[HN Gopher] About the security content of iOS 12.4.9
___________________________________________________________________
About the security content of iOS 12.4.9
Author : axyjo
Score : 84 points
Date : 2020-11-05 19:29 UTC (3 hours ago)
(HTM) web link (support.apple.com)
(TXT) w3m dump (support.apple.com)
| alewi481 wrote:
| I'd like to give kudos to Apple for including the iPhone 5S in
| this security update, which was released on September 20, 2013,
| over 7 years ago! Supporting a product for even 3 years is rare
| in the smartphone world.
| ponker wrote:
| This is why Apple makes the cheapest smartphones, as long as
| you avoid dropping them.
| wnevets wrote:
| until Apple throttles the hardware with their software
| updates [1]
|
| https://www.theverge.com/2020/7/13/21322867/apple-iphone-
| bat...
| hokumguru wrote:
| Wasn't the purpose of that throttling to extend the life of
| older phones? Throttling the CPU let them stay within the
| limits of the worn out battery and let the device continue
| to be used without crashing.
| wnevets wrote:
| That may have been their public explanation after being
| caught throttling the hardware.
| Y-bar wrote:
| It was to extend the battery life, which was a workaround
| for the flawed battery design (contra CPU power draw). I
| bought an iPhone SE in the first month available and it
| started throttling by month 10, I'm not a battery
| designer, but I did not buy a device marketed as 2x the
| speed of 5S only for it to silently drop to 0.8x the
| speed of the 5S less than a year later.
| jeron wrote:
| In which they had a whole year of really cheap, highly
| subsidized battery replacements to correct their error. I
| think Apple should be forgiven for this
| Y-bar wrote:
| I was unable to benefit from the battery replacement due
| to a chip in the screen they discovered after I got a CS
| code to do it: https://i.imgur.com/Gr1bPTU.jpg
| tdonovic wrote:
| What is a CS code?
| Y-bar wrote:
| Effectively a coupon code issued by a customer support
| representative.
|
| Apple did not actually offer the replacement program
| within ~600km of my home, but I managed to convince them
| that an Apple Authorised Service provider in my town at
| least do it. They agreed and gave me a CS Code valid for
| the the battery replacement to be done.
|
| But it was ultimately denied because of a tiny chip in
| the glass on the screen.
|
| I _really_ liked every other aspect of this phone though.
| reaperducer wrote:
| _the flawed battery design_
|
| I'm going to play the odds and guess that you're not a
| battery designer.
| als0 wrote:
| The 5S is still the perfect iPhone.
| Tepix wrote:
| If the 5S is perfect, what's the iPhone SE (2016)?
| encom wrote:
| The last iPhone with proper headphone support.
| mikepurvis wrote:
| I love the 5S form factor as well. I only updated from it
| earlier this year to get iOS 13 to use the COVID Alert app
| here in Canada (and my upgrade was buying a smashed-screen
| iPhone SE for next to nothing, of course, and swapping the
| old phone's screen onto it).
| nbzso wrote:
| The last iPhone that I use.:)
| saagarjha wrote:
| Not chamfered :(
| jdhawk wrote:
| sure they are, they're just matte finished.
| rosstex wrote:
| My current phone.
| gumby wrote:
| The price is definitely right -- cheaper than an upgrade!
| ezekg wrote:
| How do you still have one that's running OK? My Apple
| products almost always "die" after a few years. I had the 5S
| but one day it crashed and would not turn back on no matter
| what I did. The iPhone I had before that did the same thing.
| hbbio wrote:
| The list of old Apple devices that still work well is
| impressive: I still have one original iPad, an iPhone 3GS,
| several iPhone 4. Same goes for the more recent ones, with
| the exception of the few devices that I dropped on hard
| floors over the last 10 years...
| snazz wrote:
| Is that a common issue? I've certainly heard about devices
| losing battery life and cameras progressively getting
| worse, but complete death is very uncommon unless you use
| it without a case and drop it all the time or something.
|
| I still have a working iPhone 5 (no S) with a home button
| that spins and a slightly broken screen bezel but no other
| issues.
| wiredfool wrote:
| I had a 5s die at one point, it got reset to the point
| where it needed to activate, and couldn't.
