Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware

2/12/2026 at 3:58:12 PM

So the exploiters have deprecated that version of spyware and moved on I see. This has been the case every other time. The state actors realize that there's too many fingers in the pie (every other nation has caught on), the exploit is leaked and patched. Meanwhile, all actors have moved on to something even better.

Remember when Apple touted the security platform all-up and a short-time later we learned that an adversary could SMS you and pwn your phone without so much as a link to be clicked.

KSIMET: 2020, FORCEDENTRY: 2021, PWNYOURHOME, FINDMYPWN: 2022, BLASTPASS: 2023

Each time NSO had the next chain ready prior to patch.

I recall working at a lab a decade ago where we were touting full end-to-end exploit chain on the same day that the target product was announcing full end-to-end encryption -- that we could bypass with a click.

It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.

by dudeinhawaii

2/12/2026 at 4:13:00 PM

How much do you think Lockdown Mode + MIE/eMTE helps? Do you believe state actors work with manufacturers to find/introduce new attack vectors?

by whitepoplar

2/12/2026 at 4:20:31 PM

My iOS devices have been repeatedly breached over the last few years, even with Lockdown mode and restrictive (no iCloud, Siri, Facetime, AirDrop ) MDM policy via Apple Configurator. Since moving to 2025 iPad Pro with MIE/eMTE and Apple (not Broadcom & Qualcomm) radio basebands, it has been relatively peaceful. Until the last couple of weeks, maybe due to leakage of this zero day and PoC as iOS 26.3 was being tested.

by walterbell

2/12/2026 at 4:26:56 PM

Are you a person of high interest? I was under the impression that these sorts of breaches only happen to journalists, state officials, etc.

by whitepoplar

2/12/2026 at 4:30:25 PM

Who knows? Does HN count as journalism :)

I would happily pay Apple an annual subscription fee to run iOS N-1 with backported security fixes from iOS N, along with the ability to restore local data backups to supervised devices (which currently requires at least 2 devices, one for golden image capture and one for restore, i.e. "enterprise" use case). I accept that Apple devices will be compromised (keep valuable data elsewhere), but I want fast detection and restore for availability.

GrapheneOS on Pixel and Pixel Tablet have been anomaly free, but Android tablet usability is << Apple iPad Pro.

USB with custom Debian Live ISO booted into RAM is useful for generic terminal or web browsing.

by walterbell

2/12/2026 at 7:34:35 PM

could you please elaborate on how you determine that your devices have been breached? e.g. referring to "anomaly free" makes it sound like you might witnessing non-security related unexpected behaviour? sorry for the doubt, i'm curious

by throawayonthe

2/13/2026 at 2:24:53 AM

Explained at length below: after subjective indicator of possible breach, by monitoring, allowlisting and then deleting outbound network traffic sources (i.e. apps) on the device, then look closely at any remaining, non-allowlisted traffic, which should be zero.

apps: https://news.ycombinator.com/item?id=46993016 | https://news.ycombinator.com/item?id=46997970

Apple: https://news.ycombinator.com/item?id=46994394

by walterbell

2/12/2026 at 6:19:50 PM

First idea if great honestly - lots of vendors do this. I use Firefox long term stable and Chrome offers this for enterprise customers. Windows even offers multiple options of this (LTSC being the best by far).

Would also make a great corporate / government product - I doubt they care about charging the average consumer for such a subscription (not enough revenue) but I can see risk averse businesses and especially government sectors being interested.

by Melatonic

2/12/2026 at 7:07:48 PM

You can already do that?

Apple offers that to all customers who open up an enterprise account and direct billing line.

by MichaelZuo

2/12/2026 at 7:37:34 PM

  You can already do that?
  Apple offers that to all customers who open up an enterprise account and direct billing line

What's the name of the feature for Apple Enterprise customers that would allow iOS 18 to be installed on a newly provisioned device today?

Downgrades are not supported by Apple Business Manager MDM and there's no reference to downgrades on the Enterprise page, https://www.apple.com/business/enterprise/

by walterbell

2/13/2026 at 3:13:11 AM

By definition you will have access to things Apple wont publish or support at subsidized rates below the fully loaded hourly cost of a senior engineer.

Because you will be paying the full unsubsidized rate for any support needed for features not available to the mass market.

Its like how IBM will gladly send a team of senior engineers to help enterprise clients resolve every last possible request.

Edit: As compared to mass market features, where the economics dont work unless they’re close to 100% certain most users wont require any costly support.

by MichaelZuo

2/13/2026 at 3:38:32 AM

Would the following be possible, in principle?

  - Signup for Apple Enterprise account with direct billing
  - Buy one hardware device direct via Enterprise account
  - Buy one MDM license for the hardware device
  - Sign contract for support at $500/hr, no minimum commitment
  - Get access to docs & tools for iOS 18 on new hardware (don't need support)

Apple Enterprise Developer account requires 100 employees minimum, but Apple Enterprise does not.

by walterbell

2/13/2026 at 1:04:21 AM

Just to save everyone the read, reading through the replies, this person is very clearly paranoid and has no clear evidence of an actual breach. I have zero idea why people are actually engaging with this.

by UqWBcuFx6NV4r

2/13/2026 at 2:07:12 AM

This thread (on a story about 10 year old 0-day that exposed 2 billion devices to potential breach!) has many comments questioning the mere possibility of repeated breach, yet not a single comment engaging the point of my original post -- that Apple's 2025 introduction of MIE/eMTE changed the observable device behavior vs. Apple devices of the previous five years. On the new iPad Pro, MIE was shipped alongside Apple's $1B investment in modem technology to replace Qualcomm cellular and Broadcom WiFi/BT radios used on billions of existing devices.

"Memory Integrity Enforcement" (2025), 250 comments, https://news.ycombinator.com/item?id=45186265

  Memory Integrity Enforcement (MIE) is the culmination of an unprecedented design and engineering effort, spanning half a decade, that combines the unique strengths of Apple silicon hardware with our advanced operating system security to provide industry-first, always-on memory safety protection across our devices — without compromising our best-in-class device performance. We believe Memory Integrity Enforcement represents the most significant upgrade to memory safety in the history of consumer operating systems.

> has no clear evidence of an actual breach

If the perceived breaches during 5 years of using multiple generations of Apple devices were due to methodology errors leading to false positives, why did they stop after moving to 2025 Apple hardware with MIE and Apple-only radio basebands?

by walterbell

2/12/2026 at 4:27:40 PM

How can you tell that you were breached?

by drakenot

2/12/2026 at 4:28:30 PM

Presence of one or more: unexpected outbound traffic observed via Ethernet, increased battery consumption, interactive response glitching, display anomalies ... and their absence after hard reset key sequence to evict non-persistent malware. Then log review.

by walterbell

2/12/2026 at 5:22:21 PM

What are examples of logs that you're considering IOCs? The picture you are painting is basically that most everyone is already compromised most of the time, which is ... hard to swallow.

by amazingman

2/12/2026 at 5:39:04 PM

I reported the experience on my devices, which said nothing about "everyone".

by walterbell

2/12/2026 at 4:38:27 PM

How did you link that traffic to malicious activity?

by acdha

2/12/2026 at 4:44:16 PM

By minimizing apps on device, blocking all traffic to Apple 17.x, using Charles Proxy (and NetGuard on Android) to allowlist IP/port for the remaining apps at the router level, and then manually inspecting all other network activity from the device. Also the disappearance of said traffic after hard-reset.

Sometimes there were anomalies in app logs (iOS Settings - Analytics) or sysdiagnose logs. Sadly iOS 26 started deleting logs that have been used in the past to look for IOCs.

by walterbell

2/12/2026 at 7:54:00 PM

How did you determine that a connection was malicious? Modern apps are noisy with all of the telemetry and ad traffic, and that includes a fair amount of background activity. If all you’re seeing are connections to AWS, GCP, etc. it’s highly unlikely that it’s a compromise.

