[HN Gopher] About the security content of iOS 12.4.9 ___________________________________________________________________ About the security content of iOS 12.4.9 Author : axyjo Score : 84 points Date : 2020-11-05 19:29 UTC (3 hours ago) (HTM) web link (support.apple.com) (TXT) w3m dump (support.apple.com) | alewi481 wrote: | I'd like to give kudos to Apple for including the iPhone 5S in | this security update, which was released on September 20, 2013, | over 7 years ago! Supporting a product for even 3 years is rare | in the smartphone world. | ponker wrote: | This is why Apple makes the cheapest smartphones, as long as | you avoid dropping them. | wnevets wrote: | until Apple throttles the hardware with their software | updates [1] | | https://www.theverge.com/2020/7/13/21322867/apple-iphone- | bat... | hokumguru wrote: | Wasn't the purpose of that throttling to extend the life of | older phones? Throttling the CPU let them stay within the | limits of the worn out battery and let the device continue | to be used without crashing. | wnevets wrote: | That may have been their public explanation after being | caught throttling the hardware. | Y-bar wrote: | It was to extend the battery life, which was a workaround | for the flawed battery design (contra CPU power draw). I | bought an iPhone SE in the first month available and it | started throttling by month 10, I'm not a battery | designer, but I did not buy a device marketed as 2x the | speed of 5S only for it to silently drop to 0.8x the | speed of the 5S less than a year later. | jeron wrote: | In which they had a whole year of really cheap, highly | subsidized battery replacements to correct their error. I | think Apple should be forgiven for this | Y-bar wrote: | I was unable to benefit from the battery replacement due | to a chip in the screen they discovered after I got a CS | code to do it: https://i.imgur.com/Gr1bPTU.jpg | tdonovic wrote: | What is a CS code? | Y-bar wrote: | Effectively a coupon code issued by a customer support | representative. | | Apple did not actually offer the replacement program | within ~600km of my home, but I managed to convince them | that an Apple Authorised Service provider in my town at | least do it. They agreed and gave me a CS Code valid for | the the battery replacement to be done. | | But it was ultimately denied because of a tiny chip in | the glass on the screen. | | I _really_ liked every other aspect of this phone though. | reaperducer wrote: | _the flawed battery design_ | | I'm going to play the odds and guess that you're not a | battery designer. | als0 wrote: | The 5S is still the perfect iPhone. | Tepix wrote: | If the 5S is perfect, what's the iPhone SE (2016)? | encom wrote: | The last iPhone with proper headphone support. | mikepurvis wrote: | I love the 5S form factor as well. I only updated from it | earlier this year to get iOS 13 to use the COVID Alert app | here in Canada (and my upgrade was buying a smashed-screen | iPhone SE for next to nothing, of course, and swapping the | old phone's screen onto it). | nbzso wrote: | The last iPhone that I use.:) | saagarjha wrote: | Not chamfered :( | jdhawk wrote: | sure they are, they're just matte finished. | rosstex wrote: | My current phone. | gumby wrote: | The price is definitely right -- cheaper than an upgrade! | ezekg wrote: | How do you still have one that's running OK? My Apple | products almost always "die" after a few years. I had the 5S | but one day it crashed and would not turn back on no matter | what I did. The iPhone I had before that did the same thing. | hbbio wrote: | The list of old Apple devices that still work well is | impressive: I still have one original iPad, an iPhone 3GS, | several iPhone 4. Same goes for the more recent ones, with | the exception of the few devices that I dropped on hard | floors over the last 10 years... | snazz wrote: | Is that a common issue? I've certainly heard about devices | losing battery life and cameras progressively getting | worse, but complete death is very uncommon unless you use | it without a case and drop it all the time or something. | | I still have a working iPhone 5 (no S) with a home button | that spins and a slightly broken screen bezel but no other | issues. | wiredfool wrote: | I had a 5s die at one point, it got reset to the point | where it needed to activate, and couldn't. | CuriousSkeptic wrote: | I have a 4S still running. | | At one point I thought it died permanently. But it turned | out