Apple Withdraws iOS 18 Security Updates

https://www.forbes.com/sites/zakdoffman/2025/12/27/apples-iphone-upgrade-hundreds-of-millions-of-users-must-act-now/

40•zaltekk•3w ago

Comments

OkGoDoIt•3w ago

iOS 18 with glaring, actively-exploited security holes is still better than iOS 26.

alephnerd•3w ago

This is very bad advice given that this CVE allows DCE.

Unless you are someone with significant security experience (which most HNers don't have), do not roll the dice with out-in-the-wild exploits, especially given how most people rely on their smartphones to a significant degree.

theogravity•3w ago

If I'm on 18.7.1, do I still need to upgrade?

https://www.cvedetails.com/version/2021355/Apple-Iphone-Os-1...

seems to be the same as 18.7.2

https://www.cvedetails.com/version/2037518/Apple-Iphone-Os-1...

alephnerd•3w ago

Most likely. This is a WebKit issue whose patch is only shipped with iOS 26.2 or iOS 18.7.3 (but that's only available to a subset of iPhone and iPadOS devices).

gruez•3w ago

See: https://support.apple.com/en-us/125885

nazgu1•3w ago

Apple artificial move to encourage people to upgrade… if they could release security update for older iPhones they can release it for the rest of models…

schmuckonwheels•3w ago

Absolutely. This reeks.

My iPads on 18.7.3 just yesterday started pushing notifications to upgrade to 26.2 again.

Guess Apple wants to pump up those numbers. If they really cared, if they had an ethical bone in their body, they would release 18.7.3 to the public WHICH THEY ALREADY HAVE STAGED.

This is more like blackmail where they are dangling these security issues over everyone's head as some scare tactic to upgrade, instead of giving everyone access to the iOS 18 security patch which already exists.

gruez•3w ago

>If they really cared, if they had an ethical bone in their body, they would release 18.7.3 to the public WHICH THEY ALREADY HAVE STAGED.

>This is more like blackmail where they are dangling these security issues over everyone's head as some scare tactic to upgrade, instead of giving everyone access to the iOS 18 security patch which already exists.

18.7.3 was released a month ago. Anyone who cared about security updates would have already gotten it using the beta workaround. Anyone who's apathetic about updates isn't going to be swayed by 18.7.3 vs 26.2.

nabbed•3w ago

Odd, I have an iPhone 11 on 18.6.2 and the Software Update page offers me nothing, just says "iOS is up to date".

A few weeks ago it was offering me iOS 26, but not anymore.

nabbed•3w ago

OK, I had iOS 18 beta selected. I turned that off and IOS 26.2 magically reappeared as an offering. I guess since 18.7.3 is not going to be offered to me, I must install 26.2.

schmuckonwheels•3w ago

18.7.3 is no longer available as beta? It was as of a few weeks ago. Public or Developer beta?

nabbed•3w ago

A few weeks ago, with 18 Developer Beta selected. 18.7.3 was offered to me. But not now.

1over137•3w ago

Guess some high up at Apple noticed iOS 26 adoption is low:

https://mjtsai.com/blog/2026/01/09/slow-ios-26-adoption/

neuralkoi•3w ago

Forced obsolescence due to the iOS 26 bloat triggers a forced upgrade cycle.

More iPhone sales! Some VP up there is popping champagne after getting the genius idea to disguise it as a security feature and force it down people's throats.

sillywalk•3w ago

I don't know if it still works, but there was a way to get 18.7.3, for devices pushed to "upgrade" to Tahoe by enabling ios 18 beta releases.

DustinEchoes•3w ago

They closed that loophole a couple weeks ago. 18.7.3 is no longer available for phones that can run 26.

kasabali•3w ago

> CVE-2025-43529 allows threat actors a direct code execution capability, while CVE-2025-14174 provides the much needed sandbox escape and privilege escalation capabilities which makes it devastating

Good news for people wanting to run the code they want on their own devices?

alephnerd•3w ago

Yep! It's good for jailbreaking, but it's a double edged sword because it's a similar approach that offensive actors use.

Most users lack the domain experience needed to protect and maintain hygiene against threat actors.

red-iron-pine•3w ago

you and your friends can both run code on your device!

this assumes your friends are actually a North Korean APT

gruez•3w ago

Note the CVEs discussed were patches almost a month ago with iOS 18.7.3. If you used the beta workaround[1] to get that, you're safe and don't have to upgrade to iOS 26... for now.

[1] eg. https://news.ycombinator.com/item?id=46264741

handsclean•3w ago

I rejected iOS 26 for a while and boy did my opinion on whether Apple forces version changes do a 180. Everything people lambast Windows for was there. Nags with no “no” option, a red notification badge you can’t dismiss, scare dialogs, and disabling unrelated features. This latest slimy behavior is unfortunately quite consistent with how Apple treats disobedient iOS users.

