Even if there was no mention of this or the implication that it’s linked to the notifications Apple sends for targeted attacks, is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability? What’s Apple’s default time frame for security support?
Edit: I should've read, "Impact: Processing a malicious image file may result in memory corruption."
So simply receiving an image via SMS or loading it in some other way likely accomplishes the initial exploit, so yeah, zero click exploit. Always bad.
That is my assumption, that the result is a pretty severe impact and/or the victim has little to no way to prevent it (zero click situation).
Granted I can't speak for Apple, but I was thinking along the same lines you were.
This isn't thaaaaat far out of support. Their last security update for iOS 15 was just earlier this year, and they only dropped iPhone 6s from new major versions with iOS 16 a few years ago. As someone who has kept my last few iPhones for 5+ years each, I definitely appreciate that they keep a much longer support window than most folks on the Android side of things.
I assume they know just how long their customers keep their phones and maintain them accordingly.
I fully expect to be using my current Android phone into the 2030s.
I'm migrating from my 5 year old flagship (lol) only because vendor decided to stop supporting it. Battery still good for a day, great screen, good enough camera, fantastic sound, ssd card slot...
My next has at least 7 years of mainline support (with all AOSP releases) plus at least couple of years damage control updates.
It's a matter of the choose I think.
I worked at a restaurant chain and I remember it being a whole thing to even consider reworking the POS tables + software due to rising costs.
The 6S was discontinued in 2018, which would give it support until at least 2023, so we aren’t too far beyond that.
Pixels 6-7 got 5 years. I'd say that's on the low end of okay.
For "lol" you have to go back to 2021 or earlier. Or look at some of Motorola's offerings.
It seems to me that this exploit was used in a chain with a WhatsApp issue that would trigger the malicious DNG data to be loaded as a zero click, presumably just into WhatsApp. It’s unclear to me if there was a sandbox escape or kernel vulnerability used along with this; it might have been used to exfiltrate WhatsApp messages only.
This would explain why there’s only a single patch for a simple memory corruption issue; usually an attacker would need a lot of chained vulnerabilities to bypass mitigations on iOS, but if the vulnerability is in the exact target application to begin with, it sure does make things easier.
bigyabai•1h ago
Fucked-up world we live in where a disposable vape can be reused for more purposes than an iPhone with expired software support.
duxup•1h ago
My pile of old android phones ... they sadly do not live long overall as far as a % of survivors goes. A few have lived long lives for sure, but overall not as many as my old iPhones.
MrTrvp•1h ago
duxup•1h ago
galaxy_gas•1h ago
chasil•1h ago
Gigachad•1h ago
chasil•54m ago
Every version of Lineage offers rooted debugging, even without Magisk.
I know that root can be obtained in iOS, but Apple really prefers that users be restrained from this capability.
duxup•1h ago
Granted, there's PLENTY of other good reasons to make that choice even with that condition. So I don't disagree generally.
bigyabai•57m ago
My Android phones still do everything they say on the tin. Regardless, you've worded your entire argument to be orthogonal to my original point so it's clear you're not arguing in good faith. Nothing you ever said was related to the principles I mentioned, just what you consider to be personally valuable. Which is fine, but akin to responding to a health food nut by saying how great burgers taste.