Similarly, when you talk about it going away after a reset that seems more like normal app activity stopping until you restart the app.

by acdha

2/13/2026 at 3:40:58 AM

Summary: https://news.ycombinator.com/item?id=46998191

by walterbell

2/12/2026 at 6:22:00 PM

Are you sure whatever you have configured in the MDM profile or one of these apps like Charles Proxy is not the source of the traffic?

Are you using a simple config profile on iOS to redirect DNS and if so how are you generating it ? Full MDM or what are you adding to the profile ?

by Melatonic

2/12/2026 at 6:35:46 PM

Traffic was monitored on a physical ethernet cable via USB ethernet adapter to iOS device.

Charles Proxy was only used to time-associate manual application launch with attempts to reach destination hostnames and ports, to allowlist those on the separate physical router. If there was an open question about an app being a potential source of unexpected packets, the app was offloaded (data stayed on device, but app cannot be started).

MDM was not used to redirect DNS, only toggling features off in Apple Configurator.

by walterbell

2/13/2026 at 2:31:19 AM

Surely you used several USB Ethernet adapters to rule them out as being the source as well right? Those types of dongles are well known for calling home.

by universenz

2/13/2026 at 3:42:11 AM

Good observation :) Multiple ethernet adapters: Apple original (ancient USB2 10/100), Tier 1 PC OEM, plus a few random ones. Some USB adapters emit more RF than others.

by walterbell

2/13/2026 at 4:32:32 AM

And your sure it wasn't some built in Apple service ? I believe they host a ton on GCP

by Melatonic

2/13/2026 at 5:55:51 AM

It excluded the published hostnames for services and CDNs (some of which resolved to GCP, Akamai, etc) published by Apple for sysadmins of enterprise networks, https://news.ycombinator.com/item?id=46994394. It's indeed possible that one of the unknown destination IPs could have been an undocumented Apple service, but some (e.g. OVH) seem unlikely.

by walterbell

2/12/2026 at 4:36:18 PM

To where?

by nickburns

2/12/2026 at 4:52:39 PM

Usually a generic cloud provider, not unique, identifying or stable.

by walterbell

2/12/2026 at 5:51:51 PM

So how did you identify this as a breach? I'm struggling to find this credible, and you've yet to provide specifics.

Right now it comes across as "just enough knowledge to be dangerous"-levels, meaning: you've seen things, don't understand those things, and draw an unfounded conclusion.

Feel free to provide specifics, like log entry lines, that show this breach.

by Someone1234

2/12/2026 at 5:54:33 PM

Please feel free to ignore this sub-thread. I'm merely happy that Apple finally shipped an iPad that would last (for me! no claims about anyone else!) more than a few weeks without falling over.

To learn iOS forensics, try Corellium iPhone emulated VMs that are available to security researchers, the open-source QEMU emulation of iPhone 11 [1] where iOS behavior can be observed directly, paid training [2] on iOS forensics, or enter keywords from that course outline into web search/LLM for a crash course.

[1] https://news.ycombinator.com/item?id=44258670

[2] https://ringzer0.training/countermeasure25-apple-ios-forensi...

by walterbell

2/12/2026 at 8:00:36 PM

I worked at Corellium tracking sophisticated threats. Nothing you’ve posted is indicative of a compromise. If you’re convinced I’d be happy to go through your IOCs and try to explain them to you.

by saagarjha

2/12/2026 at 8:56:27 PM

Thanks. In this thread, I was trying to share a positive story about the recent iPad Pro _NOT_ exhibiting the many issues I observed over 5 years and multiple generations of iPhones and iPad Pros. If any new issues surface, I'll archive immutable logs for others to review.

by walterbell

2/12/2026 at 6:11:00 PM

I think this just further highlights my credibility point.

by Someone1234

2/12/2026 at 6:25:10 PM

With the link I provided, a hacker can use iOS emulated in QEMU for:

  • Restore / Boot
  • Software rendering
  • Kernel and userspace debugging
  • Pairing with the host
  • Serial / SSH access
  • Multitouch
  • Network
  • Install and run any arbitrary IPA

Unlike a locked-down physical Apple device. It's a good starting point.

by walterbell

2/12/2026 at 6:55:56 PM

I'm much more convinced that you're competent in the field of forensics. But I still don't think suspicious network traffic can be categorically defined as a 'device breach.'

For all you know, the traffic you've observed and deem malicious could just as well have been destined for Apple servers.

by nickburns

2/12/2026 at 8:08:31 PM

Apple traffic goes to 17.0.0.0/8 + CDNs aliased to .apple.com, which my egress router blocks except for Apple-documented endpoints for notifications and software update, https://support.apple.com/en-us/101555

appldnld.apple.com configuration.apple.com gdmf.apple.com gg.apple.com gs.apple.com ig.apple.com mesu.apple.com mesu.apple.com ns.itunes.apple.com oscdn.apple.com osrecovery.apple.com skl.apple.com swcdn.apple.com swdist.apple.com swdownload.apple.com swscan.apple.com updates.cdn-apple.com updates-http.cdn-apple.com xp.apple.com

There was no overlap between unexpected traffic and Apple CDN vendors.

by walterbell

2/12/2026 at 8:17:10 PM

'Apple-documented' being operative here.

by nickburns

2/12/2026 at 8:36:49 PM

True, perhaps OVH in Germany (one anomaly example) is an Apple vendor. No way to know.

by walterbell

2/12/2026 at 7:51:39 PM

They said upthread that they had blocked 17.0.0.0/8 ("Apple"), but maybe there are teams inside Apple that are somehow operating services outside of Apple's /8 in the name of Velocity? I kind of doubt it, though, because they don't seem like the kind of company that would allow for that kind of cowboying.

by philsnow

2/12/2026 at 7:55:02 PM

I don't doubt it in the slightest. Every corporate surveillance firm—I mean, third-party CDN in existence ostensibly operates in the name of 'velocity'.

by nickburns

2/12/2026 at 7:59:08 PM

Apple has used AWS and Cloudflare in the past, too, so it’s not like seeing that traffic is a reliable indicator of compromise.

by acdha

2/12/2026 at 4:48:27 PM

LOL. Aren't you a little paranoid?

by meindnoch

2/12/2026 at 5:22:23 PM

Just trying to use expensive tablets in peace. Eventually stopped buying new models due to breaches.

After a few years, bought the 2025 iPad Pro to see if MTE/eMTE would help, and it did.

by walterbell

2/12/2026 at 7:53:44 PM

There’s no hard evidence that you’ve put forward that you’ve been breached.

Not understanding every bit of traffic from your device with hundreds of services and dozens of apps running is not evidence of a breach.

Have you found unsigned/unauthorized software? Have you traced traffic to a known malware collection endpoint? Have you recovered artifacts from malware?

Strong claims require strong evidence imo and this isn’t it.

by radicaldreamer

2/13/2026 at 1:52:49 AM

As mentioned elsewhere in this thread, traffic from each iOS app was traced via Charles Proxy, the endpoints allowlisted for normal behavior, and finally the app was offloaded so it could not generate any traffic from the device. Over time, this provided a baseline of known outbound traffic from the device, e.g. after provisioning a new device with a small number of trusted apps.

Apple traffic was isolated separately, https://news.ycombinator.com/item?id=46994394

Traffic outside that baseline could then be reviewed closely.

by walterbell

2/12/2026 at 7:30:47 PM

Lol 'breaches'.

I agree with other posters that you seem to be capable of network level forensics, but you have said nothing to back up what you consider a device breach other than 'some cloud destined network traffic which disapears after a hard reset'.