On macOS they still seem to be stopped by firm enough non-consent, but they really try to force you first, and I get the impression they may do worse any year now.

trashface•3w ago

Jokes on them, I ran android for years, I'm used to no security updates. iOS 18 forever!

bob1029•3w ago

> Take this seriously. If your iPhone does not have Apple’s new update, you must install it now. We know attacks on iPhones have started. We have been warned the threat will extend well beyond those highly targeted initial attacks. And hundreds of millions of iPhone users are also now facing down an unwelcome surprise.

It's hard to take this seriously.

randyrand•3w ago

If you’re in the public beta program you’ll already have this update.

ryuzaburo•2w ago

We need to stop viewing these iOS 18 patches as mere "fixes." For sophisticated attackers, these release notes serve as "CVE Feature Catalogs" to weaponize simple human errors.

I’m currently finalizing a detailed forensic report on a real-world incident where I was the target of this exact attack chain. It began with a casual social encounter—a classic shoulder-surfing of my 6-digit passcode—but escalated through the unpatched vulnerabilities I’m now documenting.

As an IT architect, I’ve spent the last few weeks performing a deep-dive into the device logs to understand the "Authorization Gap" that allowed this to happen. What I found is terrifying: a single unpatched CVE combined with a stolen passcode effectively turns an iPhone into an identity-theft kit. Leaving these updates unpatched isn't just a security risk; it’s providing the final components for your own identity’s subversion. I’m sharing this because this isn't theoretical—it’s a systemic failure that is already being exploited.

The AI Talent War Is for Plumbers and Electricians

Show HN: MimiClaw, OpenClaw(Clawdbot)on $5 Chips

I Maintain My Blog in the Age of Agents

The Fall of the Nerds

I'm 15 and built a free tool for reading Greek/Latin texts. Would love feedback

How close is AI to taking my job?

You are the reason I am not reviewing this PR

Show HN: FamilyMemories.video – Turn static old photos into 5s AI videos

How Meta Made Linux a Planet-Scale Load Balancer

A Turing Test for AI Coding

How to Identify and Eliminate Unused AWS Resources

A2CDVI – HDMI output from from the Apple IIc's digital video output connector

CLI for Common Playwright Actions

Would you use an e-commerce platform that shares transaction fees with users?

Show HN: SafeClaw – a way to manage multiple Claude Code instances in containers

The Future of the Global Open-Source AI Ecosystem: From DeepSeek to AI+

The Evolution of the Interface

Azure: Virtual network routing appliance overview

Seedance2 – multi-shot AI video generation

Πfs – The Data-Free Filesystem

Go-busybox: A sandboxable port of busybox for AI agents

Quantization-Aware Distillation for NVFP4 Inference Accuracy Recovery [pdf]

xAI Merger Poses Bigger Threat to OpenAI, Anthropic

Atlas Airborne (Boston Dynamics and RAI Institute) [video]

Zen Tools

Is the Detachment in the Room? – Agents, Cruelty, and Empathy

The purpose of Continuous Integration is to fail

Apfelstrudel: Live coding music environment with AI agent chat

What Is Stoicism?

What happens when a neighborhood is built around a farm

The AI Talent War Is for Plumbers and Electricians

Show HN: MimiClaw, OpenClaw(Clawdbot)on $5 Chips

I Maintain My Blog in the Age of Agents

The Fall of the Nerds

I'm 15 and built a free tool for reading Greek/Latin texts. Would love feedback

How close is AI to taking my job?

You are the reason I am not reviewing this PR

Show HN: FamilyMemories.video – Turn static old photos into 5s AI videos

How Meta Made Linux a Planet-Scale Load Balancer

A Turing Test for AI Coding

How to Identify and Eliminate Unused AWS Resources

A2CDVI – HDMI output from from the Apple IIc's digital video output connector

CLI for Common Playwright Actions

Would you use an e-commerce platform that shares transaction fees with users?

Show HN: SafeClaw – a way to manage multiple Claude Code instances in containers

The Future of the Global Open-Source AI Ecosystem: From DeepSeek to AI+

The Evolution of the Interface

Azure: Virtual network routing appliance overview

Seedance2 – multi-shot AI video generation

Πfs – The Data-Free Filesystem

Go-busybox: A sandboxable port of busybox for AI agents

Quantization-Aware Distillation for NVFP4 Inference Accuracy Recovery [pdf]

xAI Merger Poses Bigger Threat to OpenAI, Anthropic

Atlas Airborne (Boston Dynamics and RAI Institute) [video]

Zen Tools

Is the Detachment in the Room? – Agents, Cruelty, and Empathy

The purpose of Continuous Integration is to fail

Apfelstrudel: Live coding music environment with AI agent chat

What Is Stoicism?

What happens when a neighborhood is built around a farm

Apple Withdraws iOS 18 Security Updates

Comments