Apple patches decade-old iOS zero-day, possibly exploited by commercial spyware

www.theregister.com

beardyw

2 hours ago

117points

61 comments

Comments

dudeinhawaii•45 minutes ago

So the exploiters have deprecated that version of spyware and moved on I see. This has been the case every other time. The state actors realize that there's too many fingers in the pie (every other nation has caught on), the exploit is leaked and patched. Meanwhile, all actors have moved on to something even better.

Remember when Apple touted the security platform all-up and a short-time later we learned that an adversary could SMS you and pwn your phone without so much as a link to be clicked.

KSIMET: 2020, FORCEDENTRY: 2021, PWNYOURHOME, FINDMYPWN: 2022, BLASTPASS: 2023

Each time NSO had the next chain ready prior to patch.

I recall working at a lab a decade ago where we were touting full end-to-end exploit chain on the same day that the target product was announcing full end-to-end encryption -- that we could bypass with a click.

It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.

whitepoplar•30 minutes ago

How much do you think Lockdown Mode + MIE/eMTE helps? Do you believe state actors work with manufacturers to find/introduce new attack vectors?

walterbell•23 minutes ago

My iOS devices have been repeatedly breached over the last few years, even with Lockdown mode and restrictive (no iCloud, Siri, Facetime, AirDrop ) MDM policy via Apple Configurator. Since moving to 2025 iPad Pro with MIE/eMTE and Apple (not Broadcom & Qualcomm) radio basebands, it has been relatively peaceful. Until the last couple of weeks, maybe due to leakage of this zero day and PoC as iOS 26.3 was being tested.

whitepoplar•16 minutes ago

Are you a person of high interest? I was under the impression that these sorts of breaches only happen to journalists, state officials, etc.

walterbell•13 minutes ago

Who knows? Does HN count as journalism :)

I would happily pay Apple an annual subscription fee to run iOS N-1 with backported security fixes from iOS N, along with the ability to restore local data backups to supervised devices (which currently requires at least 2 devices, one for golden image capture and one for restore, i.e. "enterprise" use case).

GrapheneOS on Pixel and Pixel Tablet have been anomaly free, but Android tablet usability is about 20% of Apple iPad Pro.

drakenot•16 minutes ago

How can you tell that you were breached?

walterbell•15 minutes ago

Presence of one or more: unexpected outbound traffic observed via Ethernet, increased battery consumption, interactive response glitching, display anomalies ... and their absence after hard reset key sequence to evict non-persistent malware.

acdha•5 minutes ago

How did you link that traffic to malicious activity?

nickburns•7 minutes ago

[delayed]

mmmlinux•34 minutes ago

Thanks for contributing to our increasing lack of security and anonymity.

vonneumannstan•32 minutes ago

>It's worth doing (Apple patching) but a reminder that you are never safe from a determined adversary.

I hate these lines. Like yes NSA or Mossad could easily pwn you if they want. Canelo Alvarez could also easily beat your ass. Is he worth spending time to defend against also?

high_na_euv•28 minutes ago

Yes, because Apple can do it at scale.

Eridrus•19 minutes ago

Yes. If vendors do not take this seriously, these capabilities trickle down to less sophisticated adversaries.

varispeed•19 minutes ago

and if you point out that Apple's approach is security by obscurity with a dollop of PR, you get downvoted by fan bois.

Apple really need to open up so at very least 3rd parties can verify integrity of the system.

shantara•36 minutes ago

Meanwhile Apple made a choice to leave iOS 18 vulnerable on the devices that receive updates to iOS 26. If you want security, be ready to sacrifice UI usability.

argsnd•27 minutes ago

If you set Liquid Glass to the more opaque mode in settings I find iOS usability to be fine now, and some non-flashy changes such as moving search bars to the bottom are good UX improvements.

The real stinker with Liquid Glass has been macOS. You get a half-baked version of the design that barely even looks good and hurts usability.

microtonal•3 minutes ago

Still takes multiple taps to find something on a page in Safari.

the_harpia_io•32 minutes ago

decade-old vulns like this are why the 'you're not interesting enough to target' argument falls apart. commercial spyware democratized nation-state capabilities - now any mediocre threat actor with budget can buy into these exploits. the Pegasus stuff proved that pretty clearly. and yeah memory safety helps but the transition is slow - you've got this massive C/C++ codebase in iOS that's been accumulating bugs for 15+ years, and rewriting it all in Swift or safe-C is a multi-decade project. meanwhile every line of legacy code is a ticking time bomb. honestly think the bigger issue is detection - if you can't tell you've been pwned, memory safety doesn't matter much.

meisel•1 hour ago

I wonder what the internal conversations are like around memory safety at Apple right now. Do people feel comfortable enough with Swift's performance to replace key things like dyld and the OS? Are there specific asks in place for that to happen? Is Rust on the table? Or does C and C++ continue to dominate in these spaces?

ronsor•1 hour ago

Apple is already working on a memory-safe C variant which is already used in iBoot and will be upstream LLVM soon: https://clang.llvm.org/docs/BoundsSafety.html

gsnedders•1 hour ago

While not wholesale replacing it, there already is Swift in dyld: https://github.com/search?q=repo%3Aapple-oss-distributions%2...

prodigycorp•18 minutes ago

What's never mentioned in posts like this is whether phones in lockdown mode were vulnerable too.

j16sdiz•2 hours ago

What does "zero-day" even meant?

