title above to that of the page. (Submitted title was "Apple releases iOS 14.2 and 12.4.9, fixing in-the-wild exploited vulnerabilities".)

    • scarybeast 5 years ago

      I think this is a bad decision. The "in-the-wild" part is the interesting part because it is not the norm at all and it implies an interesting story.

      • dang 5 years ago

        Happy to change it to a better title, i.e. something more accurate and neutral. We're particularly happy to do that with corporate press releases, which often deliberately obscure the situation. But usually that requires a suggestion (and at least partial consensus) from users who understand the story.

        https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...

        • saagarjha 5 years ago

          Yeah, Apple's page titles generally suck, especially when they are presented without context. The big things in this one are that they're pushing fixes to devices that people had considered abandoned for almost two years, and that these fixes explicitly mention that they have been exploited in the wild in what I believe is Apple's second admission of this, and the first time they did so without blaming Google Project Zero of a mischaracterization. That's clearly a bit too much to put in a title, but something like "Apple releases iOS 12.4.9, backporting fixes for severe security vulnerabilities". I'd like to put "exploited in the wild" in there somewhere as well since I think it's an important part of the story, but I am not sure if this would keep it neutral.

      • tptacek 5 years ago

        It's an idiosyncrasy of the site that we avoid highlighting things in titles ("stories are community property, and submitting one doesn't give anyone the right to editorialize them").

        I agree that the title we ended up with is suboptimal! "Exploitable" is a word I'd have been comfortable seeing there. But you take the good with the bad with the HN title rule; the site is primarily about discussion, not about being a noticeboard, and titles determine the discussion we have.

      • judge2020 5 years ago

        I’m not sure if it actually means “being used to exploit unknowing devices” given that Apple doesn’t define how they use it on that page. It very well could be referring to news about iPhone 12 jailbreaks (not that there is one yet https://twitter.com/fce365/status/1320691136890109952?s=21)

  • sneak 5 years ago

    The other thing to consider is that doing a binary diff on the OS before/after patching puts a big red arrow right at the location of the bug, which means that there's no reasonable expectation that it will remain unexploited after the patch.

    It's not really that important, really. It's either being exploited yesterday, or tomorrow.

  • baby 5 years ago

    Disagree, if we have proof that it is currently being exploited then that’s the news more than anything else.

patio11 5 years ago

Note that there are similar issues in macOS, too. https://support.apple.com/en-us/HT211947 <-- Catalina 10.15.7 Supplemental Update notes

  • 1over137 5 years ago

    But nothing for macOS 10.14.x, oddly.

    • saagarjha 5 years ago

      Catalina runs on all Macs that support Mojave, which I assume influenced the decision. (I didn't see an iOS 13 update, which helps bolster this theory.)

      • why_only_15 5 years ago

        My guess is that iOS 13 didn't drop support for any devices, and Apple is only releasing a patch for devices that can't upgrade to the newest OS.

heavyset_go 5 years ago

I think it's interesting how iOS exploits are cheaper[1] than Android exploits, because iOS exploits are so plentiful in comparison to Android exploits.

[1] https://arstechnica.com/information-technology/2019/09/for-t...

  • rozab 5 years ago

    What about the fact that android has 3 times the market share?

    • Closi 5 years ago

      And the fact that android devices are generally patched slower, so an exploit can give you access for longer.

    • heavyset_go 5 years ago

      In the US, iOS has the majority of market share at 52.4%, and Android has 47%[1].

      [1] https://www.statista.com/statistics/266572/market-share-held...

      • snazz 5 years ago

        The US isn't representative of the rest of the world in this regard. That's why any discussion of iMessage is filled with half the people arguing that iMessage is the best thing since sliced bread (Americans) and the other half saying they never use it.

        • dylan604 5 years ago

          Do Americans really represent half of smart phone users? I would have thought it to be smaller than that given the population of the planet.

          • snazz 5 years ago

            I was meaning HN users. In those discussions, it feels like about half are Americans. You’re right if we’re talking about overall users.

  • JumpCrisscross 5 years ago

    This is super interesting. I don’t agree on your explanation. But is there any scholarship on the matter?

