About the security content of iOS 12.4.9

About the security content of iOS 12.4.9(support.apple.com)

160 points by axyjo 5 years ago | 171 comments

alewi481 5 years ago |

I'd like to give kudos to Apple for including the iPhone 5S in this security update, which was released on September 20, 2013, over 7 years ago! Supporting a product for even 3 years is rare in the smartphone world.

Y-bar 5 years ago | |

Wouldn't last official sale date be a better indicator of true device support? For example if someone bought it in an Apple store on the last day available, how long period would they have received updates for?

For example in mid 2017 it was still officially sold by Apple in India (source: https://www.iphonehacks.com/2017/05/apple-iphone-5s-iphone-s...).

JohnTHaller 5 years ago | | |

Comparatively, no. Android phones generally get a maximum of 3 years of security updates from launch, not from last device sale date. So, within mobile phones, it's more informative to compare it to their competition. It shows you just how much better Apple is at mobile device support compared to everyone else.

gruez 5 years ago | | |

>Wouldn't last official sale date be a better indicator of true device support?

well in that case many cheap android phones/tablets would have negative support periods, considering they don't release any updates at all.

diebeforei485 5 years ago | | |

Apple uses this metric as well[1]. If something hasn't been sold by Apple for 5 years (but less than 7 years), it's considered vintage and you can still get hardware service and certain critical software fixes, though not necessarily any new features.

The support for MacBooks is actually great. Certain Late 2013 and Mid 2014 Retina MacBook Pros, while considered vintage, will be receiving the Big Sur update[2].

1. https://support.apple.com/en-us/HT201624 2. https://www.apple.com/macos/big-sur-preview/ (at the bottom of the page)

swinglock 5 years ago | | |

A range would be fair. For example "safe to use for 3-7 years" in the case of this phone by the sound of it.

jtbayly 5 years ago | | |

No, because devices can be and sometimes are sold with software that is already out of date. The better indicator is how long software support is provided for a device from beginning to end.

als0 5 years ago | |

The 5S is still the perfect iPhone.

bradlys 5 years ago | | |

Well, let's not get crazy. It's fine (I'm using it currently because my Samsung S9 died) but it's definitely no perfect phone. It doesn't even have water resistance and the screen to body ratio is pretty bad, IMO.

Only upside is the thing is built in such a way that it has barely taken any damage from the years of abuse I put it through.

I'm likely getting an iPhone 12 Pro Max very soon and will continue to only use the iPhone 5S I've had since 2013 as a backup.

Tepix 5 years ago | | |

If the 5S is perfect, what's the iPhone SE (2016)?

ezekg 5 years ago | | |

How do you still have one that's running OK? My Apple products almost always "die" after a few years. I had the 5S but one day it crashed and would not turn back on no matter what I did. The iPhone I had before that did the same thing.

chews 5 years ago | | |

The 12 mini is gonna be my next daily driver.

texasbigdata 5 years ago | | |

Some YouTube gadget reviewers agree with you and predict some “revivals”.

namanaggarwal 5 years ago | |

Also to Google for finding majority of them

curt15 5 years ago | | |

If only Google could put this much effort into supporting its own Pixel devices, which stop getting updates to the base OS after just three years.

ponker 5 years ago | |

This is why Apple makes the cheapest smartphones, as long as you avoid dropping them.

RotANobot 5 years ago | |

My 8 (or 10?) year old AppleTV just got an update today. I was excited because the YouTube app pause function stopped working after the previous update a couple of weeks ago. Alas the problem remains.

gcheong 5 years ago | |

Since this is a security update I think it’s more about support of an OS which is only 2 yrs old than the class of device as that class was supported with the initial iOS 12 release.

evad3r 5 years ago | | |

I think it's more a testament to the length of time they support their devices for.

PopsiclePete 5 years ago | |

This is what I try to explain when it comes to "why are you paying so much for Apple". Because when you buy a cheap Android phone from Xuoiamiaeoi or whatever, you get some custom crippled OS in god knows what ways in close to 0 long-term support from them.

tptacek 5 years ago |

A tricky thing about flagging "in the wild exploited vulnerabilities" in a title like this is that it suggests that sev:crit vulnerabilities in other updates that aren't flagged like this aren't being exploited in the wild. We get confirmation of only a subset of exploited vulnerabilities.

We'd be better off with a more neutral title, like "fixing severe vulnerabilities" or something like that.

thatguy0900 5 years ago | |

I still think it's important to say that we know they are being actively exploited, even if all vulns might be

tptacek 5 years ago | | |

That's the kind of thing you can say in a comment, rather than in the title.

dang 5 years ago | |

We've changed the title above to that of the page. (Submitted title was "Apple releases iOS 14.2 and 12.4.9, fixing in-the-wild exploited vulnerabilities".)

scarybeast 5 years ago | | |

I think this is a bad decision. The "in-the-wild" part is the interesting part because it is not the norm at all and it implies an interesting story.

sneak 5 years ago | |

The other thing to consider is that doing a binary diff on the OS before/after patching puts a big red arrow right at the location of the bug, which means that there's no reasonable expectation that it will remain unexploited after the patch.