> ... decade-old ...

> ... was exploited in the wild ...

> ... may have been part of an exploit chain....

CSMastermind•1 hour ago

The vulnerability has been present for more than a decade.

There is evidence that some people were aware and exploiting it.

Apple was unaware until right now that it existed, thus is a 'zero day' meaning an exploit that the outside world knows about but they don't.

buttscicles•2 hours ago

Meaning unknown to the public/vendor

alanbernstein•1 hour ago

Well whatever the zero means, it can't be the number of days that the bug has been present, generally. It should be expected that most zero-days concern a bug with a non-zero previous lifespan.

gruez•2 hours ago

https://en.wikipedia.org/wiki/Zero-day_vulnerability

runjake•2 hours ago

“Zero day” has meant different things over the years, but for the last couple-ish decades it’s meant “the number of days that the vendor has had to fix them” AKA “newly-known”.

EvanAnderson•33 minutes ago

It still weirds me out that a term w@r3z d00dz from the 90s coined is now a part of the mainstream IT security lexicon.

max_•1 hour ago

My suspicion is that. These "exploits" are planted by spy agencies.

They don't appear there organically.

kenferry•26 minutes ago

This kind of mental model only works if you think of things as made huge shadowy blobs, not people.

dyld has one principal author, who would 100% quit and go to the press if he was told (by who?) to insert a back door. The whole org is composed of the same basic people as would be working on Linux or something. Are you imagining a mass of people in suits who learned how to do systems programming at the institute for evil?

Additionally, do you work in tech? You don’t think bugs appear organically? You don’t think creative exploitation of bugs is a thing?

max_•17 minutes ago

I am not saying this one in particular.

Of course no one can admit it publicly.

But it is something that governments are known to proactively do.

You can get dirt on people a la Jeffrey Epstein. And use that to coerce them.

https://en.wikipedia.org/wiki/Backdoor_(computing)

zappb•1 hour ago

This vastly overstates both the competence of spy agencies and of software engineers in general. When it comes to memory unsafe code, the potential for exploits is nearly infinite.

xnx•38 minutes ago

> overstates both the competence of spy agencies

Stuxnet was pretty impressive: https://en.wikipedia.org/wiki/Stuxnet

Iolaum•35 minutes ago

It was also not a bug to be exploited.

It was a complicated product that many people worked in order to develop and took advantage of many pre-existing vulnerabilities as well knowledge of complex and niche systems in order to work.

blackcatsec•22 minutes ago

Yeah, Stuxnet was the absolute worst of the worst the depths of its development we will likely truly never know. The cost of its development we will never truly know. It was an extremely highly, hyper targeted, advanced digital weapon. Nation states wouldn't even use this type of warfare against pedophiles.

bell-cot•1 hour ago

Maybe sometimes? With how many bugs are normally found in very complex code, would a rational spy agency spend the money to add a few more? Doing so is its own type of black op, with plenty of ways to go wrong.

OTOH, how rational are spy agencies about such things?

max_•26 minutes ago

Yes. Of course not all.

But some just happen to work too well.

But governments do have blatant back doors in chips & software.

2OEH8eoCRo0•1 hour ago

Some suspect that Apple secretly backs some of these spyware services. I've heard rumors about graykey but only rumors. Thoughts?

gruez•1 hour ago

>Some suspect ...

>I've heard rumors ...

So like, the comment you're replying to? This is just going in circles.

walterbell•37 minutes ago

Did MIE/MTE on 2025 iPhones help to detect this longstanding zero day?

cpncrunch•2 hours ago

No updates for ipados17. I guess my ipad pro 10.5 is finally a brick.

cmurf•13 minutes ago

Feudalism says: buy new hardware, peasant.

I don't know what "equally annoying" would be for a company and its customers. We need a law requiring companies open source their hardware within X days of end of life support.

And somehow make sure these are meaningful updates. Not feature parity with new hardware, but security parity when it can be provided by a software only update.

Otherwise a company in effect takes back the property, without compensation.

erichocean•1 hour ago

I wonder if Fil-C would have prevented this.