In my experience of forensic reports, this link is tenuous at best and would not be considered evidence or even suspected breach based on that alone.

by alt227

2/12/2026 at 5:04:22 PM

[flagged]

by avazhi

2/12/2026 at 6:16:23 PM

I don't think that proves they've been breached. Are you sure your not just seeing keep alive traffic or something random you haven't taken into account ?

by Melatonic

2/13/2026 at 3:51:07 AM

Much time was taken to separate known from unknown traffic, https://news.ycombinator.com/item?id=46998191

by walterbell

2/12/2026 at 7:00:59 PM

Sounds like it is time to drop Apple devices and move to Graphene.

by drnick1

2/12/2026 at 8:17:34 PM

From another comment - I switched phone to Pixel and it has worked well, with a separate profile for apps that require Google Play Services.

> GrapheneOS on Pixel and Pixel Tablet have been anomaly free, but Android tablet usability is << Apple iPad Pro.

iPad Pro with Magic Keyboard and 4:3 screen is an engineering marvel. The UX overhead of Pixel Tablet and inconsistency of Android apps made workflows slow or even impractical, so I eventually went back to iPad and accepted the cost/pain of re-imaging periodically, plus having a hot-spare device,

by walterbell

2/12/2026 at 10:50:45 PM

Graphene does not use the Pixel UI by default, it's very barebones. IMO, it's much better than the bloated Google UI.

by drnick1

2/12/2026 at 5:31:41 PM

> restrictive (no iCloud, Siri, Facetime, AirDrop ) MDM policy via Apple Configurator

MDM? That doesn't surprise me. Do you want to know how _utterly_ trivial MDM is to bypass on Apple Silicon? This is the way I've done it multiple times (and I suspect there are others):

Monterey USB installer (or Configurator + IPSW)

Begin installation.

At the point of the reboot mid-installation, remove Internet access, or, more specifically, make sure the Mac cannot DNS resolve: iprofiles.apple.com, mdmenrollment.apple.com, deviceenrollment.apple.com.

Continue installation and complete.

Add 0.0.0.0 entries for these three hostnames to /etc/hosts (or just keep the above "null routed" at your DNS server/router.

Tada. That's it. I wish there was more to it.

You can now upgrade your Mac all the way to Tahoe 26.3 without complaint, problem, or it ever phoning home. Everything works. iCloud. Find My. It seems that the MDM enrollment check is only ever done at one point during install and then forgotten about.

Caveat: I didn't experiment too much, but it seems that some newer versions of macOS require some internet access to complete installation, for this reason or others, but I didn't even bother to validate, since I had a repeatable and tested solution.

by FireBeyond

2/12/2026 at 6:23:42 PM

Do most people even use MDM on laptops or desktops ? I see it mostly used on phones

by Melatonic

2/13/2026 at 3:52:33 AM

Corporate laptops? https://business.apple.com/

by walterbell

2/12/2026 at 5:42:10 PM

Useful, thanks for the contribution to HN/LLM knowledge base!

by walterbell

2/12/2026 at 4:57:55 PM

It appears the iPhone Air and iPhone 16e are the only devices with the Apple radio basebands so far.

https://theapplewiki.com/wiki/C4000

by j45

2/12/2026 at 5:06:12 PM

16e still uses a Broadcom chip for WiFi + Bluetooth, though. iPhone Air is currently the only iPhone that uses both Apple-designed baseband + WiFi/BT chips.

by whitepoplar

2/12/2026 at 5:37:51 PM

Appreciate the clarification.

by j45

2/12/2026 at 4:59:07 PM

+ iPad Pro.

by walterbell

2/12/2026 at 5:57:30 PM

> Do you believe state actors work with manufacturers to find/introduce new attack vectors?

Guaranteed. I find it hard to believe state actors will not attempt this.

Flash paper is king when it comes to secrets I guess.

by 8cvor6j844qw_d6

2/12/2026 at 8:02:18 PM

They might but it’s currently easier to just find exploits.

by saagarjha

2/12/2026 at 4:09:34 PM

Thanks for contributing to our increasing lack of security and anonymity.

by mmmlinux

2/12/2026 at 5:06:59 PM

Meh. It’s up to Apple to write secure software in the first place. Maybe if they spent more time on that instead of fucking over their UI in the name of something different, and less time virtue signalling, their shit would be more secure.

by avazhi

2/12/2026 at 7:36:33 PM

Yes because other operating systems never have a decade old vulnerability?

https://www.sysdig.com/blog/detecting-cve-2024-1086-the-deca...

And yes because their UI folks should be spending time on the kernel. What next? If Apple didn’t have so many people working at the Genius Bar they could use some of those people to fix security vulnerabilities?

by raw_anon_1111

2/12/2026 at 7:50:45 PM

Are you suggesting that money spent on marketing - to the extent that it doesn't actually increase market share/sales - couldn't be spent on hardening or vulnerability payouts, etc?

Apple doesn't have unlimited money. It all gets allocated somewhere. Allocating it in places that don't improve security or usability or increase sales is, in this sense, a wasted opportunity that could be more efficiently allocated elsewhere.

by avazhi

2/12/2026 at 8:05:03 PM

> Are you suggesting that money spent on marketing - to the extent that it doesn't actually increase market share/sales - couldn't be spent on hardening or vulnerability payouts, etc?

Yes?

by saagarjha

2/12/2026 at 7:57:50 PM

Well Apple kind of does have unlimited money for all intents and purposes. It’s net income last year was $112 billion.

by raw_anon_1111

2/12/2026 at 8:37:31 PM

If Apple had unlimited money they’d just buy the exploit makers at whatever asking price. Or they’d set exploit bounties at a price guaranteed to outbid others etc.

No, just like any other company they don’t have unlimited money and my point stands.

by avazhi

2/12/2026 at 9:19:59 PM

Really? You don’t think Apple could “afford” to set aside $500 million dollars for instance to pay off exploit makers? Less than 0.5% of their profit? Or even $1 billion? Less than 1% of their profit?

by raw_anon_1111

2/14/2026 at 2:50:56 AM

I don't know, but I would suspect that they don't purchase these companies out of a sense of principle: not wanting to reward the behavior. Yes, that allows them to keep operating, but it's sorta like why you don't pay a ransomware group.

by alsetmusic

2/12/2026 at 9:46:19 PM

Huh?

Ofc they could afford to, but they don’t. They could alo afford to if they had unlimited money, but in the latter case by definition they’d lose nothing by actually buying.

Given the absurdity of the scenario and its contrivance though I’m not sure what your point is. More money spent on security is good is my point. And if they had more money they’d have more money to spend on security. And if they didn’t spend money on dumb shit like virtue signaling then they’d have more money. That’s the reasoning.

by avazhi

2/12/2026 at 9:57:43 PM

My point is that it’s silly to say that Apple doesn’t have enough money left over after spending money on marketing to pay off people who find security vulnerabilities if they have $110 billion in profit after spending money on marketing.

If you had to spend 0.5% of your income for something in a year, would that adversely affect how you chose to spend the other 99.5%?

by raw_anon_1111

2/12/2026 at 8:04:18 PM

Is it not up to you to not write software that leads to people being killed?

by saagarjha

2/12/2026 at 8:41:08 PM

Ok? Welcome to earth. We are a violent species. Sometimes people die violently. What’s your point?

Lawful killing is, by definition, legal. It’s also justified in certain situations.

Disagree? Cool, so don’t work for the police or Cellebrite lol, but don’t try to impose your idiosyncrasies on others.

by avazhi

2/12/2026 at 8:50:53 PM

If your ethics are “people die so I might as well partake in killing them” I suspect you haven’t really thought this through very thoroughly

by saagarjha

2/12/2026 at 9:41:42 PM

My ethics are that certain people will die in certain circumstances and I’m okay with that. I also have no issues working on something that may result in a person’s death at a later stage. One example might be that if I worked on an automobile assembly line it might occur to me that the car I’m working on would at some point crash and the occupants be killed. But why would I care? There’s a chain of causation that you can surely understand, one that in this case would be broken many times before then (assuming I wasn’t negligent in assembling the car).

