About the security content of iOS 12.4.9 (support.apple.com)
160 points by axyjo on Nov 5, 2020 | 171 comments



I'd like to give kudos to Apple for including the iPhone 5S in this security update, which was released on September 20, 2013, over 7 years ago! Supporting a product for even 3 years is rare in the smartphone world.


Wouldn't last official sale date be a better indicator of true device support? For example, if someone bought it in an Apple store on the last day available, how long a period would they have received updates for?

For example in mid 2017 it was still officially sold by Apple in India (source: https://www.iphonehacks.com/2017/05/apple-iphone-5s-iphone-s...).


Comparatively, no. Android phones generally get a maximum of 3 years of security updates from launch, not from last device sale date. So, within mobile phones, it's more informative to compare it to their competition. It shows you just how much better Apple is at mobile device support compared to everyone else.


Well, you still get updates through the store way longer than 3 years. With more and more components (e.g. the browser) coming through the store, the picture is not as black and white anymore.


Are you talking about OS level updates or just updates for individual apps?


So use the last sale date for both. Your point makes no sense.


Galaxy S8 on sale at Walmart, Staples, and NewEgg. Likely falls off support in 3-4 months. So Android flagships are close to zero or even negative support time?


This is what got me to finally switch to Apple. Updates take forever. I bought a Samsung off Amazon for testing and for some reason I still have to wait on T-Mobile. And then after a year, maybe two, there just aren’t any more updates.


Samsung makes superb hardware but they're clearly not at ease with software, it always feels like an afterthought.

If they were serious about competing with Apple software is where they should focus.


This is why I switched to Pixel. 3 years of full updates. And you can then switch to LineageOS if you'd like as well.


That sounds dangerous to me.


They have no legal requirement to update. It's also not a bait and switch, they have done this for a decade now. Buy an iPhone if you want updates.


>Wouldn't last official sale date be a better indicator of true device support?

well in that case many cheap android phones/tablets would have negative support periods, considering they don't release any updates at all.


Yes? That sounds about right.


Which makes it kind of a pointlessly obtuse metric. To claim a device has negative months of support.


It's accurate, though. When I am evaluating devices to buy, a metric I care about is "after I buy this, how long will it remain up-to-date with security patches?" And the answer to that question is "on the day that you buy it, it is already several months behind on security patches and will not improve." That metric is not the be-all-end-all of support, but is meaningful, and low or negative values have the correct interpretation in that context.


It's not pointless at all. It accurately reflects the situation of buying a device off the shelf long after its official end of life.


Sorry, I don't follow.


Apple uses this metric as well[1]. If something hasn't been sold by Apple for 5 years (but less than 7 years), it's considered vintage and you can still get hardware service and certain critical software fixes, though not necessarily any new features.

The support for MacBooks is actually great. Certain Late 2013 and Mid 2014 Retina MacBook Pros, while considered vintage, will be receiving the Big Sur update[2].

1. https://support.apple.com/en-us/HT201624

2. https://www.apple.com/macos/big-sur-preview/ (at the bottom of the page)


> The support for MacBooks is actually great. Certain Late 2013 and Mid 2014 Retina MacBook Pros, while considered vintage, will be receiving the Big Sur update.

I think it's more likely that Apple's new frameworks don't require any fancy hardware features that aren't available in the Late 2013 MacBook Pros.


It's true that laptop computers have not changed as much over the years. This is in large part because Intel CPUs and architecture have not changed as much, while iPhone CPUs have improved by leaps and bounds.

I wonder how much this might change when Apple Silicon comes to the Mac.


It feels like smartphones are stabilizing as well. I don't see myself needing to replace my iPhone 8 for a while, even though there have been three more generations afterwards. An iPhone 5 felt much more outdated at the time of the 6s/SE.


Agreed - since 2017 the main improvements have been to the cameras, plus some improvements to efficiency, and (depending on your carrier) 5G.

I find 5G (coverage on mid-band, not the hyped speed on ultra-wideband) to be the most compelling reason to upgrade my phone this year.


Having owned a 5S, 6 plus, and now XR, the all screen design is a much bigger upgrade than iPhone 5 vs. 6S in my opinion.


