If I have learned one thing on these forums since joining, it would be that everyone here thinks they know how to run Apple better than it's currently being run.

When it comes to being proactive about security, Apple *could* take a few lessons.
 
Sometimes I just love MacRumors; let's blame the people responsible for uncovering a huge security threat and giving Apple ample time to fix it. For all of you talking about how long it would take to implement such a fix, you have likely never worked in the software industry -- especially not when millions of customers could potentially be affected. When a security threat is revealed, you fix it quickly -- you even take resources off other projects if need be.

Some of the Apple fanboy excuses I've seen in this thread are truly laughable: it's July so they are on vacation? Are you ****ing kidding me? Or that the threat has been around for two years so to expect Apple to fix it in one month is absurd? This is simply illogical; first of all, the length of time the bug has existed, uncovered, is irrelevant to the length of time it would take to fix such a bug; and secondly, it is a benefit to all of us iPhone owners that the threat wasn't found by someone with malicious intent, but instead was found by people who notified Apple -- pull your heads out of the sand. And lastly, they are doing this as a publicity stunt? Really?

I say more power to the Black Hat community. If they know how to do it, someone else will figure it out soon enough anyway, whether they go public or not.
 
Mr. Dweller, I think if you look at most of the posts you'll find that almost everyone thinks Apple is being stupid here. Please don't overgeneralize as it makes you look stupid too.

Don't know if this has been posted yet, so...

http://news.cnet.com/8301-27080_3-10299378-245.html?tag=TOCmoreStories.0

Looks like it works.

Thankfully, it seems they've only demonstrated the ability to crash the phone so far. Would be nice if they'd stop doing the "you could" junk on cnet without telling us exactly how likely it is for someone to say, release a virus using this tomorrow.
 
Thankfully, it seems they've only demonstrated the ability to crash the phone so far. Would be nice if they'd stop doing the "you could" junk on cnet without telling us exactly how likely it is for someone to say, release a virus using this tomorrow.

Given Miller's past record and the fact that they can crash the phone I'm going to bet they can also insert the worm. We'll see later but this is uncomfortable reading.
 
Anyone that has done some professional programming knows that such bugs are priority no.1, having 6 weeks to fix such a security hole is plenty of time for such a big company. This is probably some kind of buffer/stack overflow attack and as such most of the times it's rather easy to fix especially if the guy told them how to exploit the hole (which means he knows exactly where the problem is). What I don't understand is why some people have to defend apple so hardcore as if they are themselves the iphone os programmers...
 
Seems like Apple needs to move a little quicker than they want on security fixes. M$ learned their lessons on this years ago. It's a shame Apple has to learn it this way ... blind hatred toward Redmond isn't helping your iPhone customers any.
 
Technologizer has a different spin on it:

http://technologizer.com/2009/07/30/your-phone-is-probably-vulnerable-to-malicious-text-messages/

Virtually all GSM phones (such as Apple’s iPhone) and GSM wireless operators (such as AT&T and T-Mobile) on the planet appear to be vulnerable to attacks using specially crafted SMS text messages discovered by security researchers Zane Lackey and Luis Miras.

So exactly how large is the scope of this vulnerability? Virtually all GSM phones?!?
 
What I don't understand is why some people have to defend apple so hardcore as if they are themselves the iphone os programmers...
For the exact same reason that people like you keep insisting that a month is adequate time for Apple to have identified the problem, developed a solution, regression tested it on all of the different versions of iPhone hardware/software, and get their (and every carrier that supports the iPhone) support folks prepped to help customers.
 
agreed. i'm generally against people publicizing hacks others can then take advantage of, but if apple has known about this for a month or more, it needs to happen so they'll finally fix it. it's ridiculous for apple to not have patched this hole yet.

I agree - I would hope something that is potentially this damaging to their whole phone ecosystem would be fixed a little faster!
 
For the exact same reason that people like you keep insisting that a month is adequate time for Apple to have identified the problem, developed a solution, regression tested it on all of the different versions of iPhone hardware, and get their (and every carrier that supports the iPhone) support folks prepped to help customers.

Why not? MS are expected to do the same and do with Windows.
 
The fanboyism is strong in this thread.
This is a priority ONE security hole.
They were told about it - and have done nothing about it so far.
So are you all saying that Apple should take its sweet time to fix such a huge security hole?!?
If this was Microsoft - I'm sure you all would be changing your tunes.

I'm no fanboy. I have, however, spent 20+ years in the industry, working for both hardware and software companies. Even if this was a priority 0 situation, there is only so much you can do. Nobody can work miracles, and nobody can plan for every contingency. Not Apple, not Microsoft, nobody.

It's not being an apologist, it's being a realist. Am I annoyed that this problem exists? Yes. Is it the end of my life? No. Given that my phone could be used for a 911 call, I would rather it was fixed right than done in a half-assed manner. But, I could just as easily forget to charge it and not have it work when I needed to make that call. Then the onus would be on me.

But, in the end, nothing is flawless. Bad things happen. We survived before cell phones, before computers, and before many other wonderful things that make our lives safer and more enjoyable. But, they are as flawed as we are, and so we cope.