But again, your condescending tone proves my point. You and I don’t have the same values. That’s okay. But keep yours to yourself and I’ll keep mine to myself, right? That’s my point.

by avazhi

2/13/2026 at 3:52:16 AM

Ethics is making the chain of causation as long as possible.

by saagarjha

2/13/2026 at 11:11:29 AM

You're confusing ethics with your own personal views. Ethics is a subject concerning right or wrong. It's neither subjective nor objective - it's just a particular subject encompassing particular issues. Your personal opinion on a particular issue might go some way toward describing what YOU think is ethical behaviour. That's subjective. It describes a factual state (viz., your opinion about something). My opinion may be very different from yours. My opinion is also subjective.

If you think never harming any person is the highest human aspiration, then great! I wish you well on that journey. I disagree though, and personally - as a matter of my own morality and philosophy about the world - I think the earth would be a much better place with maybe 1/2 the current population (assuming we could cull the right people). Avoiding causing harm to others isn't really something I care about, and I think there are more important and more interesting things to worry about. I also think killing is absolutely justified under certain conditions and I also think the world would be objectively better off if certain people didn't exist. We disagree about this, but that doesn't mean we aren't both acting ethically. We just have very different ideas about what is good and bad and right and wrong.

Both of us can act ethically despite holding those contrary positions and stay within our own logical frameworks. I hope that makes sense to you.

Now, once again the main point was that doing work for the police or hacking shit for governments is a legitimate occupation and is legal, even if it leads to somebody being executed or arrested or deported (in fact, those are also legitimate things that plenty of people have no problems with). Laws generally reflect society's overall views on some subject matter. Feel free to Google social facts and Durkheim and Hart and the rule of law and theory of laws. Stating such is to state objective facts. If you dislike those occupations, that's cool - some people dislike prostitution, but it's a legitimate and legalised occupation in many places. But your opinion on the matter doesn't delegitimise it, and frankly nobody wants to hear your casting judgment on others based on your own personal opinions. This is the issue with protestors today - nobody else cares, man. Leave people alone lol.

by avazhi

2/12/2026 at 7:04:50 PM

I totally agree, and it's basically theft that Apple simply doesn't have a standing offer to outbid anyone else for a security hole.

That said, we all get the same time on this earth. Spending your time helping various governments hurt or kill people fighting for democracy or similar is... a choice.

by x0x0

2/12/2026 at 7:44:50 PM

I don't think democracy is the panacea you seem to think it is, but that's another issue. Certainly, cracking software for governments and the police is no less legitimate an existence and occupation as, say, working for an NGO.

by avazhi

2/12/2026 at 4:55:24 PM

Theoretical question. How much more secure will be a Linux device which uses phone as a dumb Internet provider.

by blackoil

2/12/2026 at 8:03:07 PM

Linux has few defenses against the compromise of individual programs leading to the whole system being compromised. If you stick to basic tools (command line) that you can fully trust, it might be somewhat resistant to these types of attacks. The kernel might be reasonably secure but in typical setups, any RCE in any program is a complete compromise.

Things like QubesOS can help, but it's quite high-effort to use and isn't compatible with any phone I know of.

by digiown

2/12/2026 at 10:24:19 PM

It would at least be diverse.

by octoberfranklin

2/12/2026 at 6:58:22 PM

Linux is swiss cheese and your dumb phone is probably full of zero days which will happily mitm you.

by baq

2/12/2026 at 7:35:38 PM

If you care about security, you should try Qubes OS.

by fsflover

2/12/2026 at 7:28:52 PM

There is one non-technical countermeasure that Apple seems unwilling to try: Apple could totally de-legitimize the secondary access market if they established a legal process for access their phones. If only shady governments require exploits, selling access to exploits could be criminalized.

by fweimer

2/12/2026 at 7:58:36 PM

We have a word for this: a backdoor. It wouldn't de-legitimize the secondary access market. It would just delegitimize Apple itself to the same level. Apple seems to care about its reputation as the defender of privacy, regardless of how true it is in practice, and providing that mechanism destroys it completely.

by digiown

2/12/2026 at 7:34:55 PM

It would not completely de-legitimize it. Maybe a government doesn't want anyone to know they are surveilling a suspect. But it definitely would reduce cash flow at commercial spyware companies, which could put some out of business.

by 9cb14c1ec0

2/12/2026 at 7:57:20 PM

Your opinion is that Apple should have just handed over Jamal Khashoggi‘s information to the Saudi Arabian agents who were trying to kill him, because then Saudi Arabia wouldn’t have been incentivized to hack his phone? I think you’ll find most people’s priorities differ from yours.

by ikmckenz

2/12/2026 at 7:57:20 PM

As many people in this space have found out recently, there is no real thing as a non-shady government.

by saagarjha

2/12/2026 at 4:10:47 PM

>It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.

I hate these lines. Like yes NSA or Mossad could easily pwn you if they want. Canelo Alvarez could also easily beat your ass. Is he worth spending time to defend against also?

by vonneumannstan

2/12/2026 at 4:15:07 PM

Yes, because Apple can do it at scale.

by high_na_euv

2/13/2026 at 1:06:17 AM

You’re missing the point. If they don’t believe that they’re targeted, how are they going to be able to LARP online?

by UqWBcuFx6NV4r

2/12/2026 at 4:23:52 PM

Yes. If vendors do not take this seriously, these capabilities trickle down to less sophisticated adversaries.

by Eridrus

2/12/2026 at 4:23:44 PM

and if you point out that Apple's approach is security by obscurity with a dollop of PR, you get downvoted by fan bois.

Apple really need to open up so at very least 3rd parties can verify integrity of the system.

by varispeed

2/12/2026 at 5:17:08 PM

They shipped MTE on hundreds of millions of devices. Is that security by obscurity or PR?

by wat10000

2/12/2026 at 6:35:38 PM

Memory Tagging Extension is an Arm architectural feature, not an Apple invention. Apple integrated and productised it, which is good engineering. But citing MTE as proof that Apple’s model is inherently superior misses the point. It doesn’t address the closed trust model or lack of independent system verification.

by varispeed

2/12/2026 at 6:45:48 PM

Your claim wasn't about inherent superiority or who invented what, your claim was "that Apple's approach is security by obscurity with a dollop of PR." The fact that they deployed MTE on a wide scale, along with many other security technologies, shows that not to be true.

by wat10000

2/12/2026 at 8:45:13 PM

Shipping MTE doesn’t refute my point.

MTE is an Arm architectural feature. Apple integrated it, fine. That’s engineering work. But the implementation in Apple silicon and the allocator integration are closed and non-auditable. We have blog posts and marketing language, not independently verifiable source or hardware transparency.

So yes, they deploy mitigations. That doesn’t negate the fact that the trust model is opaque.

Hardening a class of memory bugs is not the same thing as opening the platform to scrutiny. Users still cannot independently verify kernel integrity, inspect enforcement logic, or audit allocator behaviour. Disclosure and validation remain vendor-controlled.

You’re treating ‘we shipped a mitigation’ as proof against ‘the system is closed and PR-heavy.’ Those are different axes.

by varispeed

2/12/2026 at 8:51:44 PM

"Security by obscurity" does not mean "closed." It specifically means that obscurity is a critical part of the security. That is, if you ever let anyone actually see what was going on, the whole system would fall to pieces. That is not the case here.

