Even if there was no mention of this or the implication that it’s linked to the notifications Apple sends for targeted attacks, is it fair to say this kind of backdated security patch implies a lot about the severity of the vulnerability? What’s Apple’s default time frame for security support?
Edit: I should've read, "Impact: Processing a malicious image file may result in memory corruption."
So simply receiving an image via SMS or loading it in some other way likely accomplishes the initial exploit, so yeah, zero click exploit. Always bad.
That is my assumption, that the result is a pretty severe impact and/or the victim has little to no way to prevent it (zero click situation).
Granted I can't speak for Apple, but I was thinking along the same lines you were.
This isn't thaaaaat far out of support. Their last security update for iOS 15 was just earlier this year, and they only dropped iPhone 6s from new major versions with iOS 16 a few years ago. As someone who has kept my last few iPhones for 5+ years each, I definitely appreciate that they keep a much longer support window than most folks on the Android side of things.
I assume they know just how long their customers keep their phones and maintain them accordingly.
I fully expect to be using my current Android phone into the 2030s.
I'm migrating from my 5 year old flagship (lol) only because vendor decided to stop supporting it. Battery still good for a day, great screen, good enough camera, fantastic sound, ssd card slot...
My next has at least 7 years of mainline support (with all AOSP releases) plus at least couple of years damage control updates.
It's a matter of the choose I think.
I worked at a restaurant chain and I remember it being a whole thing to even consider reworking the POS tables + software due to rising costs.
Also my company, as well as at least 1 other I know of that uses iPads, don’t sell the iPads to the stores, they replace or buy their iPads directly from Apple. Smaller places handle it all themselves, larger might use MDM but they are buying them at-cost.
I’m not saying everyone does that, just that I’m not aware of it.
The 6S was discontinued in 2018, which would give it support until at least 2023, so we aren’t too far beyond that.
The full exploit chain seems to target WhatsApp directly using a second bug in WhatsApp; although this vulnerability is definitely present anywhere this kind of image is processed using Apple’s native image support, it would usually be aggressively sandboxed (in iMessage by BlastDoor and in Safari by the web content sandbox), so you’d need a lot more vulnerabilities than those that are currently disclosed to make it useful in those places. A bug in WhatsApp itself is particularly bad in terms of spyware actors, since it leaves one of their most popular targets, WhatsApp, vulnerable without a significantly more complex kernel escalation and sandbox bypass.
Pixels 6-7 got 5 years. I'd say that's on the low end of okay.
For "lol" you have to go back to 2021 or earlier. Or look at some of Motorola's offerings.
It seems to me that this exploit was used in a chain with a WhatsApp issue that would trigger the malicious DNG data to be loaded as a zero click, presumably just into WhatsApp. It’s unclear to me if there was a sandbox escape or kernel vulnerability used along with this; it might have been used to exfiltrate WhatsApp messages only.
This would explain why there’s only a single patch for a simple memory corruption issue; usually an attacker would need a lot of chained vulnerabilities to bypass mitigations on iOS, but if the vulnerability is in the exact target application to begin with, it sure does make things easier.
bigyabai•1h ago
Fucked-up world we live in where a disposable vape can be reused for more purposes than an iPhone with expired software support.
duxup•1h ago
My pile of old android phones ... they sadly do not live long overall as far as a % of survivors goes. A few have lived long lives for sure, but overall not as many as my old iPhones.
MrTrvp•1h ago
duxup•1h ago
galaxy_gas•1h ago
chasil•1h ago
Gigachad•1h ago
chasil•1h ago
Every version of Lineage offers rooted debugging, even without Magisk.
I know that root can be obtained in iOS, but Apple really prefers that users be restrained from this capability.
duxup•1h ago
Granted, there's PLENTY of other good reasons to make that choice even with that condition. So I don't disagree generally.
bigyabai•1h ago
My Android phones still do everything they say on the tin. Regardless, you've worded your entire argument to be orthogonal to my original point so it's clear you're not arguing in good faith. Nothing you ever said was related to the principles I mentioned, just what you consider to be personally valuable. Which is fine, but akin to responding to a health food nut by saying how great burgers taste.
rgovostes•14m ago
The latest release of Xcode, Xcode 26, still allows you to build apps for iOS 15. At some point you will have the secondary problem of needing an older Xcode which only runs on an older macOS, though Apple has been doing the minimum to make it possible to acquire both of these.
With a free Apple Developer account, you can sign and side load your apps, but they expire every 7 days, and you wouldn't be able to add any restricted entitlements. But the TrollStore exploit (https://github.com/opa334/TrollStore), which I cannot vouch for, seems to work around these limits.
So: It seems like if you are the kind of person who keeps disposable vapes to reprogram the microcontrollers, the iPhone 6S should actually be an attractive device worth keeping:
- Runs an operating system released in September 2021 and received regular bug fixes and security updates through July 2024. Still receives occasional security updates as of September 2025. Not completely end-of-life.
- Supported by the latest developer tools, probably through June 2026, with older downloads available (https://xcodereleases.com/).
- Known jailbreaks and exploits to maximize utility.
It's not surprising that the trade-in value for a 10-year-old device is nil, but on the secondary market they fetch about $60 (https://swappa.com/prices/apple-iphone-6s) which is not bad if you consider the device capabilities compared to most hobbyist devkits.