CVE-2026-28952: Apple macOS 26.5 Kernel Vuln found by Claude
93 points | 3 hours ago | 13 comments | support.apple.com | HN
cryptbe
47 minutes ago
Oh hey, this is our work! We helped Anthropic analyze and report this bug.

For the record, this bug has nothing to do with our recent MIE attack [1] [2], which exploited two different kernel bugs. Our bugs are not fixed yet.

[1] https://blog.calif.io/p/first-public-kernel-memory-corruptio...

[2] https://news.ycombinator.com/item?id=48139219

reply
concinds
2 hours ago
I wonder how well Apple has deployed these tools internally for security research.

Since mid-April Chrome showed 302 vulnerabilities patched, 225 of them found by Google. Same period last year was 19 vulnerabilities. They've also become more transparent recently, disclosing vulnerabilities found internally, not just externally (which Apple still doesn't appear to do). From the outside, it's hard to tell if Apple has deployed this tooling as much as Google.

reply
JCattheATM
1 hour ago
I'd guess they haven't even begun to really utilize them. They've never been a terribly security conscious company, despite the marketing.
reply
xyzzy123
30 minutes ago
What's your thinking on this? From my perspective Apple security go pretty hard. They have a strong track record of being able to ship architectural mitigations like PACs / MIE / Exclaves first. I guess because Apple control the stack from silicon to userspace.
reply
JCattheATM
14 minutes ago
My thinking was in a historical context, and for their desktop OS's. I know they've been pretty on top of things with iPhones, and macOS has become a lot better, but for the longest time macOS was pretty lacking, coasting very much on promoting how much PCs have viruses and Macs didn't, which was a marketshare thing more than a security thing. I don't think they got ASLR until later than pretty much everyone else, for example.

They've improved a lot, especially their phones, but I'd still never consider them a company that has a really strong focus on security.

reply
maximilianburke
12 minutes ago
I haven't been able to update my iPhone in months because it just does not have enough room available to download the update. I just checked now and it needs 13.2 GB free to be able to update to iOS 26.5 (from 26.3). On a 64 GB device!

It just seems like massive software development malpractice to tie together critical operating system updates with whatever else they've bundled.

reply
Aurornis
2 hours ago
More than 26.5:

> The affected releases include iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5.

I’ve already seen a lot of people self-congratulating for not updating to Tahoe but this isn’t exclusive to Tahoe.

reply
tom_
59 minutes ago
> The affected releases include iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5.

Where does this quote come from? I can't see it in https://support.apple.com/en-us/127115, the article link at time of writing. It mentions CVE-2026-28952, but we're forced to guess why. I'd take the reference to mean that this issue is fixed, but I'm just some internet rando, so what the hell do I know?

If I do a google search for "CVE-2026-28952", it points me to various pages. Here's one, for example: https://www.cve.org/CVERecord?id=CVE-2026-28952 - which is a bit more explicit, though of course this is not from the horse's mouth:

> This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5

reply
dragonsenseiguy
2 hours ago
Ah thanks! I was only looking at Tahoe since my mac had an update and I usually look at the security release notes.
reply
fosterfriends
3 hours ago
Kernel Available for: macOS Tahoe

Impact: An app may be able to cause unexpected system termination

Description: An integer overflow was addressed with improved input validation.

CVE-2026-28952: Calif.io in collaboration with Claude and Anthropic Research

reply
ZPrimed
2 hours ago
This isn't a 26.5 bug, this is a bug fixed in 26.5.
reply
dragonsenseiguy
2 hours ago
Ah my bad for the wrong wording.
reply
embedding-shape
2 hours ago
Claude and Anthropic are mentioned, but not Mythos. I'm guessing this would mean that this was found outside of the whole Mythos thing, or would there be any reason for them not to mention it, if it was involved?
reply
sigmar
2 hours ago
It was Mythos

> Our engineers, working together with Mythos Preview, built a working exploit in five days.

https://news.ycombinator.com/item?id=48139219

reply
three_burgers
2 hours ago
CVE-2026-28952 is about an integer overflow due to lack of input validation. I wonder what makes such a vulnerability difficult for traditional SAST tools to discover?
reply
firesteelrain
1 hour ago
Fuzzing, dynamic analysis or DAST might have found it too.

Assuming Apple has deployed all of these and has invested in the labor/training on how to properly use them.

reply
vessenes
2 hours ago
For many years my go-to plan has been to stay one point release behind Apple's releases, especially the .0 releases -- but, times change. Last night I pushed the button for 26.5, thinking about the Glasswing/Mythos reporting. Seems like staying on bleeding edge is going to be the name of the game.

I wonder if this will change general dynamics -- feels like LTS releases could become even more important, at the same time having reduced maintenance costs since you can have some agentic help on backporting.

reply
mort96
1 hour ago
Staying one point release behind is weird isn’t it? I get staying a major release behind, Apple’s x.0 releases are often pretty rough so it might be worth staying on x-1 for a while. But point releases mostly just fix the stuff they broke in the major release. Would you really upgrade from 18.5 or whatever to 26.0 when Apple releases 26.1?
reply
Marsymars
1 hour ago
Point releases for macOS can be pretty large over the past several years - what often makes sense is waiting a few weeks to upgrade in case there's a .1 patch.

e.g. macOS 15.0, 15.1, 15.3, 15.4, 15.6 and 15.7 all had .1 patches within a few weeks of release.

reply
samtheprogram
1 hour ago
Security updates still go out for older major releases back 2 versions. You didn’t need to jump to 26 if you weren’t on it.
reply
dragonsenseiguy
1 hour ago
Same! I almost never updated, now I feel like I need to update. Kinda feels like FOMO but for security updates.
reply
fl1pper
2 hours ago
Where is all of this going? Will there be dedicated servers running coding agents that iterate through codebases for each company to find vulnerabilities 24/7?
reply
Aurornis
2 hours ago
More like: There will be a budget for tokens to be spent on security audits.

1000 different companies will be pitching your CTO their proprietary vulnerability scanning harness as the most cost effective.

reply
colejohnson66
2 hours ago
So what already happens, but worse?
reply
jeffbee
26 minutes ago
Why shouldn't there be such things? We already have fuzzing, and responsible software publishers dedicate 24/7 resources to fuzzing.
reply
vessenes
2 hours ago
Yes
reply
dragonsenseiguy
2 hours ago
Sidenote but: it's crazy how big this update is. 13 GB is crazy
reply
jshier
1 hour ago
Update from 26.3 to 26.4 for the Studio Display XDR was 2.4GB. And that's for a variant of iOS designed for screens.
reply
atonse
1 hour ago
Yeah I’m honestly not sure why macOS updates seem to be so huge. Often gigabytes. Do they actually have thousands of changes, so they basically ship out new versions of almost all system libraries? Or is it that they don’t have good diffing in place? Or is it a BSD thing where you basically ship everyone at once since it’s all sort of “one version” of the base system?
reply
alwillis
1 minute ago
> Yeah I’m honestly not sure why macOS updates seem to be so huge.

An update to macOS 26.5 contains all the necessary code to update a Mac from 26.0 to 26.5 for both x86_64 and arm64 architectures.

reply
sda2
2 hours ago
One more reason to avoid upgrading to Tahoe.
reply
hedgehog
2 hours ago
This was fixed in 26.5 as well as 15.7.7 etc.

https://app.opencve.io/cve/CVE-2026-28952

reply
dragonsenseiguy
2 hours ago
> One more reason to avoid upgrading to Tahoe.

Sequoia also has security bugs :) https://support.apple.com/en-us/127116

reply