2. The NYT and media on the whole will misreport and exaggerate stories like this to generate fear and negative buzz about the most hyped consumer electronic device of this century.
It's kind of the purpose of the NYT and news organizations to inform people. I'd be much more critical of the Times if they didn't report this. It's important to know if insecurities exist so you can behave accordingly. It's also important for potential buyers to weigh the risks of a purchase.
So, I'm looking on the website, looking for other examples of exploits exhibiting this company's work... and I'm not seeing it. I see a couple of blurbs from CEOs and mission statements... but no other exploits that this company has found.

Strikes me that this company is using the iPhone and this 'so called' flaw as a vehicle for cheap self promotion.
In the same breath you're criticizing the company for not promoting other flaws found and then criticizing them for promoting this one... Of course they're promoting their work here, that's what companies do-- otherwise people look at their websites and say "they don't seem to have done anything"... If they're a new group and this is the first they've done, there's all the more reason to try and get their name out there. This doesn't suggest their claims are invalid at all...
Everyone knows that Apple and their products are not perfect. There is just no flaw that is so significant that it would merit this type of attention.
If being able to extract all of your personal details and potentially be able to initiate calls isn't significant, what *do* you consider a significant flaw?
This is the reason I am personally opposed to Apple doing web 2.0 apps. They are asking for trouble with this vulnerability being web based. Put out an iPhone Dev kit, Apple!!
I was thinking the same thing, but this doesn't look like it's a legitimate 2.0 app-- rather it's crashing Safari and executing native code. If you provide a native code dev kit, you're just making this kind of attack that much easier. If Safari were more stable, it would act as a reasonable firewall from the underlying system-- which is what web based apps are meant to do.

Java still strikes me as a reasonable alternative though...

Someone mentioned above that everything on the phone appears to run with admin privileges, and that seems to be the case. That's something they should change if they can do so. This is an embedded device, but it has a window to the network. Besides, it would be kind of cool to be able to fast-user-switch your phone...
 
I read the article and the PDF. I would say they do not come across as particularly anti-Apple. However, they do come across as particularly touting a Microsoft party line.

They claim the reason Apple's Mac OS X is more secure (when compared to Windows) is only because it is on fewer computers. While there may be some truth to that as a factor, that's a sentiment that directly reflects Microsoft's propaganda campaign and it's touted without any qualification. The article also mentions add-on style security measures similar to those used by Microsoft and doesn't mention other sensible security-by-design steps that Apple does take (at least on the desktop), that make these other measures less important.


They are [touting the Microsoft party line]?

Yes, I would say they are.

Do you know for a fact that they are wrong in making such a claim? No you do not. So how can you question their claims, since you do not have any hard facts to back up your own viewpoint?

Yes, I know for a fact. The security differences between Mac OS X and Windows are striking. Certainly the fact that Mac OS X is a minority OS is significant, but to state it as wholly one-sided is to tout the Microsoft party line.

So they and Microsoft share a common viewpoint on some issue, it automatically means that "they are touting Microsoft's party-line!"? By same logic: since Hitler was a vegetarian, and Steve Jobs doesn't eat meat either, does that mean that SJ is "touting Hitler's party-line"?

If you say so.

Well, in recent years Microsoft HAS been improving the security of their software at the design-level as well, as opposed to just bolting on firewalls and antivirus-tools.

Sure, they have. And in recent years Microsoft has been engaging in these PR hit jobs too.

So, I imagine they found some vulnerabilities. However, oftentimes the tactic is to tout these huge security holes which hit the press hard. Then in a month when it comes time to put up or shut up, the press has already forgotten about the whole ordeal and the PR hitmen can simply slink back into their hole.

So you are saying that their findings are genuine? So what are you complaining about then? Because they make Apple look bad? Because they said something partially unrelated that you disagree with?