> I think it's more likely that Apple's new frameworks don't require any fancy hardware features

Mojave and higher isn’t “supported” on the cheese grater Mac Pros despite it running more than fine, including with FileVault 2 enabled on the boot volume (which an Apple exec tried to claim was technically not possible).


> Mojave and higher isn’t “supported” on the cheese grater Mac Pro

The 2010 and 2012 Mac Pros officially support Mojave with a compatible video card:

Install macOS 10.14 Mojave on Mac Pro (Mid 2010) and Mac Pro (Mid 2012) https://support.apple.com/en-us/HT208898


Yeah, my sentence structure leaves a bit to be desired. The key there is including FileVault being enabled.


I have a Mid-2014 RMBP, there's nothing wrong with it at all. It's sad to think OS support may be dropped in the next few years.


Yes, we're bombarded with guilt messages about us destroying the planet but even when we want to do the right thing there's no path available.

I have an old Samsung tablet that doesn't work anymore. I could try to change the battery for 20€ or buy the cheapest tablet on Amazon for 40€


Still rocking my maxxed-out 2012 mbp15r here.


Ahem, rocking my 2009 MBP running Catalina =D

Although this appears to be the end of the line as there is no graphic acceleration support in Big Sur


A range would be fair. For example "safe to use for 3-7 years" in the case of this phone by the sound of it.


No, because devices can be and sometimes are sold with software that is already out of date. The better indicator is how long software support is provided for a device from beginning to end.


Why is that a better indicator?

If I buy a new phone from the manufacturer and it's already unsupported, that's really bad. I don't care if it was supported for 8 years before I bought it.


Hah. This bit us when I got my mother an iPhone SE (2016) to replace her iPhone 4 a year or so ago. I tried to restore from iCloud backup and it kept failing, and finally it dawned on me that the OS may have been out of date. Skipped the restore, updated the OS, and wiped the phone. The restore worked correctly.


On the flip side, the Apple guys have a lot of patience to deal with my stubborn ass trying to activate an iPhone 4... the non-SIM servers were taken offline years ago so I popped in a SIM and off I went.


Sure but that doesn't change how long they supported after end of sale which wasn't in 2013 but at least until 2017. So ~3 years of software updates from end of sale. Still OK but not anything special.


To not be special, there must be many phones out there getting the same or better support. What are they? Who sells these many other smartphones that have had 3 or more years of updates from last sale?

Certainly not the Pixel phones, they get 3 years support from first launch only, and they're supposedly the gold standard for Android software support. It's pretty much the reason they exist. Yet after last sale support for the 5S matched the Pixel's from launch support, and we don't even know that this is the last update the 5S will get.


You decided to count the days of support in a completely uncommon way that no one usually discusses but decided that three years was ok based on the common way people count, which is since initial release.

You can’t have your cake and eat it as well.


The 5S is still the perfect iPhone.


Well, let's not get crazy. It's fine (I'm using it currently because my Samsung S9 died) but it's definitely no perfect phone. It doesn't even have water resistance and the screen to body ratio is pretty bad, IMO.

Only upside is the thing is built in such a way that it has barely taken any damage from the years of abuse I put it through.

I'm likely getting an iPhone 12 Pro Max very soon and will continue to only use the iPhone 5S I've had since 2013 as a backup.


You're going from a 5s to a Pro Max? That's almost a jump across product categories... like switching from an iPhone to an iPad Mini.


Or from a Commodore 64 to a first-generation iMac.


I remember the first generation iMac, but I don't remember them being that bad.


> the screen to body ratio is pretty bad, IMO

if rated against _my_ body, the ratio is damn near perfect


If the 5S is perfect, what's the iPhone SE (2016)?


I love the 5S form factor as well. I only updated from it earlier this year to get iOS 13 to use the COVID Alert app here in Canada (and my upgrade was buying a smashed-screen iPhone SE for next to nothing, of course, and swapping the old phone's screen onto it).


My current phone.


The price is definitely right -- cheaper than an upgrade!


What's in your back pocket? Seriously, love my SE. I just got the battery replaced, $49 taken from a MacBook trade-in value, so basically free since I can't use that money any other way.


The last iPhone with proper headphone support.


Not chamfered :(


sure they are, they're just matte finished.


