toggle

AAPL Stock: 100.58 ( + 0.01 )

Printed from http://www.macnn.com

Analyst: iPhone patching has been botched

updated 04:35 pm EDT, Wed July 16, 2008

Apple slow on iPhone patch

Apple left the iPhone exposed to a serious vulnerability for months despite knowing how to fix it, a security analyst alleges. Charlie Miller of Independent Security Evaluators notes that while the iPhone 2.0 firmware has since fixed the problem, for over three months, the v1.x firmware was vulnerable to the same WebKit exploit used to hack a MacBook Air within two minutes. The feat earned him $10,000 from TippingPoint Technologies.

Miller says that although he attempted to tell Apple about the suspected iPhone vulnerability, the company complained in response as recently as two weeks ago, when he mentioned the flaw to the Washington Post. "They said I should have reported this to Apple security rather than to the Washington Post," according to Miller. "I told them 'I gave you the exploit, what else do you want me to do?'"

Apple is said to have in fact denied the seriousness of the problem in the iPhone OS, labeling it different from the one that affected Mac OS X. The company backed up its statement by saying it had run Miller's exploit without trouble, but Miller claims that Apple neglected to run a final essential line.

Miller also charges that Apple has been slow in coping with iPhone vulnerabilities as rule, given that five of the 13 security holes fixed in iPhone 2.0 were patched for Mac OS X between March and June. ""Not every single Safari bug will also be on the iPhone, but almost every WebKit bug will," he says. "If they're going to patch Mac OS X, I don't see why they can't patch the iPhone at the same time."




by MacNN Staff

toggle

Comments

  1. robttwo

    Joined: Dec 1969

    +1

    damn serious

    Wow, this must have been damn serious, considering the thousands and thousands of iPhone that fell victim to this exploit. Oh wait, does anyone know of any that did? Raise your hands...uh...anyone?

    These "professional exploiters" are just getting boring. Of course, it doesn't benefit Charlie's company at all if he can manufacture a climate where people are super paranoid now does it??

    Doofuses.

  1. Guest

    Joined: Dec 1969

    0

    Security Concerns

    Sounds like he is blowing his own horn. Does anyone know of any problems with this security problem?

  1. horvatic

    Joined: Dec 1969

    +1

    Sensationalism story

    Wow, yet not one iPhone was ever compromised. If Apple thought for a second that this security issue was so damn important and so obvious, they would have made a special patch. I really don't think anyone was in danger and in reality this is one of those sensationalist stories trying to make a mountain out of a mole hill.

  1. G4_Kessel

    Joined: Dec 1969

    0

    ...

    BLA BLA BLA

  1. ViktorCode

    Joined: Dec 1969

    0

    Vulnerable or Exploitable

    Mr Miller suggests that any vulnerability means imminent appearance of exploit for it. Statistics prove him wrong though. Writing an exploit is far more complicated task than just discovering unsafe call in open source code that might lead to, say, buffer overflow. Until you actually write the exploit that will work outside of the lab on broad range of configurations you have nothing substantial to boast about.

    Speaking of boasts, why Mr Miller hasn't demonstrated iPhone he hacked by exploiting this "serious vulnerability"? Maybe because this exploit couldn't do nothing more dangerous than crashing Safari if user visited maliciously crafted web page? Or he failed to do even that?

    What you have to remember is that there are hundreds of open vulnerabilities on any OS. The difference is what actual exploit can do. Say, on Windows machine browser vulnerability could cost you all browser stored passwords while on other systems the result will be quite different. Counting vulnerabilities on different OSes and then bluntly comparing the numbers is the worst security analysis I've seen in IT. Yet, "security experts" have to make money for living somehow...

  1. shigzeo

    Joined: Dec 1969

    +2

    theoretical safety

    still it would be nice if apple did work on patching even theoretical exploits soon. i don't care if all it is bad press and yellow journalism, i am tired of hearing about security problems with our secure os and os phone. i want to be safe, not just be theoretically safe

  1. testudo

    Joined: Dec 1969

    -2

    Of course

    Leave it to the bashers to complain not about the lack of security patching, but saying "Well, no one was exploited, so it isn't a problem!". You set up a security policy to keep from being exploited, you don't wait until there is actually an exploit and then say "Oh, yeah, we knew about that, I guess we should fix it now".

    Oh, and apparently Apple thought enough to patch it in OS X. Should they not have bothered with that, since no one had an exploit there, either?

    You all would be slamming MS if their policy seemed to be "We'll patch it when an exploit arrives, not just because some doofus says he found an exploit".

  1. jdonahoe

    Joined: Dec 1969

    +3

    Apple may have gotten

    Apple may have gotten lucky, for now. As the iPhone becomes more ubiquitous, hackers WILL start trying to mess up the phone and people with all manner of exploits. Apple should be vigilant, if only for appearance.

  1. ophiochos

    Joined: Dec 1969

    0

    shooting the messenger

    if people like this guy were exploiting instead of publicising, SOMEONE would be worse off. Has it occurred to most of these posters that what he says is correct? What if it is? Or are you informed of all the pertinent facts? Quick to judge, aren't we?

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Life n Soul 8 Driver Bluetooth headphones

When it comes to music on the go, consumers generally have some options to consider when looking for the best experience. While Blueto ...

Pure Jongo T2 wireless speaker

Multi-room audio compatibility is a key metric for wireless sound systems these days. The entry cost into a house-spanning system can ...

Logitech Z213 multimedia speakers

Desktop computer speakers sit in a weird area of limbo: many consumers have forgone the era of desktop listening for the privacy and v ...

toggle

Most Commented