No, I don't care if they make Apple look bad. I have no doubt there are serious bugs in the iPhone. The crashing apps attest to that. And Apple should be embarrassed about that. Also, if these are real exploits, Apple should be embarrassed about that. However, the claims made are a bit far-fetched (and I noticed you truncated that part of my message; repeated below), because they're claiming they're using JavaScript to enable functionality (through an exploit) that no one else has been able to enable with the user's permission. Recording and communicating voice over the internet is functionality many would love to have on their iPhone through Web 2.0 apps. It's just not going to happen because JavaScript does not support that. Yet these folks claim they did it with JavaScript because they found an exploit? Be real.

Finally, the last claim seems to be a big tipoff. If they're actually injecting JavaScript code to use as an audio recorder and sending voice over the network connection as an exploit (a JavaScript exploit), why don't they ship these apps, because there are a lot of iPhone users who have been clamoring for these features.
 
***snippet***

link please?

I heard it on WTOP news (www.wtop.com) this morning on my way to work, but I can't find anything posted on their website.

However, I did find this comment:

"These weaknesses allow for the easy development of stable exploit code once a vulnerability is discovered," the researchers wrote in a whitepaper. They said they were unwilling to divulge any more details about the exploits until the Black Hat security conference in Las Vegas in August, because Apple was only notified of their research findings on 17 July.
http://news.zdnet.co.uk/security/0,1000000189,39288165,00.htm

Apple knew about this last week; seems like an established relationship to me.
 
I'd been predicting this since Apple snubbed the developers and opted for web scripting, which is inherently dangerous. Making an open call and inviting extensively scripted websites to be created for the iPhone was a result of Apple being completely naive about the security environment. OSX had never been a real target for real hackers but the iPhone just made it irresistible and will open up the incentive to exploit both the iPhone and as a result, the Mac. Enjoy!
 
If being able to extract all of your personal details and potentially be able to initiate calls isn't significant, what *do* you consider a significant flaw?

Every computer in the world faces this type of threat if you go to a bad website or click on the wrong link. What's new about this besides the fact that it can now be done on an iPhone?

The government has the ability and the right to turn on your cell receiver or initiate a call if they want.
 
Everyone knows that Apple and their products are not perfect. There is just no flaw that is so significant that it would merit this type of attention.

In this society, the only thing people like to see more than a company reaching its zenith is to see it fall.

Uh, flaws that endanger my personal information and my personal computer network are way significant enough! And the flaws come from an arrogance toward security and computing in general. If they fall, it is from that.
 
Every computer in the world faces this type of threat if you go to a bad website or click on the wrong link. What's new about this besides the fact that it can now be done on an iPhone?

Hardly! Maybe only computers running Safari, it is trivial for me to protect myself from this with Firefox. What's different is that you have been locked out of any ability to control the security of the phone and any exploited iPhone is a potential danger to the network it joins.
 
Earlier I said Apple should be embarrassed about Safari crashing exploits. That's true. However, I should add that exploits involved with using WiFi hotspots are always there: monkey-in-the-middle exploits. That's why it's a good idea to use SSL for email, VPN for other confidential information, and more ubiquitous use of trust certificates would improve things in that situation. That is, the monkey in the middle would be able to intercept all your data, but it would do them no good without the decryption keys.
 
Every computer in the world faces this type of threat if you go to a bad website or click on the wrong link. What's new about this besides the fact that it can now be done on an iPhone?

The government has the ability and the right to turn on your cell receiver or initiate a call if they want.
And it's a big deal whenever either of those scenarios are discovered. People concerned about Windows security are mostly concerned about exactly these kinds of problems.

I think it's safe to say the NYT made a bigger deal about the government accessing people's phones without warrants...
Hardly! Maybe only computers running Safari, it is trivial for me to protect myself from this with Firefox. What's different is that you have been locked out of any ability to control the security of the phone and any exploited iPhone is a potential danger to the network it joins.
Firefox isn't impervious either...
Earlier I said Apple should be embarrassed about Safari crashing exploits. That's true. However, I should add that exploits involved with using WiFi hotspots are always there: monkey-in-the-middle exploits. That's why it's a good idea to use SSL for email, VPN for other confidential information, and more ubiquitous use of trust certificates would improve things in that situation. That is, the monkey in the middle would be able to intercept all your data, but it would do them no good without the decryption keys.
Good advice. Apple should have FileVault enabled on the iPhone as well...
 