A replica.


The last iPhone that I use.:)


I have one also. Love it as a secondary phone


How do you still have one that's running OK? My Apple products almost always "die" after a few years. I had the 5S but one day it crashed and would not turn back on no matter what I did. The iPhone I had before that did the same thing.


> How do you still have one that's running OK? My Apple products almost always "die" after a few years.

Consider yourself unlucky and never buy a lottery ticket.

Apple is well-known for making products that last longer than most others in the industry.

I have a launch day iPhone 5 that gets daily use and still works fine as of this morning. Launch day was in September of 2012.


Is that a common issue? I've certainly heard about devices losing battery life and cameras progressively getting worse, but complete death is very uncommon unless you use it without a case and drop it all the time or something.

I still have a working iPhone 5 (no S) with a home button that spins and a slightly broken screen bezel but no other issues.


I have a 4S still running.

At one point I thought it died permanently. But it turned out to only be the screen dimming too much. In bright light it auto adjusted enough to be visible, allowing me to raise the brightness.


I had a 5s die at one point, it got reset to the point where it needed to activate, and couldn’t.


The list of old Apple devices that still work well is impressive: I still have one original iPad, an iPhone 3GS, several iPhone 4. Same goes for the more recent ones, with the exception of the few devices that I dropped on hard floors over the last 10 years...


Still have a first-generation iPod Touch running iOS 3. Works like a charm, can even download some apps from the App Store. Bit of a shock how both primitive and advanced the early versions of iOS were.


I had an iPad 1 running iOS 5 I think, but in the end I stopped using it because Safari would "crash" on most websites due to it running out of ram I guess.

IIRC there's 128M of RAM on the first iPad.


I have a 4S that's still running perfectly happily. Can't do much with it, mind, given that everything is wildly out of date but it may yet get repurposed as a webcam when I get some free time.


I believe you but I've honestly never heard of anybody suffering "random cellphone death" - Apple or otherwise. Everybody seems to break them or upgrade them long before that.


I had it with Nexus 5x. It died after 1.5 years when I used an app to get a train ticket. It turned out it was a known hardware bug judging by forums. It was in Norway so the phone was still under warranty and it was “repaired” - the motherboard was replaced. Still not much later I bought the original iPhone SE. I just did not like the idea of phone stopping working for no reason.


Yes, the 5X has a known hardware issue.


I have an iPhone 3GS and an iPad 2 that still work. They are very slow and most apps don’t support their oses. I’d still have an iPhone 7 Plus if it wasn’t at the bottom of a river rapid. My wife has a white MacBook somewhere from 2009/10.

The only problem I’ve had was a 2011 MBP having a GPU issue.


I fired up an old 5S as a result of this post and was sad to find that it appears to be dead.


The 12 mini is gonna be my next daily driver.


Same here.

I write iOS software, so I have a whole bunch of test units.

My "low-end" test unit is an iPod Touch (last gen). Basically, a skinny SE (Apple doesn't even have an iPod simulator -you're supposed to use an SE sim).

My regular daily phone is an Excess Max (XSMax). I'm sick to death of it. I don't have much use for all that screen real estate, and it's a big honkin' monster.

Every time I use my Touch, it makes me envious.

I'll be placing an order for a Mini, tomorrow.


Some YouTube gadget reviewers agree with you and predict some “revivals”.


Also to Google for finding the majority of them


If only Google could put this much effort into supporting its own Pixel devices, which stop getting updates to the base OS after just three years.


I promise you, people inside google are equally frustrated with this unjustifiable top-down decision. (am Xoogler)


I know a google dev who says they wouldn't trust the security of an Android phone as far as they could throw it.


I know an apple dev who thinks the same about their product, lol.


Depending on your usecase, GrapheneOS may be of interest.


No support for Pixel 1, Pixel 2 are marked as obsolete, so I'm not sure it's better than Google as far as EOL is concerned.

https://grapheneos.org/releases


Ah, I take it back then. It's been a little while since I looked at it.


>after just three years

The 5S was sold from Apple stores in India in mid 2017. So that's 3 years of updates from end-of-sale and this is an OS update for a 2 year old OS. So two years of support. Less than the Pixel.