| CuriousSkeptic wrote:
| I have a 4S still running.
|
| At one point I thought it died permanently. But it turned
| out to only be the screen dimming to much. In bright
| light it auto adjusted enough to be visible, allowing me
| to rise the brightness.
| reaperducer wrote:
| _How do you still have one that 's running OK? My Apple
| products almost always "die" after a few years._
|
| Consider yourself unlucky and never buy a lottery ticket.
|
| Apple is well-known for making products that last longer
| than most others in the industry.
|
| I have a launch day iPhone 5 that gets daily use and still
| works fine as of this morning. Launch day was in September
| of 2012.
| bradlys wrote:
| Well, let's not get crazy. It's fine (I'm using it currently
| because my Samsung S9 died) but it's definitely no perfect
| phone. It doesn't even have water resistance and the screen
| to body ratio is pretty bad, IMO.
|
| Only upside is the thing is built in such a way that it has
| barely taken any damage from the years of abuse I put it
| through.
|
| I'm likely getting an iPhone 12 Pro Max very soon and will
| continue to only use the iPhone 5S I've had since 2013 as a
| backup.
| radicaldreamer wrote:
| You're going from a 5s to a Pro Max? That's almost a jump
| across product categories... like switching from an iPhone
| to an iPad Mini.
| chews wrote:
| The 12 mini is gonna be my next daily driver.
| ChrisMarshallNY wrote:
| Same here.
|
| I write iOS software, so I have a whole bunch of test
| units.
|
| My "low-end" test unit is an iPod Touch (last gen).
| Basically, a skinny SE (Apple doesn't even have an iPod
| simulator -you're supposed to use an SE sim).
|
| My regular daily phone is an Excess Max (XSMax). I'm sick
| to death of it. I don't have much use for all that screen
| real estate, and it's a big honkin' monster.
|
| Every time I use my Touch, it makes me envious.
|
| I'll be placing an order for a Mini, tomorrow.
| namanaggarwal wrote:
| Also to Google for finding majority of them
| curt15 wrote:
| If only Google could put this much effort into supporting its
| own Pixel devices, which stop getting updates to the base OS
| after just three years.
| Shared404 wrote:
| Depending on your usecase, GrapheneOS may be of interest.
| Dahoon wrote:
| >after just three years
|
| The 5S was sold from Apple stores in India in mid 2017. So
| that's 3 years of updates from end-of-sale and this is an
| OS update for a 2 year old OS. So two years of support.
| Less than the Pixel.
| irae wrote:
| When someone buy a 5S in 2017 they surely know already,
| or should, that it is a cheap buy to last less than a
| newer model. So 3 years in this case is actually a great
| deal.
| majormajor wrote:
| I had a Pixel 1, launched in 2016, and it lost support in
| 2019. 3 years after _start_ of sale, not _end_ of sale.
|
| It's part of why I went back to Apple.
| dmitrygr wrote:
| I promise you, people inside google are equally frustrated
| with this unjustifiable top-down decision. (am Xoogler)
| Y-bar wrote:
| Wouldn't last official sale date be a better indicator of true
| device support? For example if someone bought it in an Apple
| store on the last day available, how long period would they
| have received updates for?
|
| For example in mid 2017 it was still officially sold by Apple
| in India (source: https://www.iphonehacks.com/2017/05/apple-
| iphone-5s-iphone-s...).
| JohnTHaller wrote:
| Comparatively, no. Android phones generally get a maximum of
| 3 years of security updates from launch, not from last device
| sale date. So, within mobile phones, it's more informative to
| compare it to their competition. It shows you just how much
| better Apple is at mobile device support compared to everyone
| else.
| gruez wrote:
| >Wouldn't last official sale date be a better indicator of
| true device support?
|
| well in that case many cheap android phones/tablets would
| have _negative_ support periods, considering they don 't
| release any updates at all.
| diebeforei485 wrote:
| Apple uses this metric as well[1]. If something hasn't been
| sold by Apple for 5 years (but less than 7 years), it's
| considered vintage and you can still get hardware service and
| certain critical software fixes, though not necessarily any
| new features.