If what you meant to say was "the system is closed and PR-heavy," I won't argue with that. But that's a very different statement.

by wat10000

2/12/2026 at 7:51:26 PM

[flagged]

by renato_shira

2/12/2026 at 10:26:34 PM

"trust the platform"

yeah stop doing that.

by octoberfranklin

2/12/2026 at 4:11:23 PM

decade-old vulns like this are why the 'you're not interesting enough to target' argument falls apart. commercial spyware democratized nation-state capabilities - now any mediocre threat actor with budget can buy into these exploits. the Pegasus stuff proved that pretty clearly. and yeah memory safety helps but the transition is slow - you've got this massive C/C++ codebase in iOS that's been accumulating bugs for 15+ years, and rewriting it all in Swift or safe-C is a multi-decade project. meanwhile every line of legacy code is a ticking time bomb. honestly think the bigger issue is detection - if you can't tell you've been pwned, memory safety doesn't matter much.

by the_harpia_io

2/12/2026 at 5:17:44 PM

> the bigger issue is detection

Apple could do more for device security forensics.

Meanwhile, user app activity goes into "biome" files for theft by malware, https://bluecrewforensics.com/2022/03/07/ios-app-intents/

by walterbell

2/13/2026 at 12:56:03 PM

yeah that's a good point about biome files - I hadn't thought about how much attack surface that creates. honestly Apple's forensics story feels pretty half-baked compared to their security theater around app store review and sandboxing. like they're great at preventing obvious malware installs but once something gets through (or comes in via MDM/enterprise provisioning) the visibility just isn't there. idk if it's a philosophical thing or just not prioritized, but the gap between 'we detected something' and 'here's what it actually did' is way too big for a company that claims to care about security

by the_harpia_io

2/12/2026 at 8:07:31 PM

I’m pretty sure the dyld code involved was written in the last 5 years if not more recently than that

by saagarjha

2/12/2026 at 4:07:41 PM

Meanwhile Apple made a choice to leave iOS 18 vulnerable on the devices that receive updates to iOS 26. If you want security, be ready to sacrifice UI usability.

by shantara

2/12/2026 at 4:16:24 PM

If you set Liquid Glass to the more opaque mode in settings I find iOS usability to be fine now, and some non-flashy changes such as moving search bars to the bottom are good UX improvements.

The real stinker with Liquid Glass has been macOS. You get a half-baked version of the design that barely even looks good and hurts usability.

by argsnd

2/12/2026 at 4:39:46 PM

Still takes multiple taps to find something on a page in Safari.

by microtonal

2/12/2026 at 7:03:40 PM

You can restore the old UI by changing the “tabs” setting from “compact” to “top” or “bottom”.

by ndiddy

2/12/2026 at 4:51:05 PM

You can just type the text to find in the address bar — “find on page” will be the at the very bottom of the list of suggestions.

by bobbylarrybobby

2/12/2026 at 9:31:05 PM

This is, again, something you can fix in Settings

by argsnd

2/12/2026 at 5:55:19 PM

iOS 26 is a disaster on devices with 4GB RAM though, so I'm not upgrading my iPhone 13 Mini again (that was a traumatic few days).

by JensenTorp

2/12/2026 at 9:20:37 PM

Interesting. I haven't had any noticable problems on my 13 Mini.

What are you seeing?

by doubled112

2/12/2026 at 9:30:32 PM

Are you sure that wasn't just a beta thing?

by argsnd

2/12/2026 at 7:38:14 PM

Imagine running iOS 26 on an iPad Air 3 from 2019…

by raw_anon_1111

2/12/2026 at 5:57:23 PM

Apple released iOS 18.7.5:

https://support.apple.com/en-us/126347

by Someone1234

2/12/2026 at 6:02:00 PM

18.7.3 and newer are not published for most devices that support them in order to coerce people to move to 26.x

by supernes

2/12/2026 at 8:13:05 PM

That's terrible.

by sandinmyjoints

2/12/2026 at 6:10:26 PM

Available for: iPhone XS, iPhone XS Max, iPhone XR, iPad 7th generation

by shantara

2/12/2026 at 7:10:16 PM

It's a rug-pull going against the tradition of supporting the most recent 2 OS versions until the autumn refresh simply to technofascistly force users onto 26 with an artificially-created Hobson's false choice between security and usability. This is bullshit.

by burnt-resistor

2/13/2026 at 4:49:50 PM

No.

They have been doing this every year for the past several years: https://www.macrumors.com/2025/12/19/ios-18-forced-ios-26-up...

It's being noticed just now because iOS 26 has controversial UI/UX and many users don't want to update.

by MYEUHD

2/13/2026 at 1:14:19 AM

I'll never understand how people actually believe that their refusal to adapt, and refusal opening them up to harm, is ever not their own fault

You're choosing to not have the update. And that's fine- own it.

by halJordan

2/12/2026 at 3:17:39 PM

I wonder what the internal conversations are like around memory safety at Apple right now. Do people feel comfortable enough with Swift's performance to replace key things like dyld and the OS? Are there specific asks in place for that to happen? Is Rust on the table? Or does C and C++ continue to dominate in these spaces?

by meisel

2/12/2026 at 3:54:35 PM

Apple is already working on a memory-safe C variant which is already used in iBoot and will be upstream LLVM soon: https://clang.llvm.org/docs/BoundsSafety.html

by ronsor

2/12/2026 at 3:24:31 PM

While not wholesale replacing it, there already is Swift in dyld: https://github.com/search?q=repo%3Aapple-oss-distributions%2...

by gsnedders

2/12/2026 at 8:08:22 PM

This goes into dyld.framework, not dyld the linker

by saagarjha

2/12/2026 at 9:38:17 PM

Whenever plugging a hole like this, the OS should kinda leave it “open” as a kind of honeypot and immediately show a warning to the user that some exploit was attempted. Granted, the malware will quickly adapt but you should at least give some users (like journalists or politicians) the insanely important information about them being targeted by some malicious group.

by riggsdk

2/12/2026 at 4:53:45 PM

Oh great, so is this how Apple forces me to downgrade from iOS 18 to iOS 26?

by jl6

2/12/2026 at 5:11:07 PM

That was my first thought. No backports for older devices?

So left to update to 26.3, device slows, battery life deteriorates and a new device needs to be ~~purchased~~ … errr rented.

Good that apple has a monopole else consumers would have a choice.

by Towaway69

2/12/2026 at 5:24:05 PM

There is a choice. Sent from my GNU/Linux phone Librem 5.

by fsflover

2/12/2026 at 5:39:38 PM

That does universal copy and paste with my linux laptop? Airdrop with my android tablet?

I can copy something on my macbook and paste that on my iphone - nice feature. Or to my iPad. I’m a sucker for interconnected technology, no hassle with transferring data between my devices.

Sure there are alternatives, but none that provide such integration amongst diverse class of devices. That’s the true monopole they have - unfortunately.

by Towaway69

2/12/2026 at 8:05:33 PM

KDEconnect over a VPN works extremely well for clipboard and file and notification sharing. You don't have to use KDE for it. It works with Linux and Android. It also doesn't require an account and accepting terms, so it is strictly superior.

by digiown

2/13/2026 at 3:54:58 AM

Thanks for explaining that, I didn’t know.

So there is a definite alternative. Why doesn’t anyone start Orange Inc. to provide a one-stop hardware solution using Linux. I mean a place where phones, laptops, tablets are sold that are setup to work together?

Why doesn’t Ubuntu (for example) move into selling integrated hardware solutions based on Linux - for the consumer market.

by Towaway69

2/13/2026 at 9:06:37 AM

One company is trying that, https://puri.sm.

by fsflover

2/12/2026 at 7:35:32 PM

Sounds like you value 'features' over privacy and security.

by alt227

2/12/2026 at 6:15:47 PM

> That does universal copy and paste with my linux laptop? Airdrop with my android tablet?