When someone buys a 5S in 2017 they surely know already, or should, that it is a cheap buy to last less than a newer model. So 3 years in this case is actually a great deal.


I had a Pixel 1, launched in 2016, and it lost support in 2019. 3 years after start of sale, not end of sale.

It's part of why I went back to Apple.


This is why Apple makes the cheapest smartphones, as long as you avoid dropping them.


[flagged]


Wasn't the purpose of that throttling to extend the life of older phones? Throttling the CPU let them stay within the limits of the worn out battery and let the device continue to be used without crashing.


It was to extend the battery life, which was a workaround for the flawed battery design (contra CPU power draw). I bought an iPhone SE in the first month available and it started throttling by month 10, I'm not a battery designer, but I did not buy a device marketed as 2x the speed of 5S only for it to silently drop to 0.8x the speed of the 5S less than a year later.


In which they had a whole year of really cheap, highly subsidized battery replacements to correct their error. I think Apple should be forgiven for this


I was unable to benefit from the battery replacement due to a chip in the screen they discovered after I got a CS code to do it: https://i.imgur.com/Gr1bPTU.jpg


What is a CS code?


Effectively a coupon code issued by a customer support representative.

Apple did not actually offer the replacement program within ~600km of my home, but I managed to convince them that an Apple Authorised Service provider in my town at least do it. They agreed and gave me a CS Code valid for the battery replacement to be done.

But it was ultimately denied because of a tiny chip in the glass on the screen.

I really liked every other aspect of this phone though.


> the flawed battery design

I'm going to play the odds and guess that you're not a battery designer.


I wish they gave those odds in Vegas: OP said right there in their comment that they're not a battery designer. Now, granted, perhaps OP should have not run their fingers on the keyboard about topics they know little to nothing about...


That may have been their public explanation after being caught throttling the hardware.


You just need to look at the evidence:

* Only handsets with degraded batteries were throttled

* Replacing the battery returned the handset to full speed

* The only thing that changed after the fine was that you now have an option to stop the throttling and have unexpected reboots instead.

* All iPhones since then, including brand new iPhone 12s will throttle when the battery degrades.


This is just great, and you see why it's so hard to be a product manufacturer.

Not only does the person not understand why it was done, and that it produced a phone that would be functional for longer lifetime than if it hadn't been implemented, but he also continues spreading unhelpful information to others.


>but he also continues spreading unhelpful information to others.

They were forced to pay over 500 Million Dollars for doing it


They were forced to pay that for not saying that they were doing it.

The feature still exists today. The brand new iPhone 12 will do the same thing on a degraded battery.


That doesn't mean the penalty made sense.


I turned off this feature when they shipped the option and promptly turned it back on. I use Apple because they make reasonable decisions instead of requiring endless configuration, and they made the right decision here. The lawsuit feels like pure power politics... Apple can handle the cost, I don’t feel bad for them or anything, but I see it as a pure money grab rather than any culpability for Apple.


>I turned off this feature when they shipped the option and promptly turned it back on.

They didn't add that option until AFTER being caught


I disagree with the framing suggested by the word “caught.” After they were sued, they shipped this option, I tried it, it sucks.


having to pay out over 500 Million Dollars says otherwise.


My 8 (or 10?) year old AppleTV just got an update today. I was excited because the YouTube app pause function stopped working after the previous update a couple of weeks ago. Alas the problem remains.


Since this is a security update I think it’s more about support of an OS which is only 2 yrs old than the class of device as that class was supported with the initial iOS 12 release.


I think it's more a testament to the length of time they support their devices for.


This is what I try to explain when it comes to "why are you paying so much for Apple". Because when you buy a cheap Android phone from Xuoiamiaeoi or whatever, you get some custom crippled OS in god knows what ways in close to 0 long-term support from them.


A tricky thing about flagging "in the wild exploited vulnerabilities" in a title like this is that it suggests that sev:crit vulnerabilities in other updates that aren't flagged like this aren't being exploited in the wild. We get confirmation of only a subset of exploited vulnerabilities.

We'd be better off with a more neutral title, like "fixing severe vulnerabilities" or something like that.


I still think it's important to say that we know they are being actively exploited, even if all vulns might be


That's the kind of thing you can say in a comment, rather than in the title.