|
| The support for MacBooks is actually great. Certain Late 2013
| and Mid 2014 Retina MacBook Pros, while considered vintage,
| will be receiving the Big Sur update[2].
|
| 1. https://support.apple.com/en-us/HT201624 2.
| https://www.apple.com/macos/big-sur-preview/ (at the bottom
| of the page)
| ValentineC wrote:
| > _The support for MacBooks is actually great. Certain Late
| 2013 and Mid 2014 Retina MacBook Pros, while considered
| vintage, will be receiving the Big Sur update._
|
| I think it's more likely that Apple's new frameworks don't
| require any fancy hardware features that aren't available
| in the Late 2013 MacBook Pros.
| diebeforei485 wrote:
| It's true that laptop computers have not changed as much
| over the years. This in large part because Intel CPU's
| and architecture have not changed as much, while iPhone
| CPU's have improved by leaps and bounds.
|
| I wonder how much this might change when Apple Silicon
| comes to the Mac.
| mulmen wrote:
| I have a Mid-2014 RMBP, there's nothing wrong with it at
| all. It's sad to think OS support may be dropped in the
| next few years.
| jtbayly wrote:
| No, because devices can be and sometimes are sold with
| software that is _already_ out of date. The better indicator
| is how long software support is provided for a device from
| beginning to end.
| anamexis wrote:
| Why is that a better indicator?
|
| If I buy a new phone from the manufacturer and it's already
| unsupported, that's really bad. I don't care if it was
| supported for 8 years before I bought it.
| Jtsummers wrote:
| Hah. This bit us when I got my mother an iPhone SE (2016)
| to replace her iPhone 4 a year or so ago. I tried to
| restore from iCloud backup and it kept failing, and finally
| it dawned on me that the OS may have been out of date.
| Skipped the restore, updated the OS, and wiped the phone.
| The restore worked correctly.
| Dahoon wrote:
| Sure but that doesn't change how long they supported after
| end of sale which wasn't in 2013 but at least until 2017.
| So ~3 years of software updates from end of sale. Still OK
| but not anything special.
| simonh wrote:
| To not be special, there must be many phones out there
| getting the same or better support. What are they? Who
| sells these many other smartphones that have had 3 or
| more years of updates from last sale?
|
| Certainly not the Pixel phones, they get 3 years support
| from first launch only, and they're supposedly the gold
| standard for Android software support. It's pretty much
| the reason they exist. Yet after last sale support for
| the 5S matched the Pixel's from launch support, and we
| don't even know that this is the last update the 5S will
| get.
| gcheong wrote:
| Since this is a security update I think it's more about support
| of an OS which is only 2 yrs old than the class of device as
| that class was supported with the initial iOS 12 release.
| tptacek wrote:
| A tricky thing about flagging "in the wild exploited
| vulnerabilities" in a title like this is that it suggests that
| sev:crit vulnerabilities in other updates that aren't flagged
| like this aren't being exploited in the wild. We get confirmation
| of only a subset of exploited vulnerabilities.
|
| We'd be better off with a more neutral title, like "fixing severe
| vulnerabilities" or something like that.
| dang wrote:
| We've changed the title above to that of the page. (Submitted
| title was "Apple releases iOS 14.2 and 12.4.9, fixing in-the-
| wild exploited vulnerabilities".)
| scarybeast wrote:
| I think this is a bad decision. The "in-the-wild" part is the
| interesting part because it is not the norm at all and it
| implies an interesting story.
| sneak wrote:
| The other thing to consider is that doing a binary diff on the
| OS before/after patching puts a big red arrow right at the
| location of the bug, which means that there's no reasonable
| expectation that it will remain unexploited _after_ the patch.
|
| It's not really that important, really. It's either being
| exploited yesterday, or tomorrow.
| thatguy0900 wrote:
| I still think it's important to say that we know they are being
| actively exploited, even if all vulns might be
| tptacek wrote:
| That's the kind of thing you can say in a comment, rather
| than in the title.
| MrStonedOne wrote:
| Anybody get a bitter sweet feeling when ever these reported and
| fixed security exploits announcements happen?
|
| It's good that users aren't going to risk getting hacked by such
| vulnerabilities, but its bad that users can no longer uses these
| exploits to gain administrative control over their property.