to only be the screen dimming to much. In bright | light it auto adjusted enough to be visible, allowing me | to rise the brightness. | reaperducer wrote: | _How do you still have one that 's running OK? My Apple | products almost always "die" after a few years._ | | Consider yourself unlucky and never buy a lottery ticket. | | Apple is well-known for making products that last longer | than most others in the industry. | | I have a launch day iPhone 5 that gets daily use and still | works fine as of this morning. Launch day was in September | of 2012. | bradlys wrote: | Well, let's not get crazy. It's fine (I'm using it currently | because my Samsung S9 died) but it's definitely no perfect | phone. It doesn't even have water resistance and the screen | to body ratio is pretty bad, IMO. | | Only upside is the thing is built in such a way that it has | barely taken any damage from the years of abuse I put it | through. | | I'm likely getting an iPhone 12 Pro Max very soon and will | continue to only use the iPhone 5S I've had since 2013 as a | backup. | radicaldreamer wrote: | You're going from a 5s to a Pro Max? That's almost a jump | across product categories... like switching from an iPhone | to an iPad Mini. | chews wrote: | The 12 mini is gonna be my next daily driver. | ChrisMarshallNY wrote: | Same here. | | I write iOS software, so I have a whole bunch of test | units. | | My "low-end" test unit is an iPod Touch (last gen). | Basically, a skinny SE (Apple doesn't even have an iPod | simulator -you're supposed to use an SE sim). | | My regular daily phone is an Excess Max (XSMax). I'm sick | to death of it. I don't have much use for all that screen | real estate, and it's a big honkin' monster. | | Every time I use my Touch, it makes me envious. | | I'll be placing an order for a Mini, tomorrow. | namanaggarwal wrote: | Also to Google for finding majority of them | curt15 wrote: | If only Google could put this much effort into supporting its | own Pixel devices, which stop getting updates to the base OS | after just three years. | Shared404 wrote: | Depending on your usecase, GrapheneOS may be of interest. | Dahoon wrote: | >after just three years | | The 5S was sold from Apple stores in India in mid 2017. So | that's 3 years of updates from end-of-sale and this is an | OS update for a 2 year old OS. So two years of support. | Less than the Pixel. | irae wrote: | When someone buy a 5S in 2017 they surely know already, | or should, that it is a cheap buy to last less than a | newer model. So 3 years in this case is actually a great | deal. | majormajor wrote: | I had a Pixel 1, launched in 2016, and it lost support in | 2019. 3 years after _start_ of sale, not _end_ of sale. | | It's part of why I went back to Apple. | dmitrygr wrote: | I promise you, people inside google are equally frustrated | with this unjustifiable top-down decision. (am Xoogler) | Y-bar wrote: | Wouldn't last official sale date be a better indicator of true | device support? For example if someone bought it in an Apple | store on the last day available, how long period would they | have received updates for? | | For example in mid 2017 it was still officially sold by Apple | in India (source: https://www.iphonehacks.com/2017/05/apple- | iphone-5s-iphone-s...). | JohnTHaller wrote: | Comparatively, no. Android phones generally get a maximum of | 3 years of security updates from launch, not from last device | sale date. So, within mobile phones, it's more informative to | compare it to their competition. It shows you just how much | better Apple is at mobile device support compared to everyone | else. | gruez wrote: | >Wouldn't last official sale date be a better indicator of | true device support? | | well in that case many cheap android phones/tablets would | have _negative_ support periods, considering they don 't | release any updates at all. | diebeforei485 wrote: | Apple uses this metric as well[1]. If something hasn't been | sold by Apple for 5 years (but less than 7 years), it's | considered vintage and you can still get hardware service and | certain critical software fixes, though not necessarily any | new features. | | The support for MacBooks is actually great. Certain Late 2013 | and Mid 2014 Retina MacBook Pros, while considered vintage, | will be receiving the Big Sur update[2]. | | 1. https://support.apple.com/en-us/HT201624 2. | https://www.apple.com/macos/big-sur-preview/ (at the bottom | of the page) | ValentineC wrote: | > _The support for MacBooks is actually great. Certain Late | 2013 and Mid 2014 Retina MacBook Pros, while considered | vintage, will be receiving the Big Sur update._ | | I think it's more likely that Apple's new frameworks don't | require any fancy hardware features that aren't available | in the Late 2013 MacBook Pros. | diebeforei485 wrote: | It's true that laptop computers have not changed as much | over the years. This in large part because Intel CPU's | and architecture have not changed as much, while iPhone | CPU's have improved by leaps and bounds. | | I wonder how much this might change when Apple Silicon | comes to the Mac. | mulmen wrote: | I have a Mid-2014 RMBP, there's nothing wrong with it at | all. It's sad to think OS support may be dropped in the | next few years. | jtbayly wrote: | No, because devices can be and sometimes are sold with | software that is _already_ out of date. The better indicator | is how long software support is provided for a device from | beginning to end. | anamexis wrote: | Why is that a better indicator? | | If I buy a new phone from the manufacturer and it's already | unsupported, that's really bad. I don't care if it was | supported for 8 years before I bought it. | Jtsummers wrote: | Hah. This bit us when I got my mother an iPhone SE (2016) | to replace her iPhone 4 a year or so ago. I tried to | restore from iCloud backup and it kept failing, and finally | it dawned on me that the OS may have been out of date. | Skipped the restore, updated the OS, and wiped the phone. | The restore worked correctly. | Dahoon wrote: | Sure but that doesn't change how long they supported after | end of sale which wasn't in 2013 but at least until 2017. | So ~3 years of software updates from end of sale. Still OK | but not anything special. | simonh wrote: | To not be special, there must be many phones out there | getting the same or better support. What are they? Who | sells these many other smartphones that have had 3 or | more years of updates from last sale? | | Certainly not the Pixel phones, they get 3 years support | from first launch only, and they're supposedly the gold | standard for Android software support. It's pretty much | the reason they exist. Yet after last sale support for | the 5S matched the Pixel's from launch support, and we | don't even know that this is the last update the 5S will | get. | gcheong wrote: | Since this is a security update I think it's more about support | of an OS which is only 2 yrs old than the class of device as | that class was supported with the initial iOS 12 release. | tptacek wrote: | A tricky thing about flagging "in the wild exploited | vulnerabilities" in a title like this is that it suggests that | sev:crit vulnerabilities in other updates that aren't flagged | like this aren't being exploited in the wild. We get confirmation | of only a subset of exploited vulnerabilities. | | We'd be better off with a more neutral title, like "fixing severe | vulnerabilities" or something like that. | dang wrote: | We've changed the title above to that of the page. (Submitted | title was "Apple releases iOS 14.2 and 12.4.9, fixing in-the- | wild exploited vulnerabilities".) | scarybeast wrote: | I think this is a bad decision. The "in-the-wild" part is the | interesting part because it is not the norm at all and it | implies an interesting story. | sneak wrote: | The other thing to consider is that doing a binary diff on the | OS before/after patching puts a big red arrow right at the | location of the bug, which means that there's no reasonable | expectation that it will remain unexploited _after_ the patch. | | It's not really that important, really. It's either being | exploited yesterday, or tomorrow. | thatguy0900 wrote: | I still think it's important to say that we know they are being | actively exploited, even if all vulns might be | tptacek wrote: | That's the kind of thing you can say in a comment, rather | than in the title. | MrStonedOne wrote: | Anybody get a bitter sweet feeling when ever these reported and | fixed security exploits announcements happen? | | It's good that users aren't going to risk getting hacked by such | vulnerabilities, but its bad that users can no longer uses these | exploits to gain administrative control over their property. | snazz wrote: | Apple isn't going to force you to update your device, so you | can stay on an older version if you want jailbreaks. | ValentineC wrote: | Apple doesn't allow downgrading (and