    Variables appear to be size of user base, average disposable income, mean time to patch and number of competing exploits in the market.

  • duxup 5 years ago

    Is that still the case?

    The article implies that before it was written that wasn't the case previously.

    • Veserv 5 years ago

      Does it matter? A full-chain zero-click remote complete compromise for either system is only $2-3 million. That is absolute chump change. 4-6% of households in the US [1], 5-8 million households, have sufficient assets to fully compromise every iPhone or Android in the world. If we consider businesses, I bet that is within the reach of no less than 50% of the businesses (including small businesses) in the US. That is an absurd number of entities where that price point is totally doable.

      If a bad actor can derive just $10 on average per phone they attack, then all they need to do is find a way to deploy their $2-3 million exploit to 1 million phones for less than $5 million to make a tidy profit. Given that we are talking about zero-click remote compromises, which means the victim only needs to receive the payload, this means that it is profitable as long as the cost per victim impression is less than $5, a CPM of $5000. With that sort of budget you can embed your attack into an ad and then outbid everybody else by a factor of 10 for placements. You can buy a mailing list and embed your attack as a "payload pixel". If it is a zero-click text message attack then you can buy access to the spam-callers and mass deploy it that way.

      These systems are between a factor of 10-100x off of adequate. To care about their relative differences is like debating whether paper mache or tissue paper is better at stopping bullets. One is probably better than the other, but neither provides meaningful protection, so it hardly matters. You need fundamental, qualitative improvements before differences between the solutions provide meaningful effects on outcomes.

      [1] https://dqydj.com/average-median-top-net-worth-percentiles/

      • tptacek 5 years ago

        If bad actors could derive $10 on average from 1MM phones, vulnerabilities would cost substantially more than $2-3MM.

        • Veserv 5 years ago

          Not really. That is only looking at the demand-side of a supply-demand relationship. Buyers will obviously prefer a cheaper vulnerability with a comparable effect to a more expensive one, so if vulnerabilities are easy to find at a price point where it is profitable to sell them at $2-3MM, then any finder who charges a lower price than others will be more attractive to buyers. This selling competition can easily drive the price down until it is much lower than the potential upside to a buyer of $10MM with a lower bound of the actual cost of discovery (which I already postulated is low enough that $2-3MM is profitable given that Zerodium is able to acquire vulnerabilities for that price) since anything less than the actual cost of discovery is unprofitable. This is the same reason why water is cheap even though it is absolutely essential to human life, it is plentiful and easy to acquire so suppliers compete on price driving it down to a value much closer to the cost of acquisition rather than the maximal upside to the buyer assuming no other alternatives are present.

          • tptacek 5 years ago

            Zerodium is not generally paying out $2MM for vulnerabilities and the people who acquire vulnerabilities from Zerodium aren't monetizing them directly off the installed base of phones.

            An important thing to know about the market for these things is that the "clearing price" of an exploit chain is usually a cap, not an actual price; you're paid in tranches, until the vulnerability is burned. You're hoping it isn't burned before all your tranches are paid.

            That has implications for the hypothetical business model you've proposed.

      • duxup 5 years ago

        >Does it matter?

        Yes?

        Considering it was the measuring stick that person seemed to feel was important.

    • heavyset_go 5 years ago

      Yes. Here's an article from May of this year[1], where it states that it is still the case.

      Also, you can go directly to Zerodium's website, where, as of today, they are still paying more for Android exploits than iOS exploits[2].

      [1] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/

      [2] http://zerodium.com/program.html

  • vxNsr 5 years ago

    Or possibly bec apple patches quicker so the exploit is less useful.

  • kogir 5 years ago

    I’d guess it’s because the individuals worth using a targeted exploit on are more likely to be carrying iPhones.

    • asdfasgasdgasdg 5 years ago

      I think you've misunderstood. iOS exploits are cheaper. If your explanation held, then you'd expect them to be costlier. That said, I'm sure your explanation is a component of their price.

saagarjha 5 years ago

I think this is the first time Apple has mentioned that the bugs they fixed were exploited in the wild? A welcome change if so.

jamiehall 5 years ago

Linking to the 14.2 list (https://support.apple.com/en-us/HT211929) might be better? After clicking the headline link, it took me a few seconds to understand why we were caring about updates for the iPhone 5 and 6...