| snazz wrote:
| Apple isn't going to force you to update your device, so you
| can stay on an older version if you want jailbreaks.
| ValentineC wrote:
| Apple doesn't allow downgrading (and it's gotten even harder
| with Touch/Face ID not being downgradable with SHSH blobs),
| so people accidentally update, or get their hardware replaced
| in a repair, are SOL.
| MrStonedOne wrote:
| users buying new devices that automatically update on
| activation aren't going to have that choice.
| nahkoots wrote:
| Users that care about having control over their devices
| shouldn't be buying Apple hardware in the first place. Not
| that I support Apple's anti-consumer practices, but if you
| buy one of their products, you have to know what you're
| getting yourself into.
| beagle3 wrote:
| If you want a phone that you have control over, don't buy one
| from Apple... At this point in time, choices are mostly limited
| to Librem and PinePhone.
| bamboozled wrote:
| FairPhone too?
| swiley wrote:
| Maybe I got hit with one of these, my phone stopped being able to
| answer phone calls and auto focus stopped working (like something
| re flashed the firmware on a bunch of the internal peripherals.)
|
| I was going to wait until the software on my pinephone was more
| mature but that pushed me over the edge to get power management
| working on my own and make sure it could make phone calls. I
| think dumping iOS has done a lot for my mental health and I'm
| glad to have left it.
| asimilator wrote:
| > I was going to wait until the software on my pinephone was
| more mature but that pushed me over the edge to get power
| management working on my own and make sure it could make phone
| calls.
|
| I guess stress is personal, because this sounds way more
| stressful than anything I've had to deal with on iOS! And I say
| that as someone who'd like to get a more open (hardware and
| software) phone in the future.
| swiley wrote:
| iOS wasn't stressing me directly, it was that the UI is built
| to encourage compulsive media consumption and that was eating
| into other parts of my life like work (which is stressful.)
| tptacek wrote:
| Per PZ, the attacks here are targeted, meaning that the people
| exploiting them spent a fair bit of money to get these
| exploits, and are presumably very unhappy that they are burned.
| Unless you are special, it's unlikely that you got hit with one
| of these.
| [deleted]
| saagarjha wrote:
| I think this is the first time Apple has mentioned that the bugs
| they fixed were exploited in the wild? A welcome change if so.
| patio11 wrote:
| Note that there are similar issues in macOS, too.
| https://support.apple.com/en-us/HT211947 <-- Catalina 10.15.7
| Supplemental Update notes
| heavyset_go wrote:
| I think it's interesting how iOS exploits are cheaper[1] than
| Android exploits, because iOS exploits are so plentiful in
| comparison to Android exploits.
|
| [1] https://arstechnica.com/information-
| technology/2019/09/for-t...
| duxup wrote:
| Is that still the case?
|
| The article implies that before it was written that wasn't the
| case previously.
| heavyset_go wrote:
| Yes. Here's an article from May of this year[1], where it
| states that it is still the case.
|
| Also, you can go directly to Zerodium's website, where, as of
| today, they are still paying more for Android exploits than
| iOS exploits[2].
|
| [1]
| https://www.theregister.com/2020/05/14/zerodium_ios_flaws/
|
| [2] http://zerodium.com/program.html
| Veserv wrote:
| Does it matter? A full-chain zero-click remote complete
| compromise for either system is only $2-3 million. That is
| absolute chump change. 4-6% of households in the US [1], 5-8
| million households, have sufficient assets to fully
| compromise every iPhone or Android in the world. If we
| consider businesses, I bet that is within the reach of no
| less than 50% of the businesses (including small businesses)
| in the US. That is an absurd number of entities where that
| price point is totally doable.
|
| If a bad actor can derive just $10 on average per phone they
| attack, then all they need to do is find a way to deploy
| their $2-3 million exploit to 1 million phones for less than
| $5 million to make a tidy profit. Given that we are talking
| about zero-click remote compromises, which means the victim
| only needs to receive the payload, this means that it is
| profitable as long as the cost per victim impression is less
| than $5, a CPM of $5000. With that sort of budget you can
| embed your attack into an ad and then outbid everybody else
| by a factor of 10 for placements. You can buy a mailing list
| and embed your attack as a "payload pixel". If it is a zero-
| click text message attack then you can buy access to the
| spam-callers and mass deploy it that way.