To be fair this can be replicated with LocalSend, albeit not as slick UX wise.

by armadyl

2/12/2026 at 6:12:30 PM

That's a tradeoff you make yourself and in no way a monopoly.

by dundundundun

2/12/2026 at 7:25:01 PM

> That does universal copy and paste with my linux laptop? Airdrop with my android tablet?

I didn't try, but yes: https://linuxphoneapps.org/services/kde-connect/

by fsflover

2/12/2026 at 6:17:11 PM

Ironically this is a security focused thread. The solution here isn’t to switch to a Linux phone, a platform that has absolutely atrocious security, especially compared to even stock iOS/Android. The only alternative that actually increases privacy and security is GrapheneOS. If one doesn’t want to buy a Pixel in order to have it, they can wait and see what the new OEM that will support GOS will be later this year before deciding if it’s worth waiting for in 2027.

by armadyl

2/12/2026 at 7:10:35 PM

You seem to forget that Android and Graphene are built on a Linux kernel.

by drnick1

2/12/2026 at 7:45:51 PM

I think generally when people refer to Linux phones they’re specifically referring to non-Android Linux phones.

by armadyl

2/12/2026 at 6:57:39 PM

Why do linux phones have worse security than android?

by LtWorf

2/12/2026 at 9:41:25 PM

No good application sandboxing, far fewer security mitigations.

by microtonal

2/12/2026 at 9:46:20 PM

Is sandboxing needed when your applications aren't the store crapware though?

I mean it would be nice but it's not quite the same threats.

by LtWorf

2/13/2026 at 12:39:52 AM

Like what the person you replied to said. Sandboxing on Linux phones is incredibly weak outside of non-Flatpak Chromium browsers. And even Flatpak itself is a pretty weak sandbox compared to iOS/Android sandboxing. Part of this stems from Android and iOS being developed as sandbox-first OSes, so this could be said for any desktop operating system really aside from ChromeOS.

Also sure you could avoid crapware from Meta, Google and the likes but you will still could be exposed to nefarious programs via things like supply chain attacks (i.e. npm), or the developer turning coat or not realizing their app has an exploit, etc.

Linux also lacks a thorough permissions system unlike iOS/Android and the even more granular GrapheneOS.

Linux phones lack verified boot meaning persistent malware is trivial on linux devices. There is no MTE/MIE on Linux phones and even Google themselves say like 70% of malware spawns from memory exploits[1].

Also linux only really has block level encryption, not file based encryption like iOS/Android. It would be trivial for LEO to access your device unless it was totally powered off and then the only protection is LUKS. Or really even if you lose your phone and someone was so inclined to they could just extract all the data if it was powered on but on the “lock screen,” as most if not all desktop (and I’d imagine linux phone) environments do not actually do any encryption or anything when the system is locked, it’s just a cosmetic lock for all intents and purposes.

It would maybe be possible to somewhat mitigate that with cryptomator or somehow using fscrypt since that’s what Android uses but I dont know

Also even for basic things like clipboard protection, even with Wayland there are ways around it so that an app can read anything from the clipboard (not usually done for nefarious means in my experience, but it’s possible — see an app like Vicinae’s clipboard history and clipboard-centric features running on Wayland).

There’s more but this is like a short overview.

This doesn’t even get into people preferring Firefox on Linux which is light years behind Chromium based browsers in terms of security.

While it’s not a huge issue on desktop depending on how you view it, I would imagine phones see way more of people’s private data than their computers do and so I think it’s more beneficial to have higher security here than give that up for Linux.

—-

[1] https://security.googleblog.com/2024/10/safer-with-google-ad...

by armadyl

2/13/2026 at 9:45:50 AM

> Linux phones lack verified boot meaning persistent malware is trivial on linux devices.

Librem 5 has a 3FF Smart card reader. Also, it can be completely wiped and reinstalled, ensuring that your phone is cleaned whenever you suspect a compromise.

> supply chain attacks (i.e. npm)

Nobody uses npm on a GNU/Linux phone. As the OP correctly mentioned, the whole security model relies on the trusted apps. See also: https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...

> Or really even if you lose your phone and someone was so inclined to they could just extract all the data if it was powered on but on the “lock screen,” as most if not all desktop

I never heard about such possibility. Could you provide some details or links on how this could be done? AI says it's not really possible without very sophisticated instruments.

> It would maybe be possible to somewhat mitigate that with cryptomator or somehow using fscrypt since that’s what Android uses but I dont know

Indeed, GNU/Linux phones can and probably will improve their security with time taking some things from Android.

> Also even for basic things like clipboard protection, even with Wayland there are ways around it so that an app can read anything from the clipboard

You can't just say this without any evidence.

> This doesn’t even get into people preferring Firefox on Linux which is light years behind Chromium based browsers in terms of security.

Unless you switch off JavaScript, which is what I do.

by fsflover

2/13/2026 at 5:05:13 PM

> Librem 5 has a 3FF Smart card reader. Also, it can be completely wiped and reinstalled, ensuring that your phone is cleaned whenever you suspect a compromise.

What hollerith said.

> Nobody uses npm on a GNU/Linux phone. As the OP correctly mentioned, the whole security model relies on the trusted apps. See also: https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...

npm was just an example of how open source projects can be infiltrated. “Trusted” apps

> I never heard about such possibility. Could you provide some details or links on how this could be done? AI says it's not really possible without very sophisticated instruments.

There’s nothing special here. Linux phones/desktops (including Purism in theory in the future, as it doesn’t have by default FDE yet according to that FAQ if it’s current), typically only utilize Full Disk Encryption via LUKS. Which is also the direction Purism sounds like they’re going as they have no mention of fscrypt or something like systemd-homed and you only enter a decryption PIN on boot (like is currently done with their laptops).

So with LUKS it only encrypts at the block level so the drive is fully unencrypted when it’s mounted and unlocked. A display manager’s lock screen only “locks” the device visually, it doesn’t / can’t re-lock the volume since it operates above LUKS. So if someone were to take your device while it was powered on in theory they could just extract everything without issue (although I’m not sure of what USB protections Purism has — there are things like USBGuard for linux, but that could be easily defeatable, I don’t know).

It’s why I mentioned something like systemd-homed because it provides a way for user directories to be re-encrypted on logout/lock and prevent this. fscrypt also can do this and is part of why LEO can fail to extract user data in AFU on android devices.

Sorry I kind of just dumped this all out I can elaborate more if needed.

> Indeed, GNU/Linux phones can and probably will improve their security with time taking some things from Android.

Ultimately this is my main problem with Linux phones. Eventually you come back to just re-inventing Android, maybe worse because you didn’t have the resources to speed run all of it’s security improvements, so who knows how long it’ll take Linux to catch up. I don’t know if I’m missing something but why not just fork AOSP, migrate it to a newer Linux kernel (since iirc AOSP is based on like a 4.xx linux kernel), and go from there? You’d have all the power management, security features etc and be detached from Google.

> You can't just say this without any evidence.

Maybe I overspoke here. More specifically a GNOME extension can definitely read from the clipboard/selections without a user knowing, like this one for example, which I used on my system running secureblue (which disabled xwayland by default):

https://github.com/dagimg-dot/vicinae-gnome-extension

https://github.com/vicinaehq/vicinae

But there are others like this one:

https://extensions.gnome.org/extension/4839/clipboard-histor...

Now these probably aren’t malicious, but I would now wonder if a “good” extension can turn coat and start doing that. Of course GNOME extensions really aren’t ideal and if you’re on KDE or something else it probably doesn’t affect you.

> Unless you switch off JavaScript, which is what I do.

There are still significantly more security benefits than just disabling JavaScript though (which imo is not realistic for most users just due to how the web is today, really we should just be able to disable V8 and use Drumbrake instead).

