I'd say that's a rather extreme statement. You do realize every Mac Apple sells ends up with admin privileges by default, don't you? There may be more Apple can do with that, but most of what anyone would care about on the phone needs to have their permissions anyway. It's not really the kind of device for multiple users. And most people aren't even going to password protect the device. So everything that could be stolen would be available from anyone who stole or found the phone. When you hear people talking about needing to lock down the iPhone to security levels below administrator they're not really providing any constructive advice. Admin doesn't give anyone root access to the phone. It just gives someone the user name of an admin. They'd still need to crack the password.

As it's been said before, this sounds like a standard buffer overflow exploit (or maybe more hype than anything). A user account locked down to non-admin would still have read access to all of the files they're claiming access to.

An example of why having admin privileges running everywhere isn't good. Safari runs as admin. I break into Safari, and inject my code. I now have read/write/execute access to pretty much everywhere. I can do the following that I couldn't do without admin privileges:

1) Over-write contacts with spam. Or perhaps just change contacts subtly so that the user doesn't notice it, and then when they are synced, they don't stop the iPhone from syncing those changes (i.e. changing a telephone number by one digit).
2) Change configuration files. This can be done either in a minor, harassing manner (constantly reset the default ringtone), or in such a way that the iPhone is "bricked" until a restore is done.
3) Delete other programs.

A true security researcher could probably think of more... I'm a mere software engineer and news/rumor editor. But those should be enough to point out that admin privileges should only be given when necessary and never by default.
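The argument above is the least-privilege principle: the component that parses untrusted web content should not carry admin or root authority, so a bug in it buys the attacker only what an unprivileged account can reach. The program below is an added example, not code from the post or from Apple, of how a Unix daemon applies that before touching attacker-controlled bytes: drop to an unprivileged uid/gid, verify the drop cannot be reversed, then hand the untrusted input to a handler that refuses to run as root. The uid/gid 65534 ("nobody" on most Linux systems), the handler and the sample page are assumptions for the demo.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* uid/gid to fall back to. 65534 is "nobody" on most Linux systems; this is an
 * assumption for the demo, a real service would look up a dedicated account. */
#define UNPRIV_UID ((uid_t)65534)
#define UNPRIV_GID ((gid_t)65534)

/* Give up root authority permanently. Returns 0 when the process ends up
 * non-root with no way back, -1 on any failure. The order matters:
 * supplementary groups, then gid, then uid; once the uid is dropped the
 * earlier calls would be refused. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() != 0 && geteuid() != 0)
        return 0;                      /* already unprivileged, nothing to do */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)              /* as root this sets real, effective and saved uid */
        return -1;
    /* Never trust the drop without checking: regaining root must now fail. */
    if (setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

/* The component that handles attacker-controlled bytes (think: the renderer
 * parsing a web page). It refuses to run with root authority at all, so a bug
 * in here is confined to what UNPRIV_UID can reach. Returns the number of
 * non-newline bytes seen (a stand-in for real parsing work), or -1 if it was
 * called with too much privilege. */
static long handle_untrusted(const unsigned char *page, size_t len)
{
    if (geteuid() == 0)
        return -1;
    long count = 0;
    for (size_t i = 0; i < len; i++)
        if (page[i] != '\n')
            count++;
    return count;
}

int main(void)
{
    /* Constructed sample input standing in for a fetched page. */
    static const unsigned char page[] = "<html>\n<body>hi</body>\n</html>\n";

    if (drop_privileges(UNPRIV_UID, UNPRIV_GID) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    long n = handle_untrusted(page, sizeof page - 1);
    printf("running as uid %u, parsed %ld bytes\n", (unsigned)geteuid(), n);
    return n < 0;
}
```

Run it as an unprivileged user and there is nothing to drop; run it as root and it should be uid 65534 before the handler sees a byte. The explicit setuid(0) check is the part people skip: a drop done with seteuid() alone leaves the saved uid at root and can be reversed, and asserting that root is really gone catches that class of mistake.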
 
I think this says a lot, considering the source. Wildpalms' theory (above) also seems to be a strong possibility.
I agree we should get to the bottom of this. For it's OBVIOUS no one in their right minds - not even people in the computer security industry - would go tampering with their iPhones and looking for exploits. There HAS to be a sick evil hypocritical deep dark motivation for their doing this. There HAS to be! LOL :cool:
 
This sounds more like a Safari vulnerability than the iPhone specifically.
What all you people should do is READ THE PDF. Whatever hole they found now - great. But they DO point out four rather serious security architecture issues that must be addressed. And those, for the record in case there's any doubt, have absolutely nothing to do with Safari. :)
 
:mad: NOTICE TO iPHONE APOLOGISTS: Don't make excuses. Say NOTHING if you can't stop dismissing serious problems. Understand what FUD is. It's not "real problems", it's fear and doubt surrounding nothing. It's clear the existing exploit was not "NOTHING"! Downplaying the problem only encourages people to make a much more damaging headline to have it taken seriously. ~ CB
Put another way it gets the gray hats after your butts because they see you just asking for it.

Cleverboy's words are amongst the sanest tonight and yesterday, and with that I wish everyone a good night. Don't stop using your phones; Apple's iPhone is never going to be the kind of joke a Microsoft software product is, so just relax a bit, OK? And these professors from Johns Hopkins and the NSA: wait a week and see what they say at Black Hat. Then you'll know.
 
Yes we do. July 17.
Okay, thanks. I still wonder if 5 or 6 days is really enough time for Apple to respond before going public but I suppose they wanted to build some hype for their disclosure on Aug. 2nd. I wish they'd waited longer but I understand their motivation.
 
No Need to Panic Folks...

An example of why having admin privileges running everywhere isn't good. Safari runs as admin. I break into Safari, and inject my code. I now have read/write/execute access to pretty much everywhere. I can do the following that I couldn't do without admin privileges:

1) Over-write contacts with spam. Or perhaps just change contacts subtly so that the user doesn't notice it, and then when they are synced, they don't stop the iPhone from syncing those changes (i.e. changing a telephone number by one digit).
2) Change configuration files. This can be done either in a minor, harassing manner (constantly reset the default ringtone), or in such a way that the iPhone is "bricked" until a restore is done.
3) Delete other programs.

A true security researcher could probably think of more... I'm a mere software engineer and news/rumor editor. But those should be enough to point out that admin privileges should only be given when necessary and never by default.

All this is true. It's THEORETICALLY possible to run any code behind a buffer overrun (signed or not).

However, everyone here is missing something pretty obvious. We are most likely safe (FOR A WHILE). Not only will Apple fix this particular hole, but there's a larger obstacle facing anyone that wants to actually use this exploit...

There is very little info on the phone and architecture. According to sources in the iPhone dev. hacking community they've made SOME progress, but not anything incredible. There is a toolchain in place atm - they could stick a "HELLO WORLD" app behind the exploit. They *are* working on the binary tools - they'll come along shortly, but it's still in its infancy.

1) Overwriting my contacts - fixed by sync or restore
2) Change config - fixed by restore
3) Deleting programs - fixed by restore

All of these are minor annoyances. Since the phone currently is "read-only"... i.e. doesn't really contain but a *copy* of your important stuff - it can be wiped at any time without worrying about it too much.

As for tying into all my contacts, taking over my phone and running up charges, good luck. Point is there's a TON of uncharted API and tool building that'll need to happen before someone makes *real* use of any exploit.

I am surprised Apple is compiling their browser code using unsafe string copies, not checking buffers, etc. Most of this is taken care of for you if you would just use the newer "secure" compiler functions.

There will always be ways of hacking *any* device. No browser is ever safe.

People are getting their panties in a wad. Let Apple patch their poorly written code.
 
The fanboy-ism on these forums sometimes astounds me. It's really amazing to me that some people on here really cannot find or *refuse* to find *ANYTHING* wrong (or potentially wrong) with Apple and their products.

Absolutely amazing. GET YOUR HEAD OUT OF THE SAND.

w00master

I guess it's not that people on here "cannot find" anything wrong with it, but I think as an APPLE FANBOY you actually read the facts not some blown out of proportion version of the story.

It would take pretty impressive circumstances to get yourself into this mess they are describing. There have been no reports of people having their iPHONES "taken over" by malicious people (YET), and Apple (LIKE ALWAYS) will fix the problem before anything becomes a real problem.

NYTimes said:
Mr. Rubin said, “I will think twice before getting on a random public WiFi network now,” but his overall opinion of the phone has not changed.

“You’d have to pry it out of my cold, dead hands to get it away from me,” he said.

I would hardly say there is cause for alarm, but if you want to be completely virus free, I have an Atari 2800 I'm selling - if you're getting nervous.:rolleyes::rolleyes:
 
Actually the exploits make it trivial to complete a serious scenario: load a trojan script and when you sync your iPhone - VOILA! - your computer has now been infected BEHIND YOUR FIREWALL. And when you join a network, malicious code can start infecting computers on that network because it is BEHIND THE FIREWALL. That's the seriousness of the matter. And most of you people are living in the 90s: exploiting your computer is not about inflicting damage or messing up your data like a schoolboy, it is about using your bandwidth, processor cycles and IP to execute criminal actions en masse over the internet without your knowledge. No reports? I seriously doubt most people running an iPhone or a Mac would have the slightest clue about how to detect it.

Apple products no longer reside in fairyland where no one has to understand security, welcome to the real world fanboys.
 
Put another way it gets the gray hats after your butts because they see you just asking for it.

Cleverboy's words are amongst the sanest tonight and yesterday, and with that I wish everyone a good night. Don't stop using your phones; Apple's iPhone is never going to be the kind of joke a Microsoft software product is, so just relax a bit, OK? And these professors from Johns Hopkins and the NSA: wait a week and see what they say at Black Hat. Then you'll know.

If it is just a PR hit job (and I think there are indicators that it might be), then we will all have forgotten about this in a few days. The presentation may or may not happen, but then no one will remember. That's if it's only a PR hit job. This thread will be dead in a day or two.
 
An example of why having admin privileges running everywhere isn't good. Safari runs as admin. I break into Safari, and inject my code. I now have read/write/execute access to pretty much everywhere. I can do the following that I couldn't do without admin privileges:

1) Over-write contacts with spam. Or perhaps just change contacts subtly so that the user doesn't notice it, and then when they are synced, they don't stop the iPhone from syncing those changes (i.e. changing a telephone number by one digit).
2) Change configuration files. This can be done either in a minor, harassing manner (constantly reset the default ringtone), or in such a way that the iPhone is "bricked" until a restore is done.
3) Delete other programs.

A true security researcher could probably think of more... I'm a mere software engineer and news/rumor editor. But those should be enough to point out that admin privileges should only be given when necessary and never by default.


#1 is true even without admin access, unless you're going to require a password every time a user changes or saves a contact. The others would be isolated by a less-than-admin account. However, you fail to address the substance of my post: that every Mac ships with admin privileges by default.
Why is this, all of a sudden, a major architectural security flaw? And on a phone designed as a single-user device, no less. The "security design flaws" (scare quotes) are being blown way out of proportion. This is a buffer overflow exploit issue (if there's even an exploit). Try to bring a little skepticism to this. They're claiming to be able to add features to the iPhone that everyone wants and no one has delivered, through a buffer overrun exploit.
 
Independent Security Evaluators has a sparse website. No mention of exactly what they do, or how they make a profit. (Microsoft payments?) They are all of 2 years old. Would you take security advice from a 2 year old?

You just won my "the most idiotic comment on MacRumors"-award. Should they start their company, and then twiddle their thumbs for about 25 years, because only then will people take you seriously? By your logic:

F-Secure is 19 years old. Most 19-year-olds are idiots; would you take security advice from one? Panda Software is 17 years old. Kaspersky Lab is 10 years old, how can they know anything about viruses or security?! When Apple introduced the iPod, it used a CPU from PortalPlayer. Back then PP was just two years old, how could Apple buy a CPU from a two-year-old?!?!?

They only list two employees on the website.

And Bruce Schneier is just a one guy. Clearly, he's even less useful than these guys!

iPhone is a huge hit and those who have a lot to loose will stop at nothing to slow it down. If they can...

It's "lose", not "loose". But you are right: this MUST be some kind of MASSIVE anti-Apple/iphone conspiracy! Nothing else makes sense!

:rolleyes:
 
Yes, I would say they are.

By merely having a similar viewpoint? Anyone who ever agrees with Microsoft on anything is automatically a paid shill of Microsoft?

Yes, I know for a fact.

You do eh? Let's hear them then.

The security differences between Mac OS X and Windows are striking.

Well, that's your opinion. But I asked for _facts_.

Certainly the fact that Mac OS X is a minority OS is significant

So you are agreeing with them? Doesn't that make you a Microsoft sock-puppet? Quick, burn him!

Sure, they have. And in recent years Microsoft has been engaging in these PR hit jobs too.

So, you are claiming that if some company finds a security-flaw in an Apple-product (in this case the iPhone), it's a "Microsoft PR hit job"?

No, I don't care if they make Apple look bad. I have no doubt there are serious bugs in the iPhone.

But if someone else than Apple finds one, they are being paid by Microsoft to make Apple look bad, right?

However, the claims made are a bit far fetched

Are you an expert on this field? Do you have detailed insight to their methods and results? No? Then how can you make a claim like that?

Recording and communicating voice over the internet is functionality many would love to have on their iPhone through Web 2.0 apps.

And maybe such functionality is possible on the iPhone?
 
...
1) Overwriting my contacts - fixed by sync or restore
...
All of these are minor annoyances. Since the phone currently is "read-only"... i.e. doesn't really contain but a *copy* of your important stuff - it can be wiped at any time without worrying about it too much.
...

You can edit contacts on the phone. As I described in my post above, a malicious program could be written in such a way that it mildly edits your contacts so you don't notice the change, and then when you sync, your address book on your computer is changed as well. You would then have to manually change it back unless you have a backup copy.

My point is not so much regarding the current state of matters. Obviously, the only current exploits are not in the wild. However, Apple needs to do a better job in programming with a security-based mindset, or such exploits as I described are very possible by any hacker worth his/her weight (as we have seen on the windows world).
 
Independent Security Evaluators has a sparse website. No mention of exactly what they do, or how they make a profit. (Microsoft payments?) They are all of 2 years old. Would you take security advice from a 2 year old?

They only list two employees on the website. They do have a page for people looking for a job, but they don't mention what the job description is. This creates the illusion that they are a GROWING company...<cut>


What this all boils down to is a simple publicity play for these yahoos at Independent Security Evaluators. <cut>

"What this all boils down to is a simple publicity play for these yahoos at Independent Security Evaluators."

- Exactly what I believe is going on. It's just a cheap publicity exploit. It's pointless arguing about whether it's a flaw in iPhones, Apples, PCs or every man-made device, and too many people here are focusing on that side too much.

It's about how this itty-bitty startup is grasping at a chance for 15 minutes of free publicity riding on another company's reputational coat tails.... that's the real rub.
 
"What this all boils down to is a simple publicity play for these yahoos at Independent Security Evaluators."

- Exactly what I believe is going on. It's just a cheap publicity exploit. It's pointless arguing about whether it's a flaw in iPhones, Apples, PCs or every man-made device, and too many people here are focusing on that side too much.

It's about how this itty-bitty startup is grasping at a chance for 15 minutes of free publicity riding on another company's reputational coat tails.... that's the real rub.

If this is the level of security knowledge of Apple users - let the games begin! I mean this is bypassing the koolaid and going right to sucking on Jobs' nipple. :D
 
If this is the level of security knowledge of Apple users - let the games begin! I mean this is bypassing the koolaid and going right to sucking on Jobs' nipple. :D


Perhaps I've had too much Jobs milk, but my impression is that what David Blaine does isn't real either. But I'm sure you think it looks so real.

Safari has crashing issues, which indicates that a buffer overrun exploit might be possible. However, the claims made by this company just border on the absurd. The machinations they go through to show they love the iPhone are a bit of overacting (thou doth protest too strongly). Finally, we Mac users have seen this b*llsh*t for decades. Step 1) put out a sensationalist press release; Step 2) get lots of press and fame over nothing; Step 3) there's no step 3. No one ever follows up to see what all the hype was about.

On the other hand we also see lots of vulnerabilities go through the normal channels. Step 1) Report them through OIS or another usual vulnerability reporting channel; Step 2) no fame for the reporter except an acknowledgment buried in a software update FAQ somewhere; Step 3) the vulnerability hole is plugged by the vendor (Apple in this case).
 
Are you an expert on this field? Do you have detailed insight to their methods and results? No? Then how can you make a claim like that?

I don't know about Rob, but I am an expert in the field of information security. This company's claims are extremely suspect. Let's take a look at exactly what they claim and what they show, shall we?

First, they claim arbitrary code execution. They then break this down into two sub-exploits. The first is an information disclosure flaw. "The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection." Doesn't sound like code execution to me, but whatever.

The second sub-exploit they list involves "[performing] physical actions on the phone". They specifically state they were able to "make a system sound and vibrate the phone for a second".

Second, they claim these exploits can be delivered via the phone automatically connecting to WiFi access points.



Now, what they actually show.

They show a video of someone retrieving data off of the iPhone. That much is clear. What isn't clear is whether they used the information disclosure technique that hit Full Disclosure (a security mailing list) a week ago. It looks very much like they do. If so, this isn't a "remote code execution" flaw, but instead a simple information disclosure flaw, albeit a rather serious one. Even so, the people on Full Disclosure largely dismissed it, since other phones have similar functionality.

They don't actually show the phone performing any "physical actions", but their described accomplishment and the theoretical scenarios that follow sound an awful lot like the things that Apple's web API was described as allowing. You know, having a web-based contact list and dialing the phone app directly from it. Things like that. Yes, they are literally crediting themselves with discovering Apple's public API for the phone. "Alternatively, by using other API functions we discovered, the exploit could have dialed phone numbers, sent text messages, or recorded audio ..." (emphasis mine).

Now, for perhaps the most irritating part of their claims. They act like the iPhone is somehow magically vulnerable to attacks involving associating to malicious APs. Look up AirPwn some time. That tool does exactly what they describe. It inserts malicious code into every page. This isn't an iPhone flaw. If anything, it's a flaw in the 802.11* suite of protocols.



So in short, based on the evidence they have given us so far, there is no remote code execution exploit. At the very least, all of their exploits require user interaction and are therefore local. Even using the contorted version of "remote" used to classify OpenBSD's second hole (a flaw that could only be exploited from the same network segment), these still are in no way remote. Calling them that is disingenuous at best, and in this case, more like an outright lie. They should know better.
 
They're not the jokers but there's definitely a major joker in this scenario. :p

Yes, the joke was, "Hey JHU students/grads, first 3 people to hack into an iPhone all get FREE iPhones!"

"YAAAAAAAY"

2 Weeks later......... iPhone hacked. Professor out $1800.

And no, JHU is not owned by Bill Gates or Microsoft, although you could make a good case that they are owned by the Federal Government as I believe they receive more Federal research grant money than any other university in the nation and the professor in this case is an ex-NSA (National Security Agency) employee (it's right near Baltimore, shhhhh, seeeecret).

Doubtful they got a research grant for this though. :)
 
No, that is not a "big difference". Besides: which company wrote the software (OS X) that has this bug? I believe the name starts with "A" and ends with "e".

Well, technically, making a flaw and missing a flaw are significantly different, since they didn't actively go out and say "hey, let's make this flaw!" but rather it's a failing in a certain design that they overlooked. But anyway, I nitpick :p

Well I'd say it's better to have ethical hackers find this flaw before virtual lowlifes start messing with people's phones. This is just like the Quicktime and OS X security updates for our computers. What's all the hubbub? Not sure if it's real or not, but since I don't own an iPhone, I guess I'll live if it is.
 
I don't know about Rob, but I am an expert in the field of information security. This company's claims are extremely suspect. Let's take a look at exactly what they claim and what they show, shall we?

First, they claim arbitrary code execution. They then break this down into two sub-exploits. The first is an information disclosure flaw. "The compromised iPhone then sent personal data including SMS text messages, contact information, call history, and voice mail information over this connection." Doesn't sound like code execution to me, but whatever.
.

Wow... you are an expert in information security but you just really don't get it. What do you think arbitrary code execution is? It's a crafted buffer overflow that allows the execution of arbitrary (i.e. whatever the exploit author chooses) machine code. This is a textbook security vulnerability and this first sub-exploit you mention is just that -- arbitrary code execution. The personal information sent from the iPhone isn't transmitted over any "web API calls", it's done by instructing the phone/machine (via the buffer overflow) to open a socket (via a system call) and send the data as bytes to an IP address of their choosing (via more system calls). Did you actually read the tech report?
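Two posts in this thread turn on the same mechanics: the earlier remark that Apple's browser code uses unsafe string copies with no buffer checks, and the post just above defining arbitrary code execution as a crafted buffer overflow. The C program below is an added example, not from either poster and not from the ISE report, that models what they are describing: an unchecked copy into a fixed stack buffer spilling onto the control data next to it, beside the bounds-checked version. The frame layout, the placeholder return-address value and the two inputs are constructed for the demo; nothing here is the actual Safari bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame: a fixed-size buffer with the control data that
 * sits just above it in memory. A 32-bit field stands in for the saved return
 * address; on a real stack it is this adjacency that lets an overflow
 * redirect execution. */
struct frame {
    char     host[16];
    uint32_t saved_ret;
};
_Static_assert(sizeof(struct frame) == 20, "no padding between host and saved_ret");

#define CLEAN_RET 0x08001000u   /* constructed stand-in for a legitimate return address */

static void frame_init(struct frame *f)
{
    memset(f->host, 0, sizeof f->host);
    f->saved_ret = CLEAN_RET;
}

/* The vulnerable pattern: copy whatever the caller supplied, never consulting
 * the destination size. A real strcpy(f->host, src) does exactly this; the
 * demo writes into the object representation of the whole frame and caps the
 * length at sizeof *f only so the write stays inside a defined object and
 * cannot take the process down. Everything past host[15] lands on saved_ret. */
static void copy_host_unchecked(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* The fix: measure first, reject anything that will not fit with its NUL,
 * and leave the frame untouched on rejection. Returns 0 on success, -1 if
 * rejected. Truncating with snprintf(host, sizeof host, "%s", src) and
 * checking its return value is the other acceptable policy. */
static int copy_host_checked(struct frame *f, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof f->host)
        return -1;
    memcpy(f->host, src, len + 1);
    return 0;
}

/* Helpers: run one copy on a fresh frame and report what happened to the
 * control data, or whether the checked copy accepted the input. */
static uint32_t ret_after_unchecked(const char *input)
{
    struct frame f;
    frame_init(&f);
    copy_host_unchecked(&f, input);
    return f.saved_ret;
}

static uint32_t ret_after_checked(const char *input)
{
    struct frame f;
    frame_init(&f);
    (void)copy_host_checked(&f, input);
    return f.saved_ret;
}

static int checked_accepts(const char *input)
{
    struct frame f;
    frame_init(&f);
    return copy_host_checked(&f, input) == 0;
}

int main(void)
{
    /* Constructed inputs: a benign host name, and an attacker string that
     * fills the 16-byte buffer and spills four 'B' (0x42) bytes onto saved_ret. */
    const char *benign = "www.example.com";
    const char *evil   = "AAAAAAAAAAAAAAAABBBB";

    printf("unchecked, benign: saved_ret = 0x%08x\n", ret_after_unchecked(benign));
    printf("unchecked, evil:   saved_ret = 0x%08x\n", ret_after_unchecked(evil));
    printf("checked,   evil:   accepted=%d saved_ret = 0x%08x\n",
           checked_accepts(evil), ret_after_checked(evil));
    return 0;
}
```

A real write past the end of a stack array is undefined behaviour and usually aborts under a stack protector, which is why the demo stops the write at the frame boundary instead of letting it run off the struct. On the "secure" functions point made earlier in the thread: the `_s` family (strcpy_s and friends) is an optional C11 annex that glibc and Apple's libc do not implement, so on those platforms the bounded copy is the explicit length check shown here, strlcpy where the platform provides it, or snprintf with its return value checked for truncation.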
 
Wow... you are an expert in information security but you just really don't get it. What do you think arbitrary code execution is? It's a crafted buffer overflow that allows the execution of arbitrary (i.e. whatever the exploit author chooses) machine code. This is a textbook security vulnerability and this first sub-exploit you mention is just that -- arbitrary code execution. The personal information sent from the iPhone isn't transmitted over any "web API calls", it's done by instructing the phone/machine (via the buffer overflow) to open a socket (via a system call) and send the data as bytes to an IP address of their choosing (via more system calls). Did you actually read the tech report?

Yes, I certainly did read the report. They made no mention of how they got the information off of the phone. The CVE likewise does not explain it. Various groups claimed to have found a set of web API calls that send information to arbitrary servers.

Where exactly did you read that it was done through a buffer overflow? The entire document that they published makes no reference to "buffer", "overflow", "overrun" or any combination thereof. In fact, the main reason I call this simple fearmongering is that they provide literally no details about their exploit. They go to the media and say that they have an exploit, but then they don't let the rest of the community see it so we can't evaluate the real risks. CVE lists the severity as a 9.3 out of 10, and it's completely unconfirmed at this point! No details. No proof of concept. It certainly hasn't been seen in the wild yet as far as I can tell.

So now, we are left with a series of questions. Do you have some inside information? Have they published something besides what is on their websites? Has another group somehow discovered the same exploit and published a more detailed description (this is entirely possible, though I haven't heard anything about it yet)?

My information was based on what they have released to the public. What's yours based on?
 
I don't have any more information than you do. A few points:

  1. Use Google to query the string "iphone buffer overflow".
  2. Maybe you don't understand what is happening in the video that was posted... they load a web page that simultaneously crashes Safari and runs their code. Seems what's going on is pretty clear to me.
  3. Another clue: the report says the vulnerability also exists in OS X Safari and Windows Safari. If this doesn't mean anything to you - you don't get it.
  4. The full vulnerability will be revealed at Black Hat. By then Apple can patch Safari. That's why you can't see it now -- not because it doesn't exist.

Denial doesn't make systems any more secure. This could have happened on any other device just as easily. There is no need to get excited or defensive about it.
 