Besides, it's been reported that Apple paid them to do this anyway.
....
Apple knew about this last week; seems like an established relationship to me.

Most respectable security researchers report what they find to the vendor and give them time to address the issue before releasing details. The fact that Apple was told about this doesn't imply Apple has any type of partnership with these folks.
 
The Drudge Report is biased ?! what a shocker. :rolleyes:

CNN is also biased. It happens everywhere. This forum is very biased. If you have a different opinion they might ban you. I once put a link to a New York Times (a left-sided paper) article that was not friendly to people around here and I was banned. I had to open another account. I was mean-spirited and full of hate because I linked a story in a fricken newspaper. So much for free speech. Drudge is usually right on for the most part. He breaks tons of good stuff. Just because the source is not pro this or that does not mean the story has to be wrong.
 
The Drudge Report is biased ?! what a shocker. :rolleyes:

Drudge Report is pretty good for breaking news.

I don't see it as biased at all.

Of course, according to these forums, any publication is automatically 'Apple haters' because they 'dare' to publish a single negative Apple article.
 
As usual if you jump up and down on one foot....

First of all my iPhone is set NOT to ask to join unknown networks.

So you would have to be browsing on a secured website on an open wi-fi access point that a hacker had physically compromised.

What they left out here is whether or not other users of this access point would be just as vulnerable???? Hmmm

The NY Times has been known to make up news in the past. They really should change their motto from "All the news that's fit to print" to the following: "All the news we see fit to print" or "All the news, true or not".

The video gives no details of the "exploit" if it exists, nor does it mention if this is something that is iPhone exclusive. As a matter of FACT it doesn't say much of anything. Mostly it just suggests some very serious problem with the iPhone. Kinda like yelling fire in a crowded theater.

CNBC was quick to jump on this story. Most media outlets in this country just ape the stories blindly that appear in the NY Times. The Times is quickly losing ad revenues and influence. And we are a better society as a result.

This rumor knocked the stock down today and it fully recovered, down $2.30 and closed -$.15. Considering that it went up $3.75 on Friday, today was a great day (none of the Friday gains given back). No doubt there will be some after hours idiots selling on the CNBC package that will be aired in the 4pm EDT timeslot. It will be interesting to see if CNBC gives some balance to the point of view by putting someone on to challenge the claims made by the "security" company that no one has even heard of before...

This is bullsh** at its finest...
 
Wow, the speculation here.

This is a standard buffer-overrun bug, is it not? It's pretty sad that in this day and age, we still have buffer overrun bugs. Apple ought to be ashamed of themselves for this - in the iPhone and in Safari on the desktop.

However, I expect a fix very soon.
 
Independent Security Evaluators has a sparse website. No mention of exactly what they do, or how they make a profit. (Microsoft payments?) They are all of 2 years old. Would you take security advice from a 2 year old?

They only list two employees on the website. They do have a page for people looking for a job, but they don't mention what the job description is. This creates the illusion that they are a GROWING company.

They also provide their public PGP key for those looking to send them an email. This is also crap. Who would want to spoof an email to a security company? As their website says, "Life is too short".

Just saw the CNBC report with Maria "The Babe" Bartiromo. CNBC teased this piece with adjectives like "SERIOUS" and "END OF PRIVACY".

What this all boils down to is a simple publicity play for these yahoos at Independent Security Evaluators. They informed Apple about the "serious security flaw" and AT THE SAME TIME PROVIDED A PATCH. So if they were really concerned about helping out their fellow man, as their PR department would have you believe, they would have waited until after Apple had patched the iPhone before going public.

