Forbes Reports SMS Bug Allows Attacker to Take Over iPhone
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 30, 2009, 09:58 AM
 
In this article, Forbes magazine is reporting that security researchers have found that there's a "buffer overflow" flaw in iPhones' handling of SMS messages, that, much like old Windows flaws, allows the attacker to run arbitrary code (that's Very Bad) on the phone. Since text messages don't require action on the part of the receiving phone's owner to display, this attack seems to be the first "OS X-like" arbitrary attack that actually works...

Me, I'm turning off text messages; it's cheaper for me anyway. But what about people who "depend on" texts?

Glenn -----OTR/L, MOT, Tx
     
QSilver
Dedicated MacNNer
Join Date: Jun 2006
Location: Chicago
Jul 30, 2009, 11:13 AM
 
It'll be very interesting to see what happens after the SMS vulnerability is described at today's Black Hat Conference...
     
philm
Mac Elite
Join Date: May 2001
Location: Manchester, UK
Jul 31, 2009, 03:45 AM
 
This was the front page headline on the free newspaper read by thousands of Manchester commuters this morning ('Metro').
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Jul 31, 2009, 07:12 AM
 
Free yes, but "news"paper? That's a bit of a stretch isn't it?

Anyway, seems that Apple is going to need to pull their fingers out and release a patch for this as soon as possible. Which brings up an interesting question, I wonder how easy it is for them to release Security Updates for the iPhone OS? Is the update mechanism capable of handling small patches or will it require a full OS upgrade meaning that we will have to wait for OS 3.1 before this is fixed?

I also hope that they fix it for any OS 2.x laggards as well.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Jul 31, 2009, 03:50 PM
 
I guess Apple have answered that question about their ability to produce small update patches for me and it is no, they can't. They've just released a 230.1MB download (OS 3.0.1) to fix a single bug in one small component of the OS.

It doesn't look like a fix is being released for 2.x users either (at least, not yet).
     
QSilver
Dedicated MacNNer
Join Date: Jun 2006
Location: Chicago
Jul 31, 2009, 05:13 PM
 
Originally Posted by JKT View Post
It doesn't look like a fix is being released for 2.x users either (at least, not yet).
Has anyone verified that this flaw affects v2? Or is it v3 only?
     
moep
Senior User
Join Date: Nov 2003
Aug 1, 2009, 04:53 AM
 
Originally Posted by JKT View Post
I guess Apple have answered that question about their ability to produce small update patches for me and it is no, they can't. They've just released a 230.1MB download (OS 3.0.1) to fix a single bug in one small component of the OS.
I wonder if that is also the reason why they are hesitant to push security fixes until the **** hits the fan.
Getting those updates out to the ~15 million (wild guess) active iPhones via Akamai isn't free after all…
"The road to success is dotted with the most tempting parking spaces."
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Aug 1, 2009, 07:14 AM
 
But why does pushing a simple bug fix require them to serve up 230 MB for every phone? Is that really the best way to do it?
     
ghporter  (op)
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Aug 1, 2009, 07:44 AM
 
Is that 230MB just to fix the bug they mention? Is it more? I have to think there's a LOT more than just that bug fix.

Glenn -----OTR/L, MOT, Tx
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Aug 1, 2009, 03:50 PM
 
The fix is out:

About the security content of iPhone OS 3.0.1

Not bad Apple, that was quick.

-t
     
ghporter  (op)
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Aug 1, 2009, 04:38 PM
 
Originally Posted by Apple
Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Technical University Berlin for reporting this issue.
So it would seem that 3.0.1 does address this vulnerability. The response was actually pretty quick, I think.

But why doesn't iTunes automatically offer to install the update? I had to click the button (that said my next update check was on Tuesday) to get the update installed. Shouldn't a security fix be pushed?

Glenn -----OTR/L, MOT, Tx
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Aug 1, 2009, 04:49 PM
 
Originally Posted by ghporter View Post
But why doesn't iTunes automatically offer to install the update? I had to click the button (that said my next update check was on Tuesday) to get the update installed. Shouldn't a security fix be pushed?
I'm not sure if there's a push mechanism for updates.

iTunes seems to be preset to check only on a weekly basis.

