|
|
Forbes Reports SMS Bug Allows Attacker to Take Over iPhone
|
|
|
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
In this article, Forbes magazine is reporting that security researchers have found that there's a "buffer overflow" flaw in iPhones' handling of SMS messages, that, much like old Windows flaws, allows the attacker to run arbitrary code (that's Very Bad) on the phone. Since text messages don't require action on the part of the receiving phone's owner to display, this attack seems to be the first "OS X-like" arbitrary attack that actually works...
Me, I'm turning off text messages; it's cheaper for me anyway. But what about people who "depend on" texts?
|
Glenn -----OTR/L, MOT, Tx
|
|
|
|
|
|
|
|
Dedicated MacNNer
Join Date: Jun 2006
Location: Chicago
Status:
Offline
|
|
It'll be very interesting to see what happens after the SMS vulnerability is described at today's Black Hat Conference...
|
|
|
|
|
|
|
|
|
Mac Elite
Join Date: May 2001
Location: Manchester, UK
Status:
Offline
|
|
This was the front page headline on the free newspaper read by thousands of Manchester commuters this morning ('Metro').
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status:
Offline
|
|
Free yes, but "news"paper? That's a bit of a stretch isn't it?
Anyway, seems that Apple is going to need to pull their fingers out and release a patch for this as soon as possible. Which brings up an interesting question, I wonder how easy it is for them to release Security Updates for the iPhone OS? Is the update mechanism capable of handling small patches or will it require a full OS upgrade meaning that we will have to wait for OS 3.1 before this is fixed?
I also hope that they fix it for any OS 2.x laggards as well.
|
|
|
|
|
|
|
|
|
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status:
Offline
|
|
I guess Apple have answered that question about their ability to produce small update patches for me and it is no, they can't. They've just released a 230.1MB download (OS 3.0.1) to fix a single bug in one small component of the OS.
It doesn't look like a fix is being released for 2.x users either (at least, not yet).
|
|
|
|
|
|
|
|
|
Dedicated MacNNer
Join Date: Jun 2006
Location: Chicago
Status:
Offline
|
|
Originally Posted by JKT
It doesn't look like a fix is being released for 2.x users either (at least, not yet).
Has anyone verified that this flaw affect v2? Or is it v3 only?
|
|
|
|
|
|
|
|
|
Senior User
Join Date: Nov 2003
Status:
Offline
|
|
Originally Posted by JKT
I guess Apple have answered that question about their ability to produce small update patches for me and it is no, they can't. They've just released a 230.1MB download (OS 3.0.1) to fix a single bug in one small component of the OS.
I wonder if that is also the reason why they are hesitant to push security fixes until the **** hits the fan.
Getting those updates out to the ~15 million (wild guess) active iPhones via Akamai isn't free after all…
|
"The road to success is dotted with the most tempting parking spaces."
|
|
|
|
|
|
|
|
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status:
Offline
|
|
But why does pushing a simple bug fix require them to serve up 230 MB for every phone? Is that really the best way to do it?
|
•
|
|
|
|
|
|
|
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
Is that 230MB just to fix the bug they mention? Is it more? I have to think there's a LOT more than just that bug fix.
|
Glenn -----OTR/L, MOT, Tx
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
|
|
|
|
|
|
|
|
|
|
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
Originally Posted by Apple
Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Technical University Berlin for reporting this issue.
So it would seem that 3.0.1 does address this vulnerability. The response was actually pretty quick, I think.
But why doesn't iTunes automatically offer to install the update? I had to click the button (that said my next update check was on Tuesday) to get the update installed. Shouldn't a security fix be pushed?
|
Glenn -----OTR/L, MOT, Tx
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
|
|
Originally Posted by ghporter
But why doesn't iTunes automatically offer to install the update? I had to click the button (that said my next update check was on Tuesday) to get the update installed. Shouldn't a security fix be pushed?
I'm not sure if there's a push mechanism for updates.
iTunes seems to be preset to check only on a weekly basis.
-t
|
|
|
|
|
|
|
|
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
Originally Posted by turtle777
iTunes seems to be preset to check only on a weekly basis.
This is problematic at best. Any security issue fix should be pushed; maybe iTunes needs a patch too...
