Apple Patches Critical Security Flaws in Older iPhones, iPads & Macs – Edge Browser Exposes Password Risks
- Apple has released a series of targeted security updates for its oldest supported iPhone, iPad, and Mac models—an unusual move that underscores the company’s rare but necessary intervention...
- The patches—labeled as "minor" by Apple—are part of a broader trend of security-first updates for legacy hardware, a practice that contrasts with the company’s typical approach of phasing...
- The updates address what Apple describes as "security improvements" without disclosing specific vulnerabilities, a standard practice to prevent exploitation before fixes are widely deployed.
Apple has released a series of targeted security updates for its oldest supported iPhone, iPad, and Mac models—an unusual move that underscores the company’s rare but necessary intervention to patch critical vulnerabilities on devices that no longer receive major software upgrades. The updates, announced on Monday, May 18, 2026, focus on models that are too outdated to run iOS 26 or macOS Sequoia, including the iPhone XR (released in 2018), iPhone 8 and 8 Plus (2017), and iPhone 6s and 7 (2015–2016).
The patches—labeled as “minor” by Apple—are part of a broader trend of security-first updates for legacy hardware, a practice that contrasts with the company’s typical approach of phasing out support for older devices once they fall behind by two major OS versions. This time, however, Apple has explicitly excluded newer devices (those running iOS 26) from receiving these fixes, directing users of compatible models to install the updates immediately. The decision reflects a growing recognition that even older devices remain in active use, particularly in markets where newer hardware adoption lags.
Why These Updates Matter
The updates address what Apple describes as “security improvements” without disclosing specific vulnerabilities, a standard practice to prevent exploitation before fixes are widely deployed. However, the timing and scope suggest the patches may be responding to actively exploited flaws, particularly in components related to notification handling—a category that has historically been a target for zero-day attacks. For context, Apple’s most recent major security bulletin (iOS 26.4.2, released April 24, 2026) highlighted a logging issue in notification services that could inadvertently retain deleted alerts, though that update was limited to newer devices.
For users of older iPhones and iPads, the updates are critical. Devices like the iPhone XR, which turns eight years old this year, are still used by millions globally, particularly in regions where Apple’s flagship models are less accessible due to cost or availability. The security patches ensure these users are not left exposed to exploits that could compromise personal data, financial transactions, or device integrity. Apple’s decision to prioritize these fixes—even for hardware that has long been considered “end-of-life” by most standards—sends a clear message: security is not contingent on a device’s age.
Technical Details and Affected Devices
The updates are distributed as follows:
- iOS 18.7.9: iPhone XS, XS Max, XR; iPad 7th generation
- iPadOS 17.7.11: iPad Pro (12.9″ 2nd gen, 10.5″), iPad 6th generation
- iOS 16.7.16: iPhone 8, 8 Plus, X; iPad 5th generation, iPad Pro (9.7″, 12.9″ 1st gen)
- iOS 15.8.8: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st gen); iPad Air 2, iPad mini 4; iPod touch (7th gen)
Notably, these updates are not available for devices running iOS 26, even if they are otherwise compatible. Apple has explicitly stated that users on the latest OS version will not receive these patches, a rare departure from its usual policy of offering security fixes to all supported devices. This suggests that the vulnerabilities in question may have been mitigated in iOS 26 through broader architectural changes, or that Apple is conserving resources by focusing fixes on legacy hardware.
Broader Context: Security for Legacy Hardware
Apple’s approach to legacy device security has evolved in recent years. While the company typically drops support for devices after two major OS updates, it has made exceptions in the past—most recently with iOS 18.7.7, which was released to address a zero-day exploit (codenamed “DarkSword”) affecting a wide range of devices. That update was notable for its broad scope, including even older hardware like the iPhone 6s and iPhone SE (1st gen), which are now nearly a decade old.
This latest round of updates aligns with that trend, though the exclusion of iOS 26-compatible devices is a significant shift. It may indicate that Apple is increasingly treating legacy hardware as a lower priority for security investments, or that the vulnerabilities in question are specific to older software stacks. For users, the message is clear: if your device is too old for the latest OS, you must still stay vigilant about applying security patches.
The updates also come amid a broader industry reckoning with the security risks of outdated hardware. In the Linux world, for example, the creator of the kernel, Linus Torvalds, has recently criticized the pace of bug fixes in open-source projects, arguing that security patches for older codebases are often deprioritized in favor of new features. While Apple’s approach is proprietary and centralized, the underlying challenge—balancing security with the practical limits of supporting decades-old hardware—is universal.
What Users Should Do
For owners of the affected devices, the recommendation is straightforward: install the updates as soon as possible. Apple’s security patches are typically delivered over-the-air (OTA) via the Software Update mechanism in Settings. Users who have disabled automatic updates should manually check for updates under General > Software Update.
If a device is no longer capable of receiving updates—either due to hardware limitations or because Apple has discontinued support—users may need to consider alternative measures, such as:
- Enabling full-disk encryption to protect stored data.
- Using a separate, more secure device for sensitive transactions.
- Exploring third-party security tools designed for legacy hardware (though these may introduce their own risks).
Apple has not provided a timeline for when—or if—older devices will be cut off from security updates entirely. Historically, the company has maintained support for at least five years for most iPhone models, though the pace of updates slows significantly after the first two OS generations. For now, these patches represent a temporary reprieve for users clinging to older hardware.
Looking Ahead
The updates also raise questions about Apple’s long-term strategy for legacy device support. As hardware becomes increasingly powerful, the company may face pressure to extend the lifespan of older devices—not just for security, but for environmental and ethical reasons. However, the exclusion of iOS 26-compatible devices from this round of fixes suggests that Apple may be drawing a harder line between “supported” and “unsupported” hardware in the future.
For now, the focus remains on the immediate threat: users of older iPhones and iPads must act quickly to protect their devices. The updates, while minor in scope, are a reminder that even the most outdated technology can become a target in an era where cyber threats are evolving at an unprecedented pace.
