Apple Says Recently Discovered iOS Mail Vulnerabilities Pose No Immediate Threat, But a Patch Is in the Works

[otternonsense]

.

"I don't know what's happening in Cupertino. Neither do you. What's making you so "aware" in ways that I am not?"

Being a systems, hardware, and software engineer for many years in Silicon Valley for a handful of both large and small companies.

If you want to believe Apple's "emoji implementation team" and the group that handles the Mail application are the same or share responsibilities and compete for resources, please feel free. I think more knowledgeable people who work in tech in this area would have a good laugh, though.

But you're not in Cupertino, so you don't know by association just because you've worked in Silicon Valley. Your guesses are as good as mine.

By all means, please bring over some more knowledgable people from the area for a coffee and a chat so we can all laugh together.

 

[citysnaps]

But you're not in Cupertino, so you don't know by association just because you've worked in Silicon Valley. Your guesses are as good as mine.

By all means, please bring over some more knowledgable people from the area for a coffee and a chat so we can all laugh together.

I'll take you up on that, maybe with a couple of Apple employees. Let me know when you'll be arriving so I can plan!

Also... Because you may not be aware, Cupertino is part of Silicon Valley.

 

[I7guy]

...It's a luxury to have dedicated teams, and Apple could theoretically afford them.

Large tech companies, dedicated teams who work in parallel are a necessity.

Regardless, the proof is in the pudding, and the reality is a constant whack-a-mole with bugs and languishing core apps, some cosmetic and some quite serious, on a weekly basis.

What proof, that bugs exists and vulnerabilities exist and that hackers and researchers do their best to find them, and companies patch them as found? My windows 10 box gets updates every few days, therefore the quality of windows 10 is terrible and the entire c-level management team is incompetent is what you are arguing.

I said "I presume" it's happening because of a workforce spread thin on tasks with highly pet-project like goals in a company that's now defined more by politics than commitment to design & engineering. Probably they're still under the illusion they're delivering the same quality as back when Steve would decapitate the dev lead for getting an icon wrong.

What pet projects? What is a pet project is clearly your opinion. Apple today is defined by generosity and helping not politics, if you don't see that, you are not following the news. And the mail bug existed since ios 6, so much for that.

I don't know what's happening in Cupertino. Neither do you. What's making you so "aware" in ways that I am not?

It's an educated guess on ops part.

 

[otternonsense]

I'll take you up on that, maybe with a couple of Apple employees. Let me know when you'll be arriving so I can plan!

Also... Because you may not be aware, Cupertino is part of Silicon Valley.

I'm down for it but will have to be Zoom until the quarantine is lifted. I was gonna visit SF after SXSW last March, alas, the pandemic happened

Geographically speaking, yes, it's part of SV. That doesn't mean much.

What pet projects? What is a pet project is clearly your opinion. Apple today is defined by generosity and helping not politics, if you don't see that, you are not following the news. And the mail bug existed since ios 6, so much for that.

I'm talking about internal politics, such as the stark cultural switch away from putting design & engineering above mid-level management. Not social or GOP stuff. Here is just one source though it's pretty clear from the end result.

 

[I7guy]

I'm down for it but will have to be Zoom until the quarantine is lifted. I was gonna visit SF after SXSW last March, alas, the pandemic happened

Geographically speaking, yes, it's part of SV. That doesn't mean much.



I'm talking about internal politics, such as the stark cultural switch away from putting design & engineering above mid-level management. Not social or GOP stuff. Here is just one source though it's pretty clear from the end result.

With Apple being (pre-covid) a trillion dollar company and hundreds of millions of customers, there's (at least) one opinion for every customer. Having said that, Apple had to change with the times and the fruit is in the pudding of their finances. There is no other objective measure of success.

 

[RickDEGH]

Panic panic panic! My university in Germany just sent a mail to all students using Mail app to disable synchronization till 13.4.5 is released.

By the way, Mail notifications never leave the lockscreen even when I have read those mails until I manually swipe them away.

 

[otternonsense]

With Apple being (pre-covid) a trillion dollar company and hundreds of millions of customers, there's (at least) one opinion for every customer. Having said that, Apple had to change with the times and the fruit is in the pudding of their finances. There is no other objective measure of success.

Let's not conflate product quality with financial success. The first is still great, but with increasingly obvious slips, cracks and bursting seams that would have been unthinkable before. The second is also a result of stock buybacks besides the almost comical margin milking.

 

[1144557]

Panic panic panic! My university in Germany just sent a mail to all students using Mail app to disable synchronization till 13.4.5 is released.

By the way, Mail notifications never leave the lockscreen even when I have read those mails until I manually swipe them away.

Lol the uneducated panic. So there are no reports of anyone being exploited but lets overreact.