|
| These systems are between a factor of 10-100x off of
| adequate. To care about their relative differences is like
| debating whether paper mache or tissue paper is better at
| stopping bullets. One is probably better than the other, but
| neither provides meaningful protection, so it hardly matters.
| You need fundamental, qualitative improvements before
| differences between the solutions provide meaningful effects
| on outcomes.
|
| [1] https://dqydj.com/average-median-top-net-worth-
| percentiles/
| duxup wrote:
| >Does it matter?
|
| Yes?
|
| Considering it was the measuring stick that person seemed
| to feel was important.
| rozab wrote:
| What about the fact that android has 3 times the market share?
| Closi wrote:
| And the fact that android devices are generally patched
| slower, so an exploit can give you access for longer.
| heavyset_go wrote:
| In the US, iOS has the majority of market share at 52.4%, and
| Android has 47%[1].
|
| [1] https://www.statista.com/statistics/266572/market-share-
| held...
| kogir wrote:
| I'd guess it's because the individuals worth using a targeted
| exploit on are more likely to be carrying iPhones.
| asdfasgasdgasdg wrote:
| I think you've misunderstood. iOS exploits are _cheaper_. If
| your explanation held, then you 'd expect them to be
| costlier. That said, I'm sure your explanation is a component
| of their price.
| win32k wrote:
| Why are you citing a year+ old article? It's clearly out of
| date. iOS is a much more secure platform, and exploits are much
| rarer than Android exploits.
|
| HN has really gone down in quality of readers/commenters.
| buzzy_hacker wrote:
| It would be better for you to provide the up-to-date
| information showing otherwise yourself, rather than name-
| calling
| irae wrote:
| What about the "Released November 5, 2020" part of the page?
| Are you from the future?
| heavyset_go wrote:
| > _Why are you citing a year+ old article? It 's clearly out
| of date_
|
| Because it is still the case as of today[1], and nothing of
| note has changed[2].
|
| > _HN has really gone down in quality of readers
| /commenters._
|
| Ironic, considering this comment violates HN's guidelines.
|
| [1] http://zerodium.com/program.html
|
| [2]
| https://www.theregister.com/2020/05/14/zerodium_ios_flaws/
| snazz wrote:
| Functionally, iOS is a much more secure platform. Far more
| people are updated to the latest iOS version, which makes a
| huge difference. Apple invests tons of money into secure
| biometrics, privacy initiatives, and lots more.
|
| At the same time, Android might still have fewer
| vulnerabilities in the latest versions. It's possible that
| Android's security technology or coding practices result in
| fewer security bugs. I don't think that Android has any
| attack surface equivalent to iMessage (which is written in
| Objective-C and uses some fairly low-level techniques, if I
| remember correctly).
|
| A lot fewer people use the latest version of Android, though,
| so most of that effort goes to waste.
| saagarjha wrote:
| I think a major part of it is that iOS has much less
| variety.
| jamiehall wrote:
| Linking to the 14.2 list (https://support.apple.com/en-
| us/HT211929) might be better? After clicking the headline link,
| it took me a few seconds to understand why we were caring about
| updates for the iPhone 5 and 6...
| snazz wrote:
| I think it's worth linking the 12.4.9 page because it's
| impressive that the software update is available going all the
| way back to the iPhone 5s. That's some serious longevity.
| zokier wrote:
| > That's some serious longevity
|
| Well, yes, its better than your average Android vendor. But
| on the other hand Windows 8 was released 2012 (i.e. about a
| year before iPhone 5s), and is scheduled to get updates until
| _2023_. That is pretty serious longevity. And supporting
| handful of Apple devices must be comparatively simpler than
| supporting the hodgepodge fleet of Windows 8 devices.
| beagle3 wrote:
| Apples (ha!) to Oranges. Personal computers cost, on
| average 2-4 times what the 5S cost in its day, and are
| expected to last much longer than a phone (as evidenced by
| the lack of uproar that all phone vendors including
| Microsoft drop support within 2-3 years ... except Apple).
___________________________________________________________________
(page generated 2020-11-05 23:00 UTC)