  • snazz 5 years ago

    I think it's worth linking the 12.4.9 page because it's impressive that the software update is available going all the way back to the iPhone 5s. That's some serious longevity.

    • zokier 5 years ago

      > That's some serious longevity

      Well, yes, it's better than your average Android vendor. But on the other hand Windows 8 was released 2012 (i.e. about a year before iPhone 5s), and is scheduled to get updates until 2023. That is pretty serious longevity. And supporting a handful of Apple devices must be comparatively simpler than supporting the hodgepodge fleet of Windows 8 devices.

sebastien_b 5 years ago

The problem with these updates is that it's only for devices that can only support up to iOS 12 (in this case) - if you have another device that supports anything higher but don't want to upgrade to the latest iOS, you still won't get these iOS 12 security updates - they force you to upgrade the entire OS to get them.

  • olliej 5 years ago

    You're literally saying you have the ability to update, but don't want to, and so it's unfair you can't update.

    • sebastien_b 5 years ago

      Not exactly - more like being denied the ability to not have a specific OS version forced on someone if they want their device to stay secured.

      Being able to stay secured with the latest patches shouldn’t require one to be forced to get the unwanted memory/resource hogging “features” of newer OS releases.

hosteur 5 years ago

Can these vulns be used to jailbreak a phone?

MrStonedOne 5 years ago

Anybody get a bittersweet feeling whenever these reported and fixed security exploits announcements happen?

It's good that users aren't going to risk getting hacked by such vulnerabilities, but it's bad that users can no longer use these exploits to gain administrative control over their property.

  • userbinator 5 years ago

    Nevermind right to repair, how about right to own...

    The fact that you're even being downvoted for this shows just how far the authoritarian control-freaks have taken over and brainwashed everyone with paranoia to jump right into their jail.

  • snazz 5 years ago

    Apple isn't going to force you to update your device, so you can stay on an older version if you want jailbreaks.

    • ValentineC 5 years ago

      Apple doesn't allow downgrading (and it's gotten even harder with Touch/Face ID not being downgradable with SHSH blobs), so people who accidentally update, or get their hardware replaced in a repair, are SOL.

    • MrStonedOne 5 years ago

      users buying new devices that automatically update on activation aren't going to have that choice.

      • nahkoots 5 years ago

        Users that care about having control over their devices shouldn't be buying Apple hardware in the first place. Not that I support Apple's anti-consumer practices, but if you buy one of their products, you have to know what you're getting yourself into.

  • beagle3 5 years ago

    If you want a phone that you have control over, don't buy one from Apple... At this point in time, choices are mostly limited to Librem and PinePhone.

  • lern_too_spel 5 years ago

    The users of these devices know they are serfs in the Apple ecosystem. People who want devices they can control buy other devices.

swiley 5 years ago

Maybe I got hit with one of these, my phone stopped being able to answer phone calls and auto focus stopped working (like something reflashed the firmware on a bunch of the internal peripherals.)

I was going to wait until the software on my pinephone was more mature but that pushed me over the edge to get power management working on my own and make sure it could make phone calls. I think dumping iOS has done a lot for my mental health and I'm glad to have left it.

  • tptacek 5 years ago

    Per PZ, the attacks here are targeted, meaning that the people exploiting them spent a fair bit of money to get these exploits, and are presumably very unhappy that they are burned. Unless you are special, it's unlikely that you got hit with one of these.

  • asimilator 5 years ago

    > I was going to wait until the software on my pinephone was more mature but that pushed me over the edge to get power management working on my own and make sure it could make phone calls.

    I guess stress is personal, because this sounds way more stressful than anything I've had to deal with on iOS! And I say that as someone who'd like to get a more open (hardware and software) phone in the future.

    • swiley 5 years ago

      iOS wasn't stressing me directly, it was that the UI is built to encourage compulsive media consumption and that was eating into other parts of my life like work (which is stressful.)