-t
     
ghporter  (op)
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Aug 1, 2009, 04:53 PM
 
Originally Posted by turtle777 View Post
iTunes seems to be preset to check only on a weekly basis.
This is problematic at best. Any security issue fix should be pushed; maybe iTunes needs a patch too...

Update just finished, and iTunes still says it'll check for updates on 8/4/09.

Glenn -----OTR/L, MOT, Tx
     
EndlessMac
Senior User
Join Date: Dec 2005
Aug 1, 2009, 10:36 PM
 
Originally Posted by ghporter View Post
This is problematic at best. Any security issue fix should be pushed; maybe iTunes needs a patch too...
I agree with that. Any important security patch should be notified to the user as soon as it's out. The person could be attacked in the meantime because news travels fast now that we have the internet and the bad people will know about the exploit probably before the average non-computer savvy user would.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Aug 1, 2009, 10:38 PM
 
Originally Posted by EndlessMac View Post
I agree with that. Any important security patch should be notified to the user as soon as it's out. The person could be attacked in the meantime because news travels fast now that we have the internet and the bad people will know about the exploit probably before the average non-computer savvy user would.
I dunno. I would think it would be kind of intrusive if Apple forced those notifications on everybody ASAP. Some people could care less. Others (who are concerned about security) typically find out early on and take measures themselves, until a patch is available.

-t
     
EndlessMac
Senior User
Join Date: Dec 2005
Aug 1, 2009, 10:54 PM
 
Originally Posted by turtle777 View Post
I dunno. I would think it would be kind of intrusive if Apple forced those notifications on everybody ASAP. Some people could care less. Others (who are concerned about security) typically find out early on and take measures themselves, until a patch is available.

-t
The notifications I'm talking about are for the security patches being ready to download and install rather than early informing people there is a problem. And Apple should also have the option for users to opt out of the immediate notice for people like you said who are knowledgeable enough to fix the problems themselves. It's more for the non-savvy computer users that will need the immediate notice that there is a patch available and that they should download it.

People like my Dad are the ones I'm thinking of. He would not have patched any of his computers with security updates if I had not turned on automatic updates. Also for some people like a former co-worker of mine it should be immediate because if the list of updates gets too long she just keeps procrastinating the download and install because they take too long. And yes she's not computer savvy enough to understand the full problem of not protecting her computer.
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Aug 2, 2009, 03:01 AM
 
Originally Posted by ghporter View Post
Is that 230MB just to fix the bug they mention? Is it more? I have to think there's a LOT more than just that bug fix.
Apparently it fixes just this one bug.

I guess the reason the update is so large is because Apple basically has you download the complete OS image file every time regardless of how much difference there is between the two image files.

There must be some risk involved in downloading modifications only and then having clients build the new OS image on the client side. Maybe the chances of getting garbled OS images that way are just too high. I'm guessing it costs Apple loads of money to do it this way so they probably consider avoiding these risks worth the extra cost.
( Last edited by Simon; Aug 2, 2009 at 08:09 AM. Reason: typo)
     
ghporter  (op)
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Aug 2, 2009, 08:04 AM
 
Originally Posted by EndlessMac View Post
The notifications I'm talking about are for the security patches being ready to download and install rather than early informing people there is a problem.
Exactly. Whenever you sync the phone, iTunes should tell you if there's a security update and offer to install it right then. Er hem...Windows does this...

Originally Posted by Simon View Post
Apparently it fixes just this one bug.

I guess the reason the update is so large is because Apple basically has you download the complete OS image file every time regardless of how much difference there is between the two image files.

There must be some risk involved in downloading modifications only and then having clients build the new OS image on the client side. Maybe the chances of getting garbled OS images that way are just too high. I'm guessing it costs Apple loads of money to do it this way so they probably consider avoiding these risks worth the extra cost.
That makes sense. Rather than risk breaking the phone, they reinstall the OS. Time consuming (not that bad), but very safe.

Glenn -----OTR/L, MOT, Tx
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Aug 3, 2009, 09:08 AM
 
But if a machine has bad RAM, couldn't it corrupt the OS installation even if it's a whole package?

It's always somewhat surprising to me when independent programmers find such huge security holes in major corporate software. I know Apple finds a lot of these bugs itself, but these incidents still cause one to wonder whether Apple is insufficiently spending on security audits in the face of record revenues and profits.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     