it's gotten even harder | with Touch/Face ID not being downgradable with SHSH blobs), | so people accidentally update, or get their hardware replaced | in a repair, are SOL. | MrStonedOne wrote: | users buying new devices that automatically update on | activation aren't going to have that choice. | nahkoots wrote: | Users that care about having control over their devices | shouldn't be buying Apple hardware in the first place. Not | that I support Apple's anti-consumer practices, but if you | buy one of their products, you have to know what you're | getting yourself into. | beagle3 wrote: | If you want a phone that you have control over, don't buy one | from Apple... At this point in time, choices are mostly limited | to Librem and PinePhone. | bamboozled wrote: | FairPhone too? | swiley wrote: | Maybe I got hit with one of these, my phone stopped being able to | answer phone calls and auto focus stopped working (like something | re flashed the firmware on a bunch of the internal peripherals.) | | I was going to wait until the software on my pinephone was more | mature but that pushed me over the edge to get power management | working on my own and make sure it could make phone calls. I | think dumping iOS has done a lot for my mental health and I'm | glad to have left it. | asimilator wrote: | > I was going to wait until the software on my pinephone was | more mature but that pushed me over the edge to get power | management working on my own and make sure it could make phone | calls. | | I guess stress is personal, because this sounds way more | stressful than anything I've had to deal with on iOS! And I say | that as someone who'd like to get a more open (hardware and | software) phone in the future. | swiley wrote: | iOS wasn't stressing me directly, it was that the UI is built | to encourage compulsive media consumption and that was eating | into other parts of my life like work (which is stressful.) | tptacek wrote: | Per PZ, the attacks here are targeted, meaning that the people | exploiting them spent a fair bit of money to get these | exploits, and are presumably very unhappy that they are burned. | Unless you are special, it's unlikely that you got hit with one | of these. | [deleted] | saagarjha wrote: | I think this is the first time Apple has mentioned that the bugs | they fixed were exploited in the wild? A welcome change if so. | patio11 wrote: | Note that there are similar issues in macOS, too. | https://support.apple.com/en-us/HT211947 <-- Catalina 10.15.7 | Supplemental Update notes | heavyset_go wrote: | I think it's interesting how iOS exploits are cheaper[1] than | Android exploits, because iOS exploits are so plentiful in | comparison to Android exploits. | | [1] https://arstechnica.com/information- | technology/2019/09/for-t... | duxup wrote: | Is that still the case? | | The article implies that before it was written that wasn't the | case previously. | heavyset_go wrote: | Yes. Here's an article from May of this year[1], where it | states that it is still the case. | | Also, you can go directly to Zerodium's website, where, as of | today, they are still paying more for Android exploits than | iOS exploits[2]. | | [1] | https://www.theregister.com/2020/05/14/zerodium_ios_flaws/ | | [2] http://zerodium.com/program.html | Veserv wrote: | Does it matter? A full-chain zero-click remote complete | compromise for either system is only $2-3 million. That is | absolute chump change. 4-6% of households in the US [1], 5-8 | million households, have sufficient assets to fully | compromise every iPhone or Android in the world. If we | consider businesses, I bet that is within the reach of no | less than 50% of the businesses (including small businesses) | in the US. That is an absurd number of entities where that | price point is totally doable. | | If a bad actor can derive just $10 on average per phone they | attack, then all they need to do is find a way to deploy | their $2-3 million exploit to 1 million phones for less than | $5 million to make a tidy profit. Given that we are talking | about zero-click remote compromises, which means the victim | only needs to receive the payload, this means that it is | profitable as long as the cost per victim impression is less | than $5, a CPM of $5000. With that sort of budget you can | embed your attack into an ad and then outbid everybody else | by a factor of 10 for placements. You can buy a mailing list | and embed your attack as a "payload pixel". If it is