But then that would not have been SERIOUS and AN END TO PRIVACY AS WE KNOW IT! Come on, no one is falling for this. IF we made this big of a deal about all the Windows security flaws, CNBC would have a "BREAKING NEWS" report two or three times a week.

And where is the disclosure for this Independent Security Evaluators? I don't trust any company or group that has words like Independent, or Fair, or Truth in their names. Because they usually aren't.

Have any of Independent Security Evaluators' profits ever come from Apple's competitors? We may never know. Follow the money, people.

iPhone is a huge hit and those who have a lot to lose will stop at nothing to slow it down. If they can...
 
I heard it on WTOP news (www.wtop.com) this morning on my way to work, but I can't find anything posted on their website.

However, I did find this comment:

"These weaknesses allow for the easy development of stable exploit code once a vulnerability is discovered," the researchers wrote in a whitepaper. They said they were unwilling to divulge any more details about the exploits until the Black Hat security conference in Las Vegas in August, because Apple was only notified of their research findings on 17 July.
http://news.zdnet.co.uk/security/0,1000000189,39288165,00.htm

Apple knew about this last week; seems like an established relationship to me.

I heard it on WTOP too, but I've heard WTOP report unreliably several times about Apple-related things in the past. I don't know how much stock I'd put in the report unless you've heard it elsewhere as well.
 
Let me put my comment here.

I guess this is a side effect of Apple's triple-platform Safari strategy. Apple apparently needs to put more effort into Safari's security.

I have come to realize Apple's development strength is weak. Very incompatible with its strength in design.
 
Of course, according to these forums, any publication is automatically 'Apple haters' because they 'dare' to publish a single negative Apple article.

We actually took it easy on Apple in our interpretation of the white paper. See this:

However, there are serious problems with the design and implementation of security on the iPhone. The most glaring is that all processes of interest run with administrative privileges.

There are some kind of damning points from a security perspective. There is no way that Apple should have written every app with admin privileges. That's just stupid.
 
Independent Security Evaluators has a sparse website. No mention of exactly what they do, or how they make a profit. (Microsoft payments?) They are all of 2 years old. Would you take security advice from a 2 year old?

This is a very silly statement! For starters, I don't think Microsoft gives a crap about finding vulnerabilities in the iPhone, so to suggest that they are paying people to do so is very weird and conspiratorial. Secondly, two years is old enough in the IT industry to be considered respectable. And I'm sure the employees of the said company are not actually two years old themselves. Age doesn't seem to matter so much anyway - some people in these forums continuously trash Symantec's security advice - and they are 25 years old - so go figure. (eg, https://forums.macrumors.com/threads/308363/)
 
I guess this is a side effect of Apple's triple-platform Safari strategy. Apple apparently needs to put more effort into Safari's security.

Really? Safari is 99.9% secure on Macs and fairly unproven on Windows. As with Firefox though, I would be very surprised if Safari on Windows was less secure than IE7.

There are always going to be exploits uncovered for every browser occasionally. This particular story appears vague and any vulnerability in Safari is well reported (and soon to be plugged by Apple apparently), whereas there are tens of these things uncovered for IE7 every week, yet not well publicised as it's old news.

It's the old 'Macs don't get viruses because nobody bothers and the market share is too small anyway' adage. The truth is that even a fairly unserious piece of malware for OS X would get a lot of publicity (as this thread proves), which is what a lot of hackers would love to be infamous for.
 
There are some kind of damning points from a security perspective. There is no way that Apple should have written every app with admin privileges. That's just stupid.

Which is a good reason why Apple haven't allowed native 3rd party applications.

As I've always said and suspected, mobile OS X isn't up to scratch yet. It's still a very 'immature' OS.
 
Not going to bother to read all the nonsense.

I have an iPhone, Safari crashes at times, but I haven't had any security problems with my iPhone. Regardless, I still have no regrets. The iPhone is a great product and it isn't like there aren't some bugs to be worked out. Apple will fix the bugs in due time, and all my information is backed up. :)
 