Are you going to school to learn how to build nuclear weapons or other government secrets? Exploiters are looking for the big fish to take advantage of and leverage, government and CEOs, not some student on their school email account

Total overreaction reading a headline without the content

 

[I7guy]

Let's not conflate product quality with financial success. The first is still great, but with increasingly obvious slips, cracks and bursting seams that would have been unthinkable before. The second is also a result of stock buybacks besides the almost comical margin milking.

The unthinkable happened under Steve. Mail bug existed since ios 6 and the "you're holding it wrong" meme, plus others. In my opinion, I'm not conflating anything, product quality is still great, irrespective of the recent bugs/vulnerabilities, which is a fact of life given for large tech companies across the world.

If people thought Apple was milking their margins and their prices were unfair, they would have stopped buying product, but that hasn't happened.

 

[1144557]

The unthinkable happened under Steve. Mail bug existed since ios 6 and the "you're holding it wrong" meme, plus others. In my opinion, I'm not conflating anything, product quality is still great, irrespective of the recent bugs/vulnerabilities, which is a fact of life given for large tech companies across the world.

If people thought Apple was milking their margins and their prices were unfair, they would have stopped buying product, but that hasn't happened.

Of course, because it exists everywhere. A new Android or Windows 10 security bug is found every week (roughly). It happens, there is no such thing as perfect code; especially when an OS gets as complex as iOs has. It's not iOS 3 anymore or pre App store.

Apple is not special. People just want to make it look that way that Apple should be immune.

 

[I7guy]

..
Apple is not special. People just want to make it look that way that Apple should be immune.

Correct. I'm not sure who wants to make it seem that Apple is immune. However, I think the quality of their code is better than the competitors.

 

[1144557]

Correct. I'm not sure who wants to make it seem that Apple is immune. However, I think the quality of their code is better than the competitors.

Well the people calling for Federighi's head etc. Or the "Apple sucks" crowd. It's preposterous. This existed under Jobs too, and how many people developing iOS for how many years. And everyone was ok, no harm no foul, until a news story- then suddenly Apple sucks (as if Android and Windows dont have HUGE HUGE security bugs all the time, far far worse than Apple's. How many times did Windows 10 "delete" or rather hide people's files on updates? And everyone got past it ok)

If every big tech company (Microsoft, Google, etc) simply replaced people when there was a bug there would be no one left.

 

[otternonsense]

Well the people calling for Federighi's head etc. It's preposterous. This existed under Jobs too, and how many people developing iOS for how many years.

If every big tech company (Microsoft, Google, etc) simply replaced people when there was a bug there would be no one left.

Why is it preposterous? Forstall got booted for less. If you wanna get the Apple C-suite pay check and benefits, paid in part by our $1000 phones and $4000 Macs, you'd better deliver or else.

We're not talking about a bug here, but years of piss poor QA, broken releases and ongoing performance issues.

 

[laz232]

The German Federal Security Agency begs to differ with Apple's press-release:
Dazu BSI-Präsident Arne Schönbohm:


"Das BSI schätzt diese Schwachstellen als besonders kritisch ein. Sie ermöglicht es den Angreifern, weite Teile der Mail-Kommunikation auf den betroffenen Geräten zu manipulieren. Es steht zudem aktuell kein Patch zur Verfügung. Damit sind Tausende iPhones und iPads von Privatpersonen, Unternehmen und Behörden akut gefährdet. Wir sind im Austausch mit Apple und haben das Unternehmen aufgefordert, hier schnellstmöglich eine Lösung zur Sicherheit ihrer Produkte zu schaffen."

TLDR: The BSI considers these weaknesses as especially critical

Bundesamt für Sicherheit in der Informationstechnik

Das Bundesamt für Sicherheit in der Informationstechnik (BSI) ist die Cyber-Sicherheitsbehörde des Bundes und Gestalter einer sicheren Digitalisierung in Deutschland.

www.bsi-fuer-buerger.de

 

[I7guy]

Why is it preposterous? Forstall got booted for less. If you wanna get the Apple C-suite pay check and benefits, paid in part by our $1000 phones and $4000 Macs, you'd better deliver or else.

Yep, sometimes stuff happens in corporate america.

We're not talking about a bug here, but years of piss poor QA, broken releases and ongoing performance issues.

This is so generic that it could be any large tech company. There is no such thing as "just one bug", but as it relates to Apple, here is my take:
- piss poor QA: A normal of amount of bugs turns into piss poor QA
- broken releases: yep, it's happened. Windows, Android, IOS, etc.
- ongoing performance issues: This one has me stumped, since 2013 this has been rectified.

 

[gnasher729]

Why is it preposterous? Forstall got booted for less.

