by jagger27 371 days ago
Web browser engine and OpenSSL (or equivalent) patches alone are the main concern in userspace. Those codebases are a constantly moving target. Look at the stream of CVEs and security patches that Apple publishes. Almost every bug affects every product because of how much code is shared up and down the stack.

You know they keep updating Safari and making security updates for old OSes for years, right?
Apple is definitely not the worst in this regard, but the most recent version of iOS to support the iPad 3rd generation (the device we are discussing which is being used as a PDF reader) is iOS 9.3.5 (a security/bugfix release on August 25, 2016 which supports the WiFi-only version of the iPad 3rd generation) or iOS 9.3.6 (also a bugfix release on July 22, 2019 which supports the WiFi+cellular version of the same device - specifically, this was a fix to keep GPS working).

The iPad 3rd generation was released in 2012, so the 2016 9.3.5 iOS release gave 4 years of security/bugfix support for the WiFi-only version of that device.

Sure, but there haven't been any security exploits in that version of iOS since then. It still works.
Not sure what you mean? A CVE like this: https://nvd.nist.gov/vuln/detail/CVE-2025-24201 found in 2025 impacts iOS versions before 18.3.1 (Safari and iOS are shipped together).

Which means there is a decent chance an iPad running 9.3.2 is vulnerable.

And there have been thousands of CVEs since 9.3.2. Most are of low severity, but not all.

Apple patches anything with a proven exploit. While it may be vulnerable, no one has written and shown Apple an exploit.
Apple patches anything with a proven exploit as long as it’s in a supported version of the OS. E.g. they will not patch versions beyond macOS 10.14, I believe; not sure what the cutoff for iOS is, but it’s usually about 6 years of security updates. Which means that iOS 9.3.5 is well outside of that, and so a bug that impacts that OS will not be patched. Which means using an old device like that on the open internet is deeply foolish.