Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
sunrunner 4 days ago

> Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

Even if there was no mention of this or the implication that it’s linked to the notifications Apple sends for targeted attacks, is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability? What’s Apple’s default time frame for security support?

bri3d 4 days ago | parent | next [-]

Yes, this means it was exploited in a spyware campaign in the wild.

The full exploit chain seems to target WhatsApp directly using a second bug in WhatsApp; although this vulnerability is definitely present anywhere this kind of image is processed using Apple’s native image support, it would usually be aggressively sandboxed (in iMessage by BlastDoor and in Safari by the web content sandbox), so you’d need a lot more vulnerabilities than those that are currently disclosed to make it useful in those places. A bug in WhatsApp itself is particularly bad in terms of spyware actors, since it leaves one of their most popular targets, WhatsApp, vulnerable without a significantly more complex kernel escalation and sandbox bypass.

https://www.whatsapp.com/security/advisories/2025/

giancarlostoro 4 days ago | parent | prev | next [-]

One key thing I noticed is this is before iPadOS was a thing, so this patch targets iPads too... Which makes me wonder... this is speculation no proof, but I wonder if someone is exploiting Point of Sale devices that are powered by old iPads somehow, which is out of the control of a lot of end-users who are at thee mercy of the POS vendors who are probably charging an insane premium on them.

I worked at a restaurant chain and I remember it being a whole thing to even consider reworking the POS tables + software due to rising costs.

batiudrami 4 days ago | parent | next [-]

By the phrasing this is almost certainly a patch for targeted vulnerabilities to install Pegasus or similar.

joshstrange 4 days ago | parent | prev | next [-]

I work for a POS company that uses iPads (along other clients) and I’ve not heard of anything like that. I assume it’s people of interest (journalists, or politicians).

Also my company, as well as at least 1 other I know of that uses iPads, don’t sell the iPads to the stores, they replace or buy their iPads directly from Apple. Smaller places handle it all themselves, larger might use MDM but they are buying them at-cost.

I’m not saying everyone does that, just that I’m not aware of it.

giancarlostoro 3 days ago | parent [-]

Makes sense, I dont recall the name of the vendor my employer was using at the time, only that it was insanely expensive at the time.

rafram 4 days ago | parent | prev [-]

Only if you think some state intelligence agency is wasting million-dollar vulnerabilities on a bit of credit card skimming.

sfilmeyer 4 days ago | parent | prev | next [-]

> What’s Apple’s default time frame for security support?

This isn't thaaaaat far out of support. Their last security update for iOS 15 was just earlier this year, and they only dropped iPhone 6s from new major versions with iOS 16 a few years ago. As someone who has kept my last few iPhones for 5+ years each, I definitely appreciate that they keep a much longer support window than most folks on the Android side of things.

giancarlostoro 4 days ago | parent [-]

Before I got my first iPhone five years ago, I always noticed that iPhone owners would drag it along for a long time, but really the phones are tanks. I remember switching Android phones every two years, because they quite literally started to decay. I think my last Android Phone I could have probably made last longer than two years, I still turn it on and play random games on it, and its still very responsive.

I assume they know just how long their customers keep their phones and maintain them accordingly.

blahedo 4 days ago | parent | next [-]

This... is the opposite of my experience. Friends with iPhones seem to upgrade them unreasonably often, but my (Samsung) Android phones last a loooong time. My first Samsung I retired somewhat involuntarily after 3 years so that I could get a model that would also work overseas, but the phone itself was still fine. My second Samsung (the one I got in 2016 for the overseas trip) I just retired last fall, 2024, and even then only because a job required MS Authenticator and it wouldn't let me download it to the phone. Battery life was still fine, everything I used worked fine.

I fully expect to be using my current Android phone into the 2030s.

Twisell 4 days ago | parent [-]

Well your experience is maybe more based on your friend behavior than on an absolute rule.

This is the same for absolutely every manufactured goods. The same durable car model will be kept for over a decade by some people while some other opt for a leasing plan that guarantee a new car every two years. But the intrinsic quality of the car remain unaffected.

To ponder this you must consider what become of the phone they replace : did they trash it or did they have a second life with a less edgy owner?

subscribed 4 days ago | parent | prev | next [-]

Maybe you use low end phones or crappy vendors?

I'm migrating from my 5 year old flagship (lol) only because vendor decided to stop supporting it. Battery still good for a day, great screen, good enough camera, fantastic sound, ssd card slot...

My next has at least 7 years of mainline support (with all AOSP releases) plus at least couple of years damage control updates.

It's a matter of the choose I think.

jnaina 4 days ago | parent | prev | next [-]

The second hand resale market for iPhone is huge, especially in Asian 3rd world countries.

It is in Apple’s interest to keep old iPhones updated, as old iPhones being in active usage is better than them rotting in a drawer.

opan 4 days ago | parent | prev [-]

A relative of mine used their Galaxy Note II until the internal flash died and it stopped booting. It was definitely over 5 years old by that point.

duxup 4 days ago | parent | prev | next [-]

> is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability?

That is my assumption, that the result is a pretty severe impact and/or the victim has little to no way to prevent it (zero click situation).

Granted I can't speak for Apple, but I was thinking along the same lines you were.

altairprime 4 days ago | parent | prev | next [-]

No specific timeframe is defined, but they tend to release things that matter really far back — like, the Apple CA certificate expiration update went out a few years ago to basically the entire deployed Square terminal iPad userbase, etc. I expect it’s driven by telemetry and threat model both. Presumably the cutoff is wherever the telemetry ceases!

zomiaen 4 days ago | parent | prev | next [-]

Almost certainly some kind of zero click/zero user action RCE exploit.

Edit: I should've read, "Impact: Processing a malicious image file may result in memory corruption."

So simply receiving an image via SMS or loading it in some other way likely accomplishes the initial exploit, so yeah, zero click exploit. Always bad.

al_borland 4 days ago | parent | prev [-]

I think their minimum standard is 5 years after they stop selling a product. However, it could go longer if things still work.

The 6S was discontinued in 2018, which would give it support until at least 2023, so we aren’t too far beyond that.