Excuse me. Bugs happen. Forstall left for a lot more.
[automerge]1587748235[/automerge]

The German Federal Security Agency begs to differ with Apple's press-release:
Dazu BSI-Präsident Arne Schönbohm:


"Das BSI schätzt diese Schwachstellen als besonders kritisch ein. Sie ermöglicht es den Angreifern, weite Teile der Mail-Kommunikation auf den betroffenen Geräten zu manipulieren. Es steht zudem aktuell kein Patch zur Verfügung. Damit sind Tausende iPhones und iPads von Privatpersonen, Unternehmen und Behörden akut gefährdet. Wir sind im Austausch mit Apple und haben das Unternehmen aufgefordert, hier schnellstmöglich eine Lösung zur Sicherheit ihrer Produkte zu schaffen."

TLDR: The BSI considers these weaknesses as especially critical

Mr. Schönbohm either knows something we don't know, or he does greatly exaggerate. I looked at what the security researchers found, and saw that they can crash the Mail app, but not that they can do any manipulations on those phones.

 

[jlseattle]

Mail app on my Mac has been randomly quitting I wouldn't be shocked if it was something more than just a crash.

Apple needs to fix and secure their mail.

 

[H2SO4]

I raised this issue on Apple Community yesterday after reading articles on both the BBC and Guardian web sites.

within 20minutes I received an email from apple stating .....We removed your post "iOS 13.4.1 mail vulnerability" because it was speculative.

That is standard operating procedure.
[automerge]1587754669[/automerge]

.

"I don't know what's happening in Cupertino. Neither do you. What's making you so "aware" in ways that I am not?"

Being a systems, hardware, and software engineer for many years in Silicon Valley for a handful of both large and small companies.

If you want to believe Apple's "emoji implementation team" and the group that handles the Mail application are the same or share responsibilities and compete for resources, please feel free. I think more knowledgeable people who work in tech in this area would have a good laugh, though.

If their resources come from the same pot, they DO share them. Fact.

 

[mi7chy]

Denial worked for COVID-19 too.

 

[citysnaps]

If their resources come from the same pot, they DO share them. Fact.

If you want to believe that Apple implementing the latest edition of emoji (designed by the Unicode Emoji Committee) comes at the expense of Apple needing to pull back technical staff resources that would otherwise be assigned to the Mail app (the thrust of the conversation), please, be my guest.

 

[H2SO4]

If you want to believe that Apple implementing the latest edition of emoji (designed by the Unicode Emoji Committee) comes at the expense of Apple needing to pull back technical staff resources that would otherwise be assigned to the Mail app (the thrust of the conversation), please, be my guest.

Then I’m your guest.
All businesses have a budget and that budget is not limitless. They make decisions based on the cost of ‘sailing the ship’. When one department needs more they take it from another or put more resource in.
What they don’t do is give each department unlimited resource.
If one department can’t have what it wants it’s because of one or both of two things.
They don’t have enough resource in absolute terms or other departments are using what’s available.
Of course the staff are different. Nobody thinks the ones that clean the toilets are the same as those that write the code.
But if code writing needs more money put in it comes from the same pockets as those used to buy the bleach.
They could do both but they look at priority, cost and time abs decide not to.
Why, because resource is not bottomless.

 

[citysnaps]

Then I’m your guest.
All businesses have a budget and that budget is not limitless. They make decisions based on the cost of ‘sailing the ship’. When one department needs more they take it from another or put more resource in.
What they don’t do is give each department unlimited resource.
If one department can’t have what it wants it’s because of one or both of two things.
They don’t have enough resource in absolute terms or other departments are using what’s available.
Of course the staff are different. Nobody thinks the ones that clean the toilets are the same as those that write the code.
But if code writing needs more money put in it comes from the same pockets as those used to buy the bleach.
They could do both but they look at priority, cost and time abs decide not to.
Why, because resource is not bottomless.

Nice obfuscation. You're not saying anything new. Again, if you want to believe Apple implementing the latest emoji addition comes at the expense of technical staff being pulled from Mail, the crux of the conversation, fine.

 

[H2SO4]

Nice obfuscation. You're not saying anything new. Again, if you want to believe Apple implementing the latest emoji addition comes at the expense of technical staff being pulled from Mail, the crux of the conversation, fine.

It’s a fact. Resource used in one area impinges on that in another unless that area has more than it needs.
It might not fit your narrative but it’s true, sorry.

 

[Tomcolgan]

how did the hackers get to the app? wasn't the stock mail app in the sandbox like other apps

 

[I7guy]

Nice obfuscation. You're not saying anything new. Again, if you want to believe Apple implementing the latest emoji addition comes at the expense of technical staff being pulled from Mail, the crux of the conversation, fine.

Hard to believe, we're still at emojis or fix the software.