We've changed the title above to that of the page. (Submitted title was "Apple releases iOS 14.2 and 12.4.9, fixing in-the-wild exploited vulnerabilities".)


I think this is a bad decision. The "in-the-wild" part is the interesting part because it is not the norm at all and it implies an interesting story.


Happy to change it to a better title, i.e. something more accurate and neutral. We're particularly happy to do that with corporate press releases, which often deliberately obscure the situation. But usually that requires a suggestion (and at least partial consensus) from users who understand the story.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...


Yeah, Apple's page titles generally suck, especially when they are presented without context. The big things in this one are that they're pushing fixes to devices that people had considered abandoned for almost two years, and that these fixes explicitly mention that they have been exploited in the wild in what I believe is Apple's second admission of this, and the first time they did so without blaming Google Project Zero of a mischaracterization. That's clearly a bit too much to put in a title, but something like "Apple releases iOS 12.4.9, backporting fixes for severe security vulnerabilities". I'd like to put "exploited in the wild" in there somewhere as well since I think it's an important part of the story, but I am not sure if this would keep it neutral.


It's an idiosyncrasy of the site that we avoid highlighting things in titles ("stories are community property, and submitting one doesn't give anyone the right to editorialize them").

I agree that the title we ended up with is suboptimal! "Exploitable" is a word I'd have been comfortable seeing there. But you take the good with the bad with the HN title rule; the site is primarily about discussion, not about being a noticeboard, and titles determine the discussion we have.


I’m not sure if it actually means “being used to exploit unknowing devices” given that Apple doesn’t define how they use it on that page. It very well could be referring to news about iPhone 12 jailbreaks (not that there is one yet https://twitter.com/fce365/status/1320691136890109952?s=21)


The other thing to consider is that doing a binary diff on the OS before/after patching puts a big red arrow right at the location of the bug, which means that there's no reasonable expectation that it will remain unexploited after the patch.

It's not really that important, really. It's either being exploited yesterday, or tomorrow.


Disagree, if we have proof that it is currently being exploited then that’s the news more than anything else.


Note that there are similar issues in macOS, too. https://support.apple.com/en-us/HT211947 <-- Catalina 10.15.7 Supplemental Update notes


But nothing for macOS 10.14.x, oddly.


Catalina runs on all Macs that support Mojave, which I assume influenced the decision. (I didn't see an iOS 13 update, which helps bolster this theory.)


My guess is that iOS 13 didn't drop support for any devices, and Apple is only releasing a patch for devices that can't upgrade to the newest OS.


This is also my guess ;)


I think it's interesting how iOS exploits are cheaper[1] than Android exploits, because iOS exploits are so plentiful in comparison to Android exploits.

[1] https://arstechnica.com/information-technology/2019/09/for-t...


What about the fact that android has 3 times the market share?


And the fact that android devices are generally patched slower, so an exploit can give you access for longer.


In the US, iOS has the majority of market share at 52.4%, and Android has 47%[1].

[1] https://www.statista.com/statistics/266572/market-share-held...


The US isn't representative of the rest of the world in this regard. That's why any discussion of iMessage is filled with half the people arguing that iMessage is the best thing since sliced bread (Americans) and the other half saying they never use it.


Do Americans really represent half of smart phone users? I would have thought it to be smaller than that given the population of the planet.


I was meaning HN users. In those discussions, it feels like about half are Americans. You’re right if we’re talking about overall users.


This is super interesting. I don’t agree on your explanation. But is there any scholarship on the matter?

Variables appear to be size of user base, average disposable income, mean time to patch and number of competing exploits in the market.


Is that still the case?

The article implies that before it was written that wasn't the case previously.


Does it matter? A full-chain zero-click remote complete compromise for either system is only $2-3 million. That is absolute chump change. 4-6% of households in the US [1], 5-8 million households, have sufficient assets to fully compromise every iPhone or Android in the world. If we consider businesses, I bet that is within the reach of no less than 50% of the businesses (including small businesses) in the US. That is an absurd number of entities where that price point is totally doable.