Update just finished, and iTunes still says it'll check for updates on 8/4/09.
|
Glenn -----OTR/L, MOT, Tx
|
|
|
|
|
|
|
|
Senior User
Join Date: Dec 2005
Status:
Offline
|
|
Originally Posted by ghporter
This is problematic at best. Any security issue fix should be pushed; maybe iTunes needs a patch too...
I agree with that. Any important security patch should be notified to the user as soon as it's out. The person could be attacked in the mean time because news travels fast now that we have the internet and the bad people will know about the exploit probably before the average non-computer savvy user would.
|
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status:
Offline
|
|
Originally Posted by EndlessMac
I agree with that. Any important security patch should be notified to the user as soon as it's out. The person could be attacked in the mean time because news travels fast now that we have the internet and the bad people will know about the exploit probably before the average non-computer savvy user would.
I dunno. I would think it would be kind of intrusive if Apple forced those notifications on everybody ASAP. Some people could care less. Others (who are concerned about security) typically find out early on and take measures themselves, until a patch is available.
-t
|
|
|
|
|
|
|
|
|
Senior User
Join Date: Dec 2005
Status:
Offline
|
|
Originally Posted by turtle777
I dunno. I would think it would be kind of intrusive if Apple forced those notifications on everybody ASAP. Some people could care less. Others (who are concerned about security) typically find out early on and take measures themselves, until a patch is available.
-t
The notifications I'm talking about is for the security patches being ready to download and install rather than early informing people there is a problem. And Apple should also have the option for users to opt out of the immediate notice for people like you said who are knowledgeable enough to fix the problems themselves. It's more for the non-savvy computer users that will need the immediate notice that there is a patch available and that they should download it.
People like my Dad are the ones I'm thinking of. He would not have patched any of his computers with security updates if I had not turned on automatic updates. Also for some people like a former co-worker of mine it should be immediate because if the list of updates gets too long she just keeps procrastinating the download and install because they take too long. And yes she's not computer savvy enough to understand the full problem of not protecting her computer.
|
|
|
|
|
|
|
|
|
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Status:
Offline
|
|
Originally Posted by ghporter
Is that 230MB just to fix the bug they mention? Is it more? I have to think there's a LOT more than just that bug fix.
Apparently it fixes just this one bug.
I guess the reason the update is so large is because Apple basically has you download the complete OS image file every time regardless of how much difference there is between the two image files.
There must be some risk involved in downloading modifications only and then having clients built the new OS image on the client side. Maybe the chances of getting garbled OS images that way a just too high. I'm guessing it costs Apple loads of money to do it this way so they probably consider avoiding these risks worth the extra cost.
(
Last edited by Simon; Aug 2, 2009 at 08:09 AM.
Reason: typo)
|
•
|
|
|
|
|
|
|
|
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status:
Offline
|
|
Originally Posted by EndlessMac
The notifications I'm talking about is for the security patches being ready to download and install rather than early informing people there is a problem.
Exactly. Whenever you sync the phone, iTunes should tell you if there's a security update and offer to install it right then. Er hem...Windows does this...
Originally Posted by Simon
Apparently it fixes just this one bug.
I guess the reason the update is so large is because Apple basically has you download the complete OS image file every time regardless of how much difference there is between the two image files.
There must be some risk involved in downloading modifications only and then having clients built the new OS image on the client side. Maybe the chances of getting garbled OS images that way a just to high. I'm guessing it costs Apple loads of money to do it this way so they probably consider avoiding these risks worth the extra cost.
That makes sense. Rather than risk breaking the phone, they reinstall the OS. Time consuming (not that bad), but very safe.
|
Glenn -----OTR/L, MOT, Tx
|
|
|
|
|
|
|
|
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status:
Offline
|
|
But if a machine has bad RAM, couldn't it corrupt the OS installation even if it's a whole package?
It's always somewhat surprising to me when independent programmers find such huge security holes in major corporate software. I know Apple finds a lot of these bugs itself, but these incidents still cause one to wonder whether Apple is insufficiently spending on security audits in the face of record revenues and profits.
|
"The natural progress of things is for liberty to yield and government to gain ground." TJ
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Forum Rules
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|