^^^ That was another (completely different) issue in the mobile Webkit framework of OS 1.0.0. It just happened to be discovered by the same guy, back in 07.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple to Release Fix for iPhone SMS Vulnerability on Saturday?
- Thread starter aldude
- Start date
- Sort by reaction score
I'm 16, I don't have financial info.
My battery is **** anyway, what more can they do?
I don't have AT&T.
I know the 3rd Beta of 3.1 has only been out for a week but is there any chance they'll push the whole new firmware out tomorrow? I know most people think they'll wait until the new iPod Touch is released in September or whatever, but maybe this will cause them to rush it out (not necessarily a good thing).
Because Google have already patched it and Microsoft were only notified a few days ago (it was first discovered in the iPhone and Android). Apple were the ones dragging their feet so much with fixing it. I also don't hear about Blackberry or the world's biggest maker of smartphones Nokia (S60) being impacted. Hardly most
As for people who believe Apple would have fixed this issue in this time period without the pressure - they wouldn't. As soon as the security researchers said they were going public with it on the 30th July they gave Apple a definitive timeframe to sort out a patch.
From MacRumors:
The flaw reportedly affects not only the iPhone but also other phones running Windows Mobile and Google's Android operating system, although the iPhone has gained the most significant publicity regarding the issue due to its high-profile status.
As disclosed by Charlie Miller and Collin Mulliner, the vulnerability lies in the modification of data that accompanies text messages and is not seen by the user. Because most operating systems use similar mechanisms to handle SMS data, the vulnerability affects a range of operating systems and devices.
The approach is particularly dangerous because messages are delivered automatically, and users cannot tell that they have received the malicious code.
The problem could be fixed by directly patching the vulnerability in smartphones' operating systems, or the network providers could scan for messages that look to be trying to gain access to phones via the malicious code.
Google has reportedly already taken steps to address the issue, but there is no word on whether Microsoft or wireless carriers are also working to prevent the vulnerability from compromising their systems.
But is it the same programming language to hijack an iPhone vs. a Windows Mobile phone? I'm sure you can't control a phone on SMS alone... surely you'd have to write a script that will be able to run in the devices OS right?
It sounds like they were dragging their feet on releasing this one to bundle it in with 3.1 or something.
Um who cares? There's obviously a common hole in the way SMS operates on these phones and there's someone who's been able to exploit it - demonstrate that it's a threat.
If they can prove it's on any smartphone - then obviously they have scripts available. How hard is it to try multiple scripts. I don't see your point at all.
Ah, looks like everyone will soon be using phones like when I was kid (in other words, no cell phones).
This is all much ado about nothing, IMO. News loves stuff like this. Must be because the stock market has been going up, they need to find doom and gloom somewhere else.
Edit: The good news is that we haven't had any new MMS threads (at least that I've seen).
Aggie - I agree. Personally I'm not worried a bit. Don't care. I'll apply the patch when it's available and that's that. And when a new patch or update comes out on software, Ill install that. I like to stay current when possible.
@bfc: Read Again
Sorry, but that's not what it says at all.
"Google has reportedly already taken steps to address the issue." That means they could be holding meetings right now to discuss HOW to solve the problem, doesn't it? So has Apple . . . and a patch is on its way.
Inferences can be a dangerous thing.
Sorry, but that's not what it says at all.
"Google has reportedly already taken steps to address the issue." That means they could be holding meetings right now to discuss HOW to solve the problem, doesn't it? So has Apple . . . and a patch is on its way.
Inferences can be a dangerous thing.
3.1 Beta
I wonder if they will post an update for 3.1 Beta 3. Or, maybe it's already been addressed in the current beta?
I wonder if they will post an update for 3.1 Beta 3. Or, maybe it's already been addressed in the current beta?
Yes this is Apple again dragging there feet.
It will be interesting to see how Microsoft handles this knowing they just learned about this 2 days ago, whereas Apple has known about it for a while now.
It will be interesting to see how Microsoft handles this knowing they just learned about this 2 days ago, whereas Apple has known about it for a while now.
Because Google have already patched it and Microsoft were only notified a few days ago (it was first discovered in the iPhone and Android). Apple were the ones dragging their feet so much with fixing it. I also don't hear about Blackberry or the world's biggest maker of smartphones Nokia (S60) being impacted. Hardly most
As for people who believe Apple would have fixed this issue in this time period without the pressure - they wouldn't. As soon as the security researchers said they were going public with it on the 30th July they gave Apple a definitive timeframe to sort out a patch.
First post here on these forums, this just caught my eye. 1 of 63 of all Nokia SmartPhones running Symbian are infected with spyware, those who dwell in glass houses shouldn't cast stones.
Ouch. I'd hate to give up my 3GS; even my 2G iPod touch feels slow now by comparison ...
Umm... no....
It tells me that, as I suspected before, Apple has already been working on this patch (or maybe already had it essentially finished). The plan was probably just to roll it into OS 3.1, thereby avoiding all the hassles of making people do yet another iPhone flash upgrade. (In the past, these update patches involved a re-download of the entire iPhone firmware package, which is well over 200 megabytes. That's rather inconvenient for a lot of people....)
Apple just doesn't want to be made to look bad with all the hype, so this forces their hand to make the fix a high priority and release it separately from everything else. Is that a "good" thing? I'm not so sure. I tend to side with the idea that the CARRIERS should filter out bad SMS content like this before it even gets to the handsets. Otherwise, all the people who didn't get a chance to upgrade their phones are still at risk. (And we know, statisically, at least 20% of the people out there run their iPhones at least 1-2 firmware versions behind the current one.)
It tells me that, as I suspected before, Apple has already been working on this patch (or maybe already had it essentially finished). The plan was probably just to roll it into OS 3.1, thereby avoiding all the hassles of making people do yet another iPhone flash upgrade. (In the past, these update patches involved a re-download of the entire iPhone firmware package, which is well over 200 megabytes. That's rather inconvenient for a lot of people....)
Apple just doesn't want to be made to look bad with all the hype, so this forces their hand to make the fix a high priority and release it separately from everything else. Is that a "good" thing? I'm not so sure. I tend to side with the idea that the CARRIERS should filter out bad SMS content like this before it even gets to the handsets. Otherwise, all the people who didn't get a chance to upgrade their phones are still at risk. (And we know, statisically, at least 20% of the people out there run their iPhones at least 1-2 firmware versions behind the current one.)
Why are we having to wait on a fix from Apple anyway?
AT&T could fix this, and probably should. Allowing a single sender to blast a phone with 512 SMS messages in a short period? Allowing 8-bit content in an SMS? There are a number of very easy ways AT&T could make this attack unworkable just be setting reasonable sanity restrictions on the usage of SMS.
While they're at it, give me a blacklist and whitelist option for SMS. Given that I'm paying for received SMS messages, I should be able to restrict who is allowed to send them to me.
AT&T could fix this, and probably should. Allowing a single sender to blast a phone with 512 SMS messages in a short period? Allowing 8-bit content in an SMS? There are a number of very easy ways AT&T could make this attack unworkable just be setting reasonable sanity restrictions on the usage of SMS.
While they're at it, give me a blacklist and whitelist option for SMS. Given that I'm paying for received SMS messages, I should be able to restrict who is allowed to send them to me.