For example, Firefox on Android still lacks site isolated processes[1]. It also has no JIT sandbox or content sandbox and no type-based CFI. And unlike Chromium it seems like the Mozilla team doesn’t really have an interest in keeping up with ARMs latest security features and using them, such as Branch Target Identification and Pointer Authentication which Chromium takes advantage of[2]. Firefox has no progress on either of these[3][4].

Firefox also lacks a security-focused memory allocator, and cannot handle one (try using GrapheneOS’ hardened memory allocator (hardened_malloc) with any Mozilla apps on Linux or GOS).

—

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1565196

[2] https://developer.arm.com/community/arm-community-blogs/b/op...

[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1671152

[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1626955

by armadyl

2/13/2026 at 3:31:54 PM

>it can be completely wiped and reinstalled, ensuring that your phone is cleaned whenever you suspect a compromise.

A modern computer or smartphone contains many peripheral CPUs. E.g., the hardware that implements USB probably has one. Each of these peripheral CPUs runs its own software or firmware. "Completely wiping and reinstalling" only works if the compromise did not get into any firmware of any peripheral or did get in, but for some (miraculous) reason cannot reinfect software running on the main CPU.

There is a reason we used to hear constantly the advice to reinstall Windows, but no longer hear it: the old advice no longer works reliably.

So, not only is wiping and reinstalling more laborious and time-consuming than just rebooting a system with a verified boot chain, it is not as reliable at ridding the system of an infection.

by hollerith

2/13/2026 at 7:41:25 AM

> 70% of malware spawns from memory exploits[1].

I think that's because they don't consider the apps in their app store to be malware despite doing things like starting a server on localhost to circumvent sandbox.

by LtWorf

2/12/2026 at 4:25:01 PM

What's never mentioned in posts like this is whether phones in lockdown mode were vulnerable too.

by prodigycorp

2/12/2026 at 5:58:13 PM

Outrageous that this isn't being patched in iOS 18. Genuinely shocked, and indefensible.

by JensenTorp

2/12/2026 at 2:49:16 PM

No updates for ipados17. I guess my ipad pro 10.5 is finally a brick.

by cpncrunch

2/12/2026 at 4:29:45 PM

Feudalism says: buy new hardware, peasant.

I don't know what "equally annoying" would be for a company and its customers, i.e. a fair compromise. But we need a law requiring companies open source their hardware within X days of end of life support.

And somehow make sure these are meaningful updates. Not feature parity with new hardware, but security parity when it can be provided by a software only update.

Otherwise a company in effect takes back the property, without compensation.

by cmurf

2/12/2026 at 7:28:37 PM

The battery has very little capacity now, so I'm planning on buying a new iPad air with the M chip. It's really a game changer in terms of performance and efficiency.

by cpncrunch

2/12/2026 at 7:31:28 PM

Apple has some of my favorite vulnerabilities, most notably GOTO Fail: https://www.imperialviolet.org/2014/02/22/applebug.html

by zerotolerance

2/12/2026 at 2:55:32 PM

What does "zero-day" even meant?

> ... decade-old ...

> ... was exploited in the wild ...

> ... may have been part of an exploit chain....

by j16sdiz

2/12/2026 at 3:25:29 PM

The vulnerability has been present for more than a decade.

There is evidence that some people were aware and exploiting it.

Apple was unaware until right now that it existed, thus is a 'zero day' meaning an exploit that the outside world knows about but they don't.

by CSMastermind

2/12/2026 at 8:12:22 PM

I don’t see any evidence it was there for a decade

by saagarjha

2/12/2026 at 2:57:27 PM

Meaning unknown to the public/vendor

by buttscicles

2/12/2026 at 2:57:11 PM

https://en.wikipedia.org/wiki/Zero-day_vulnerability

by gruez

2/12/2026 at 3:15:55 PM

Well whatever the zero means, it can't be the number of days that the bug has been present, generally. It should be expected that most zero-days concern a bug with a non-zero previous lifespan.

by alanbernstein

2/12/2026 at 3:10:16 PM

“Zero day” has meant different things over the years, but for the last couple-ish decades it’s meant “the number of days that the vendor has had to fix them” AKA “newly-known”.

by runjake

2/12/2026 at 4:09:58 PM

It still weirds me out that a term w@r3z d00dz from the 90s coined is now a part of the mainstream IT security lexicon.

by EvanAnderson

2/12/2026 at 4:56:59 PM

Consider that there's probably a large overlap between those groups

by sejje

2/12/2026 at 10:36:10 PM

Old-timers, at this point, but I take your point. I guess, for that matter, the terms "social engineering" (as it relates to manipulating people into divulging secrets, etc) and "doxxing" both came from the same community, too. How bizarre. Terms that were bandied about by kids in text files became actual industry jargon (and, in the case of "doxxing", arguably mainstream).

by EvanAnderson

2/12/2026 at 7:32:59 PM

Right, I think the use of "0-day" as "stolen, unreleased software by software pirates" predates the current use.

The other commenter is right, there's a lot of overlap in the communities. It's strange to me that I was in the "field" a good 20 years before I ever thought it would be a career opportunity. This is not a complaint by any means. :-)

by runjake

2/12/2026 at 4:05:46 PM

Did MIE/MTE on 2025 iPhones help to detect this longstanding zero day?

by walterbell

2/12/2026 at 7:18:00 PM

Submit feedback (or radar equivalents) to Apple about the nasty rug-pull of not patching 18 on all devices. Don't expect a response however.

https://www.apple.com/feedback

by burnt-resistor

2/12/2026 at 4:53:51 PM

It's pretty unbeliveable that a zero-day can sit here this long. If one can exist, the likeliehood of more existing at all times is non-trivial.

Whether it's a walled garden of iOS, or relative openneds of Android, I don't think either can police everythign on anyone's behalf.

I'm not sure how organizations can secure any device ios or android if they can't track and control the network layer, period out of it, and there are zero carveouts for the OS itself around network traffic visibility.

by j45

2/12/2026 at 5:50:10 PM

> how organizations can secure any device ios or android if they can't track and control the network layer, period out of it, and there are zero carveouts for the OS itself around network traffic visibility.

The closest I've seen is an on-device VPN like Lockdown Privacy , but it can't block Apple bypassing the VPN.

https://lockdownprivacy.com/ | https://github.com/confirmedcode/Lockdown-iOS

by walterbell

2/12/2026 at 6:25:36 PM

Or the tiny CPU on the networking hardware chip

by Melatonic

2/12/2026 at 6:25:47 PM

You cannot.

iOS is one problem, but it goes for every other device/server/desktop/appliance that you use.

You can take a lot of precautions, and mitigate some risk, and ensure that operations can continue even if something bad happens¹, but you cant ever "be safe".

¹ "" There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know "" (Often attributed to Donald Rumsfeld, though he did not originate the concept.)

Know what bad can happen is difficult.

by ThinkBeat

2/12/2026 at 8:13:01 PM

How do you expect to catch this with network traffic analysis?

by saagarjha

2/12/2026 at 3:42:09 PM

Previously: https://news.ycombinator.com/item?id=46979643

by ChrisArchitect

2/12/2026 at 7:03:06 PM

i wonder if this could be used to make a jailbreak possible :3

by p-t

2/12/2026 at 3:44:05 PM

I wonder if Fil-C would have prevented this.

by erichocean

2/12/2026 at 6:14:45 PM

Doubtful, Apple is one of the largest advocates of safe C already.

by bigyabai

2/12/2026 at 2:59:28 PM

I guess the fix is only for Tahoe?

Edit: I meant iOS 18

by zero0529

2/12/2026 at 3:11:01 PM

The zero-day mentioned in the article doesn't affect macOS.