It's not really that important, really. It's either being exploited yesterday, or tomorrow.

baby 5 years ago | |

Disagree, if we have proof that it is currently being exploited then that’s the news more than anything else.

patio11 5 years ago |

Note that there are similar issues in macOS, too. https://support.apple.com/en-us/HT211947 <-- Catalina 10.15.7 Supplemental Update notes

1over137 5 years ago | |

But nothing for macOS 10.14.x, oddly.

saagarjha 5 years ago | | |

Catalina runs on all Macs that support Mojave, which I assume influenced the decision. (I didn't see an iOS 13 update, which helps bolster this theory.)

heavyset_go 5 years ago |

I think it's interesting how iOS exploits are cheaper[1] than Android exploits, because iOS exploits are so plentiful in comparison to Android exploits.

[1] https://arstechnica.com/information-technology/2019/09/for-t...

saagarjha 5 years ago |

I think this is the first time Apple has mentioned that the bugs they fixed were exploited in the wild? A welcome change if so.

jamiehall 5 years ago |

Linking to the 14.2 list (https://support.apple.com/en-us/HT211929) might be better? After clicking the headline link, it took me a few seconds to understand why we were caring about updates for the iPhone 5 and 6...

snazz 5 years ago | |

I think it's worth linking the 12.4.9 page because it's impressive that the software update is available going all the way back to the iPhone 5s. That's some serious longevity.

zokier 5 years ago | | |

> That's some serious longevity

Well, yes, its better than your average Android vendor. But on the other hand Windows 8 was released 2012 (i.e. about a year before iPhone 5s), and is scheduled to get updates until 2023. That is pretty serious longevity. And supporting handful of Apple devices must be comparatively simpler than supporting the hodgepodge fleet of Windows 8 devices.

sebastien_b 5 years ago |

The problem with these updates is that it's only for devices that can only support up to iOS 12 (in this case) - if you have another device that supports anything higher but don't want upgrade to the latest iOS, you still won't get these iOS 12 security updates - they force you to upgrade the entire OS to get them.

olliej 5 years ago | |

You're literally saying you have the ability to update, but don't want to, and so it's unfair you can't update.

sebastien_b 5 years ago | | |

Not exactly - more like being denied the ability to not have a specific OS version forced on someone if they want their device to stay secured.

Being able to stay secured with the latest patches shouldn’t require one to be forced to get the unwanted memory/resource hogging “features” of newer OS releases.

hosteur 5 years ago |

Can these vulns be used to jailbreak a phone?

MrStonedOne 5 years ago |

Anybody get a bitter sweet feeling when ever these reported and fixed security exploits announcements happen?

It's good that users aren't going to risk getting hacked by such vulnerabilities, but its bad that users can no longer uses these exploits to gain administrative control over their property.

userbinator 5 years ago | |

Nevermind right to repair, how about right to own...

The fact that you're even being downvoted for this shows just how far the authoritarian control-freaks have taken over and brainwashed everyone with paranoia to jump right into their jail.

snazz 5 years ago | |

Apple isn't going to force you to update your device, so you can stay on an older version if you want jailbreaks.

ValentineC 5 years ago | | |

Apple doesn't allow downgrading (and it's gotten even harder with Touch/Face ID not being downgradable with SHSH blobs), so people accidentally update, or get their hardware replaced in a repair, are SOL.

MrStonedOne 5 years ago | | |

users buying new devices that automatically update on activation aren't going to have that choice.

beagle3 5 years ago | |

If you want a phone that you have control over, don't buy one from Apple... At this point in time, choices are mostly limited to Librem and PinePhone.

bamboozled 5 years ago | | |

FairPhone too?

lern_too_spel 5 years ago | |

The users of these devices know they are serfs in the Apple ecosystem. People who want devices they can control buy other devices.

swiley 5 years ago |

Maybe I got hit with one of these, my phone stopped being able to answer phone calls and auto focus stopped working (like something re flashed the firmware on a bunch of the internal peripherals.)

I was going to wait until the software on my pinephone was more mature but that pushed me over the edge to get power management working on my own and make sure it could make phone calls. I think dumping iOS has done a lot for my mental health and I'm glad to have left it.

tptacek 5 years ago | |

Per PZ, the attacks here are targeted, meaning that the people exploiting them spent a fair bit of money to get these exploits, and are presumably very unhappy that they are burned. Unless you are special, it's unlikely that you got hit with one of these.

asimilator 5 years ago | |

> I was going to wait until the software on my pinephone was more mature but that pushed me over the edge to get power management working on my own and make sure it could make phone calls.

I guess stress is personal, because this sounds way more stressful than anything I've had to deal with on iOS! And I say that as someone who'd like to get a more open (hardware and software) phone in the future.

swiley 5 years ago | | |

iOS wasn't stressing me directly, it was that the UI is built to encourage compulsive media consumption and that was eating into other parts of my life like work (which is stressful.)