a zero- | click text message attack then you can buy access to the | spam-callers and mass deploy it that way. | | These systems are between a factor of 10-100x off of | adequate. To care about their relative differences is like | debating whether paper mache or tissue paper is better at | stopping bullets. One is probably better than the other, but | neither provides meaningful protection, so it hardly matters. | You need fundamental, qualitative improvements before | differences between the solutions provide meaningful effects | on outcomes. | | [1] https://dqydj.com/average-median-top-net-worth- | percentiles/ | duxup wrote: | >Does it matter? | | Yes? | | Considering it was the measuring stick that person seemed | to feel was important. | rozab wrote: | What about the fact that android has 3 times the market share? | Closi wrote: | And the fact that android devices are generally patched | slower, so an exploit can give you access for longer. | heavyset_go wrote: | In the US, iOS has the majority of market share at 52.4%, and | Android has 47%[1]. | | [1] https://www.statista.com/statistics/266572/market-share- | held... | kogir wrote: | I'd guess it's because the individuals worth using a targeted | exploit on are more likely to be carrying iPhones. | asdfasgasdgasdg wrote: | I think you've misunderstood. iOS exploits are _cheaper_. If | your explanation held, then you 'd expect them to be | costlier. That said, I'm sure your explanation is a component | of their price. | win32k wrote: | Why are you citing a year+ old article? It's clearly out of | date. iOS is a much more secure platform, and exploits are much | rarer than Android exploits. | | HN has really gone down in quality of readers/commenters. | buzzy_hacker wrote: | It would be better for you to provide the up-to-date | information showing otherwise yourself, rather than name- | calling | irae wrote: | What about the "Released November 5, 2020" part of the page? | Are you from the future? | heavyset_go wrote: | > _Why are you citing a year+ old article? It 's clearly out | of date_ | | Because it is still the case as of today[1], and nothing of | note has changed[2]. | | > _HN has really gone down in quality of readers | /commenters._ | | Ironic, considering this comment violates HN's guidelines. | | [1] http://zerodium.com/program.html | | [2] | https://www.theregister.com/2020/05/14/zerodium_ios_flaws/ | snazz wrote: | Functionally, iOS is a much more secure platform. Far more | people are updated to the latest iOS version, which makes a | huge difference. Apple invests tons of money into secure | biometrics, privacy initiatives, and lots more. | | At the same time, Android might still have fewer | vulnerabilities in the latest versions. It's possible that | Android's security technology or coding practices result in | fewer security bugs. I don't think that Android has any | attack surface equivalent to iMessage (which is written in | Objective-C and uses some fairly low-level techniques, if I | remember correctly). | | A lot fewer people use the latest version of Android, though, | so most of that effort goes to waste. | saagarjha wrote: | I think a major part of it is that iOS has much less | variety. | jamiehall wrote: | Linking to the 14.2 list (https://support.apple.com/en- | us/HT211929) might be better? After clicking the headline link, | it took me a few seconds to understand why we were caring about | updates for the iPhone 5 and 6... | snazz wrote: | I think it's worth linking the 12.4.9 page because it's | impressive that the software update is available going all the | way back to the iPhone 5s. That's some serious longevity. | zokier wrote: | > That's some serious longevity | | Well, yes, its better than your average Android vendor. But | on the other hand Windows 8 was released 2012 (i.e. about a | year before iPhone 5s), and is scheduled to get updates until | _2023_. That is pretty serious longevity. And supporting | handful of Apple devices must be comparatively simpler than | supporting the hodgepodge fleet of Windows 8 devices. | beagle3 wrote: | Apples (ha!) to Oranges. Personal computers cost, on | average 2-4 times what the 5S cost in its day, and are | expected to last much longer than a phone (as evidenced by | the lack of uproar that all phone vendors including | Microsoft drop support within 2-3 years ... except Apple). ___________________________________________________________________ (page generated 2020-11-05 23:00 UTC)