I'm not trying to wax philosophical, I just think that in general people get too wrapped up in issues like this, and "security researchers" often have the easy task - it is much easier to find a flaw than it usually is to fix it.
 
What I don't understand is why some people have to defend apple so hardcore as if they are themselves the iphone os programmers...

Take your pick... Stockholm Syndrome, or just standard cult behavior.

thogscave said:
I'm not trying to wax philosophical, I just think that in general people get too wrapped up in issues like this, and "security researchers" often have the easy task - it is much easier to find a flaw than it usually is to fix it.
Actually, it is easier to fix the flaw than it is to find them. Finding flaws is generally the hard part. (Excepting the typical Microsoft behavior in the previous decade of creating 'standards' that required inherently stupid behavior.)

aristrobrat said:
For the exact same reason that people like you keep insisting that a month is adequate time for Apple to have identified the problem, developed a solution, regression tested it on all of the different versions of iPhone hardware/software, and get their (and every carrier that supports the iPhone) support folks prepped to help customers.
When the Microsoft WMF flaw hit right after patch Tuesday (around 1/1/2006), MS fans raved that there was no way MS could be expected to rush out a patch. In the end, MS did rush out a patch about 10 days later. And it turned out the datestamp on the new files was one day after the initial discovery. This was in a complex part of Windows (GDI API) that actually had the possibility of breaking code. But since a big bug is a big bug, there is actually very little chance of regression problems. In the case of this iPhone bug (which appears to just be a buffer overflow), the chances are near zero. If it is a control-message bug, then it becomes similar to the Windows WMF flaw, and you block out what is presumably 'undocumented' functionality.
 
Take your pick... Stockholm Syndrome, or just standard cult behavior.

Actually, it is easier to fix the flaw than it is to find them. Finding flaws is generally the hard part. (Excepting the typical Microsoft behavior in the previous decade of creating 'standards' that required inherently stupid behavior.)

Exactly... finding that overflowing an unchecked variable you can load stuff into the stack and actually implementing a check on said variable is a totally different difficulty level. I'm not saying it's something so simple (it could be) but still 6 weeks are probably enough.

Oh and for the guy that said they have to check the different software and hardware: There are 3(!) hardware versions of the iPhone, the OS and the thousands of apps which Apple isn't going to test every single one of them for compatibility anyways. With that logic it should take M$ about 10 years to fix a flaw since it has to test a billion of different hardware configurations and another 10 billion apps...
 
In the case of this iPhone bug (which appears to just be a buffer overflow), the chances are near zero. If it is a control-message bug, then it becomes similar to the Windows WMF flaw, and you block out what is presumably 'undocumented' functionality.
So this bug is being reported as affecting virtually every GSM phone, so does that still make it sound like a buffer-overflow to you?
 
So this bug is being reported as affecting virtually every GSM phone, so does that still make it sound like a buffer-overflow to you?

If that is true, then no, it does not sound like a buffer overflow. It would probably be a control message validation. But since it is reported to corrupt memory, something is going wrong somewhere in a way that is obviously not part of any expected operation.
 
Clearly they've been given enough time to fix it. Clearly they aren't going to unless pressure is placed on them. The only way to put pressure on them is to publish the details of the threat. If they just said "hey apple, we're not going to publish this because, well, we're nice guys." Then what more incentive do they have to fix it quickly?

How are you so sure that one month was enough time to fix this problem, it may be harder than you think. What if they have been working on this really hard for the past month. Aren't you assuming too much information about Apple's work tasks? Seriously!
 
The fanboyism is strong in this thread.

This is a priority ONE security hole.

They were told about it - and have done nothing about it so far.

So are you all saying that Apple should take its sweet time to fix such a huge security hole?!?

If this was Microsoft - I'm sure you all would be changing your tunes.

I am GLAD that they went public with this. What would happen if they didn't go public with this, and then a hacker actually implemented it? I bet you'd see a fix within days.

So many people on here keep claiming Apple has done nothing. Are you an Apple employee? Have you seen Apple's work task? If not, how do you know if they have done nothing? They could have been working on this for a month, can you actually prove otherwise?
Not being a fan-boy, just pointing out that a lot of people are making some ridiculous claims here, and keep getting angry at Apple. I'm guessing it's because they are now scared for their iPhone.
 
For the exact same reason that people like you keep insisting that a month is adequate time for Apple to have identified the problem, developed a solution, regression tested it on all of the different versions of iPhone hardware/software, and get their (and every carrier that supports the iPhone) support folks prepped to help customers.

such things aren't a snap of the fingers to fix. you have to make sure you don't break something else in the process.
Google already patched Android, so both of your arguments for Apple's lack of attention to the matter fail.

How are you so sure that one month was enough time to fix this problem, it may be harder than you think. What if they have been working on this really hard for the past month. Aren't you assuming too much information about Apple's work tasks? Seriously!
It was actually 6 weeks ago, but who's really counting... certainly not Apple.


The hole they found in Windows Mobile was only discovered a few days ago and they have yet to notify Microsoft of the details. I expect Microsoft will have a patch out pretty quick. They've already proven they can code, test and deploy patches pretty quickly.
 