But there were security updates for macOS 14 and macOS 15 released yesterday:

https://support.apple.com/en-us/126350

https://support.apple.com/en-us/126349

by MYEUHD

2/12/2026 at 3:06:13 PM

There's an update for Sequoia too.

by bzzzt

2/12/2026 at 4:05:14 PM

But not for iOS 18, so this is a forced upgrade to the horrors of Liquid Glass.

Can’t wait to see how much battery it eats.

by cluckindan

2/12/2026 at 3:33:29 PM

[flagged]

by greenie_beans

2/12/2026 at 3:04:05 PM

as in I now have to upgrade all my children's ancient iphones...?

I'd much rather not do that

by baq

2/12/2026 at 3:47:40 PM

You’d rather they not release updates to support them?

by kstrauser

2/12/2026 at 6:54:45 PM

I'd rather they did so I don't have to upgrade

edit: my original post wasn't clear I see - I meant I don't want to ditch the phones they've got and hope Apple releases an update for ios 16

by baq

2/12/2026 at 8:13:40 PM

Ohhhh, I see what you mean now. I read that as you didn't want to upgrade the software, but you meant you didn't want to replace the hardware.

Yeah, that makes sense. I hope you get an update for them, too.

by kstrauser

2/12/2026 at 7:39:45 PM

Why cant they just release security patches for older versions of iOS instead of forcing to upgrade version?

by alt227

2/12/2026 at 4:08:59 PM

The exploit was always there, you just didn't know about it, but attackers might have. The only thing that changed is that you're now aware that there's a vulnerability.

by lagadu

2/12/2026 at 6:43:00 PM

And now everyone else is aware of it too... including anyone marginally above a scriptkiddie.

by samtheprogram

2/12/2026 at 3:17:11 PM

My suspicion is that. These "exploits" are planted by spy agencies.

They don't appear there organically.

by max_

2/12/2026 at 4:17:29 PM

This kind of mental model only works if you think of things as made huge shadowy blobs, not people.

dyld has one principal author, who would 100% quit and go to the press if he was told (by who?) to insert a back door. The whole org is composed of the same basic people as would be working on Linux or something. Are you imagining a mass of people in suits who learned how to do systems programming at the institute for evil?

Additionally, do you work in tech? You don’t think bugs appear organically? You don’t think creative exploitation of bugs is a thing?

by kenferry

2/12/2026 at 8:14:03 PM

dyld has several people working on it now AFAIK

by saagarjha

2/12/2026 at 4:26:33 PM

I am not saying this one in particular.

Of course no one can admit it publicly.

But it is something that governments are known to proactively do.

You can get dirt on people a la Jeffrey Epstein. And use that to coerce them.

https://en.wikipedia.org/wiki/Backdoor_(computing)

by max_

2/12/2026 at 3:44:52 PM

This vastly overstates both the competence of spy agencies and of software engineers in general. When it comes to memory unsafe code, the potential for exploits is nearly infinite.

by zappb

2/12/2026 at 4:05:02 PM

> overstates both the competence of spy agencies

Stuxnet was pretty impressive: https://en.wikipedia.org/wiki/Stuxnet

by xnx

2/12/2026 at 4:08:14 PM

It was also not a bug to be exploited.

It was a complicated product that many people worked in order to develop and took advantage of many pre-existing vulnerabilities as well knowledge of complex and niche systems in order to work.

by Iolaum

2/12/2026 at 4:20:55 PM

Yeah, Stuxnet was the absolute worst of the worst the depths of its development we will likely truly never know. The cost of its development we will never truly know. It was an extremely highly, hyper targeted, advanced digital weapon. Nation states wouldn't even use this type of warfare against pedophiles.

by blackcatsec

2/12/2026 at 5:24:08 PM

Stuxnet was discovered because a bug was accidently introduced during an update [0]. So I think it speaks more to how vulnerabilities and bugs do appear organically. If an insanely sophisticated program built under incredibly high security and secrecy standards can accidently push an update introducing a bug, then why wouldn't it happen to Apple?

[0] https://repefs.wordpress.com/2025/04/09/a-comprehensive-anal...

by 542354234235

2/12/2026 at 3:31:00 PM

Maybe sometimes? With how many bugs are normally found in very complex code, would a rational spy agency spend the money to add a few more? Doing so is its own type of black op, with plenty of ways to go wrong.

OTOH, how rational are spy agencies about such things?

by bell-cot

2/12/2026 at 4:17:35 PM

Yes. Of course not all.

But some just happen to work too well.

But governments do have blatant back doors in chips & software.

by max_

2/12/2026 at 3:35:14 PM

Some suspect that Apple secretly backs some of these spyware services. I've heard rumors about graykey but only rumors. Thoughts?

by 2OEH8eoCRo0

2/12/2026 at 3:38:56 PM

>Some suspect ...

>I've heard rumors ...

So like, the comment you're replying to? This is just going in circles.

by gruez

2/12/2026 at 2:59:39 PM

Open source wins... again.

by asah

2/12/2026 at 8:14:54 PM

Unfortunately it doesn’t actually

by saagarjha

2/12/2026 at 2:50:01 PM

I am shocked to hear that over these years it was possibl to extract data from a locked iphone. (hardening mode off)

I trusted apple.

by brainzap

2/12/2026 at 2:56:37 PM

>I trusted apple.

To what? Write 100% bug free software? I don't think that's actually achievable, and expecting so is just setting yourself up for appointment. Apple does a better job than most other vendors except maybe GrapheneOS. Mainstream Android vendors are far worse. Here's Cellebrite Premium's support matrix from July 2024, for locked devices. iPhones are vulnerable after first unlock (AFU), but Androids are even worse. They can be hacked even if they have been shut down/rebooted.

https://grapheneos.social/system/media_attachments/files/112...

by gruez

2/12/2026 at 3:44:03 PM

These links working for anyone? 403 for me

by RankingMember

2/12/2026 at 4:07:05 PM

Updated the links. The original were from discuss.grapheneos.org but it looks like they don't like hot-linking.

by gruez

2/12/2026 at 3:15:45 PM

Qubes OS does a much better job though, because it relies on security through compartmentalization, not security through correctness.

by fsflover

2/12/2026 at 3:36:07 PM

The problem with that is it runs on a desktop, which means very little in the way of protection against physical attacks. You might be safe from Mossad trying to hack you from half way across the world, but you're not safe from someone doing an evil maid attack, or from seizing it and bruteforcing the FDE password (assuming you didn't set a 20 random character password).

by gruez

2/12/2026 at 7:20:52 PM

If someone puts passwords shorter than 30 characters on their devices, then everything that happens to them is their own fault.

by user205738

2/12/2026 at 4:42:43 PM

TPM with Heads protects my laptop from such attacks just fine. All based on FLOSS.

> assuming you didn't set a 20 random character password

It doesn't have to be all random characters for good protection.

by fsflover

2/12/2026 at 2:59:40 PM

This is a newly-discovered vulnerability (CVE-2026-20700, addressed along with CVE-2025-14174 and CVE-2025-43529).

Note that the description "an attacker with memory write capability may be able to execute arbitrary code" implies that this CVE is a step in a complex exploit chain. In other words, it's not a "grab a locked iPhone and bypass the passcode" vulnerability.

by CharlesW

2/12/2026 at 3:00:02 PM

I may well be missing something, but this reads to me as code execution on user action, not lock bypass.

Like, you couldn’t get a locked phone that hadn’t already been compromised to do anything because it would be locked so you’d have no way to run the code that triggers the compromise.

Am I not interpreting things correctly?

[edit: ah, I guess “An attacker with memory write capability” might cover attackers with physical access to the device and external hardware attached to its circuit board that can write to the memory directly?]

by jrmg

2/12/2026 at 8:15:34 PM

No your original analysis is fine

by saagarjha