A tricky thing about flagging "in the wild exploited vulnerabilities" in a title like this is that it suggests that sev:crit vulnerabilities in other updates that aren't flagged like this aren't being exploited in the wild. We get confirmation of only a subset of exploited vulnerabilities.

We'd be better off with a more neutral title, like "fixing severe vulnerabilities" or something like that.



I still think it's important to say that we know they are being actively exploited, even if all vulns might be


That's the kind of thing you can say in a comment, rather than in the title.


We've changed the title above to that of the page. (Submitted title was "Apple releases iOS 14.2 and 12.4.9, fixing in-the-wild exploited vulnerabilities".)


I think this is a bad decision. The "in-the-wild" part is the interesting part because it is not the norm at all and it implies an interesting story.


Happy to change it to a better title, i.e. something more accurate and neutral. We're particularly happy to do that with corporate press releases, which often deliberately obscure the situation. But usually that requires a suggestion (and at least partial consensus) from users who understand the story.

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...


Yeah, Apple's page titles generally suck, especially when they are presented without context. The big things in this one are that they're pushing fixes to devices that people had considered abandoned for almost two years, and that these fixes explicitly mention that they have been exploited in the wild in what I believe is Apple's second admission of this, and the first time they did so without blaming Google Project Zero for a mischaracterization. That's clearly a bit too much to put in a title, but something like "Apple releases iOS 12.4.9, backporting fixes for severe security vulnerabilities". I'd like to put "exploited in the wild" in there somewhere as well since I think it's an important part of the story, but I am not sure if this would keep it neutral.


It's an idiosyncrasy of the site that we avoid highlighting things in titles ("stories are community property, and submitting one doesn't give anyone the right to editorialize them").

I agree that the title we ended up with is suboptimal! "Exploitable" is a word I'd have been comfortable seeing there. But you take the good with the bad with the HN title rule; the site is primarily about discussion, not about being a noticeboard, and titles determine the discussion we have.


I’m not sure if it actually means “being used to exploit unknowing devices” given that Apple doesn’t define how they use it on that page. It very well could be referring to news about iPhone 12 jailbreaks (not that there is one yet https://twitter.com/fce365/status/1320691136890109952?s=21)


The other thing to consider is that doing a binary diff on the OS before/after patching puts a big red arrow right at the location of the bug, which means that there's no reasonable expectation that it will remain unexploited after the patch.

It's not really that important, really. It's either being exploited yesterday, or tomorrow.


Disagree, if we have proof that it is currently being exploited then that’s the news more than anything else.