If a bad actor can derive just $10 on average per phone they attack, then all they need to do is find a way to deploy their $2-3 million exploit to 1 million phones for less than $5 million to make a tidy profit. Given that we are talking about zero-click remote compromises, which means the victim only needs to receive the payload, this means that it is profitable as long as the cost per victim impression is less than $5, a CPM of $5000. With that sort of budget you can embed your attack into an ad and then outbid everybody else by a factor of 10 for placements. You can buy a mailing list and embed your attack as a "payload pixel". If it is a zero-click text message attack then you can buy access to the spam-callers and mass deploy it that way.

These systems are between a factor of 10-100x off of adequate. To care about their relative differences is like debating whether paper mache or tissue paper is better at stopping bullets. One is probably better than the other, but neither provides meaningful protection, so it hardly matters. You need fundamental, qualitative improvements before differences between the solutions provide meaningful effects on outcomes.

[1] https://dqydj.com/average-median-top-net-worth-percentiles/


If bad actors could derive $10 on average from 1MM phones, vulnerabilities would cost substantially more than $2-3MM.


Not really. That is only looking at the demand-side of a supply-demand relationship. Buyers will obviously prefer a cheaper vulnerability with a comparable effect to a more expensive one, so if vulnerabilities are easy to find at a price point where it is profitable to sell them at $2-3MM, then any finder who charges a lower price than others will be more attractive to buyers. This selling competition can easily drive the price down until it is much lower than the potential upside to a buyer of $10MM with a lower bound of the actual cost of discovery (which I already postulated is low enough that $2-3MM is profitable given that Zerodium is able to acquire vulnerabilities for that price) since anything less than the actual cost of discovery is unprofitable. This is the same reason why water is cheap even though it is absolutely essential to human life, it is plentiful and easy to acquire so suppliers compete on price driving it down to a value much closer to the cost of acquisition rather than the maximal upside to the buyer assuming no other alternatives are present.


Zerodium is not generally paying out $2MM for vulnerabilities and the people who acquire vulnerabilities from Zerodium aren't monetizing them directly off the installed base of phones.

An important thing to know about the market for these things is that the "clearing price" of an exploit chain is usually a cap, not an actual price; you're paid in tranches, until the vulnerability is burned. You're hoping it isn't burned before all your tranches are paid.

That has implications for the hypothetical business model you've proposed.


>Does it matter?

Yes?

Considering it was the measuring stick that person seemed to feel was important.


Yes. Here's an article from May of this year[1], where it states that it is still the case.

Also, you can go directly to Zerodium's website, where, as of today, they are still paying more for Android exploits than iOS exploits[2].

[1] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/

[2] http://zerodium.com/program.html


Or possibly because Apple patches quicker so the exploit is less useful.


I’d guess it’s because the individuals worth using a targeted exploit on are more likely to be carrying iPhones.


I think you've misunderstood. iOS exploits are cheaper. If your explanation held, then you'd expect them to be costlier. That said, I'm sure your explanation is a component of their price.


Ha, I’m dumb and can’t read. You’re entirely right.


[flagged]


Functionally, iOS is a much more secure platform. Far more people are updated to the latest iOS version, which makes a huge difference. Apple invests tons of money into secure biometrics, privacy initiatives, and lots more.

At the same time, Android might still have fewer vulnerabilities in the latest versions. It's possible that Android's security technology or coding practices result in fewer security bugs. I don't think that Android has any attack surface equivalent to iMessage (which is written in Objective-C and uses some fairly low-level techniques, if I remember correctly).

A lot fewer people use the latest version of Android, though, so most of that effort goes to waste.


I think a major part of it is that iOS has much less variety.


> Why are you citing a year+ old article? It's clearly out of date

Because it is still the case as of today[1], and nothing of note has changed[2].

> HN has really gone down in quality of readers/commenters.

Ironic, considering this comment violates HN's guidelines.

[1] http://zerodium.com/program.html

[2] https://www.theregister.com/2020/05/14/zerodium_ios_flaws/


What about the "Released November 5, 2020" part of the page? Are you from the future?


It would be better for you to provide the up-to-date information showing otherwise yourself, rather than name-calling


I think this is the first time Apple has mentioned that the bugs they fixed were exploited in the wild? A welcome change if so.


Linking to the 14.2 list (https://support.apple.com/en-us/HT211929) might be better? After clicking the headline link, it took me a few seconds to understand why we were caring about updates for the iPhone 5 and 6...


I think it's worth linking the 12.4.9 page because it's impressive that the software update is available going all the way back to the iPhone 5s. That's some serious longevity.


> That's some serious longevity

Well, yes, it's better than your average Android vendor. But on the other hand Windows 8 was released 2012 (i.e. about a year before iPhone 5s), and is scheduled to get updates until 2023. That is pretty serious longevity. And supporting handful of Apple devices must be comparatively simpler than supporting the hodgepodge fleet of Windows 8 devices.


8.0 which was released in 2012 is no longer supported, with the last updates landing in early 2016. [1]

8.1 on the other hand _is_ supported until 2023. [2]

The majority of 8.0 users immediately upgraded to 8.1 (because 8.0 was slightly terrible), so you're mostly correct. 10 years of support is pretty standard for Windows releases.

[1] https://docs.microsoft.com/en-ca/lifecycle/products/windows-...

[2] https://docs.microsoft.com/en-ca/lifecycle/products/windows-...


Apples (ha!) to Oranges. Personal computers cost, on average, 2-4 times what the 5S cost in its day, and are expected to last much longer than a phone (as evidenced by the lack of uproar that all phone vendors including Microsoft drop support within 2-3 years ... except Apple).


The problem with these updates is that it's only for devices that can only support up to iOS 12 (in this case) - if you have another device that supports anything higher but don't want to upgrade to the latest iOS, you still won't get these iOS 12 security updates - they force you to upgrade the entire OS to get them.


You're literally saying you have the ability to update, but don't want to, and so it's unfair you can't update.


Not exactly - more like being denied the ability to not have a specific OS version forced on someone if they want their device to stay secured.

Being able to stay secured with the latest patches shouldn’t require one to be forced to get the unwanted memory/resource hogging “features” of newer OS releases.


Can these vulns be used to jailbreak a phone?


Anybody get a bittersweet feeling whenever these reported and fixed security exploit announcements happen?

It's good that users aren't going to risk getting hacked by such vulnerabilities, but it's bad that users can no longer use these exploits to gain administrative control over their property.


Never mind right to repair, how about right to own...

The fact that you're even being downvoted for this shows just how far the authoritarian control-freaks have taken over and brainwashed everyone with paranoia to jump right into their jail.


Apple isn't going to force you to update your device, so you can stay on an older version if you want jailbreaks.


Apple doesn't allow downgrading (and it's gotten even harder with Touch/Face ID not being downgradable with SHSH blobs), so people who accidentally update, or get their hardware replaced in a repair, are SOL.


Users buying new devices that automatically update on activation aren't going to have that choice.


Users that care about having control over their devices shouldn't be buying Apple hardware in the first place. Not that I support Apple's anti-consumer practices, but if you buy one of their products, you have to know what you're getting yourself into.


If you want a phone that you have control over, don't buy one from Apple... At this point in time, choices are mostly limited to Librem and PinePhone.


FairPhone too?


The users of these devices know they are serfs in the Apple ecosystem. People who want devices they can control buy other devices.


Maybe I got hit with one of these, my phone stopped being able to answer phone calls and auto focus stopped working (like something reflashed the firmware on a bunch of the internal peripherals).

I was going to wait until the software on my pinephone was more mature but that pushed me over the edge to get power management working on my own and make sure it could make phone calls. I think dumping iOS has done a lot for my mental health and I'm glad to have left it.


Per PZ, the attacks here are targeted, meaning that the people exploiting them spent a fair bit of money to get these exploits, and are presumably very unhappy that they are burned. Unless you are special, it's unlikely that you got hit with one of these.


> I was going to wait until the software on my pinephone was more mature but that pushed me over the edge to get power management working on my own and make sure it could make phone calls.

I guess stress is personal, because this sounds way more stressful than anything I've had to deal with on iOS! And I say that as someone who'd like to get a more open (hardware and software) phone in the future.


iOS wasn't stressing me directly, it was that the UI is built to encourage compulsive media consumption and that was eating into other parts of my life like work (which is stressful).


You can turn off notification badges per app.



