07/16/2008, 4:35pm, EDT
Wednesday, July 16th
Analyst: iPhone patching has been botched
Apple left the iPhone exposed to a serious vulnerability for months despite knowing how to fix it, a security analyst alleges. Charlie Miller of Independent Security Evaluators notes that while the iPhone 2.0 firmware has since fixed the problem, for over three months, the v1.x firmware was vulnerable to the same WebKit exploit used to hack a MacBook Air within two minutes. The feat earned him $10,000 from TippingPoint Technologies.
Miller says that although he attempted to tell Apple about the suspected iPhone vulnerability, the company complained in response as recently as two weeks ago, when he mentioned the flaw to the Washington Post. "They said I should have reported this to Apple security rather than to the Washington Post," according to Miller. "I told them 'I gave you the exploit, what else do you want me to do?'"
Apple is said to have in fact denied the seriousness of the problem in the iPhone OS, labeling it different from the one that affected Mac OS X. The company backed up its statement by saying it had run Miller's exploit without trouble, but Miller claims that Apple neglected to run a final essential line.
Miller also charges that Apple has been slow in coping with iPhone vulnerabilities as a rule, given that five of the 13 security holes fixed in iPhone 2.0 were patched for Mac OS X between March and June. "Not every single Safari bug will also be on the iPhone, but almost every WebKit bug will," he says. "If they're going to patch Mac OS X, I don't see why they can't patch the iPhone at the same time."
Filed under: iPhone, security, Apple
Other story tags: iPhone 2.0, iPod.iPod touch
damn serious
Wow, this must have been damn serious, considering the thousands and thousands of iPhones that fell victim to this exploit. Oh wait, does anyone know of any that did? Raise your hands...uh...anyone?
These "professional exploiters" are just getting boring. Of course, it doesn't benefit Charlie's company at all if he can manufacture a climate where people are super paranoid now does it??
Doofuses.
Security Concerns
Sounds like he is blowing his own horn. Does anyone know of any problems with this security problem?
Sensationalism story
Wow, yet not one iPhone was ever compromised. If Apple thought for a second that this security issue was so damn important and so obvious, they would have made a special patch. I really don't think anyone was in danger and in reality this is one of those sensationalist stories trying to make a mountain out of a molehill.
...
BLA BLA BLA
Vulnerable or Exploitable
Mr Miller suggests that any vulnerability means the imminent appearance of an exploit for it. Statistics prove him wrong though. Writing an exploit is a far more complicated task than just discovering an unsafe call in open source code that might lead to, say, a buffer overflow. Until you actually write the exploit that will work outside of the lab on a broad range of configurations you have nothing substantial to boast about.
Speaking of boasts, why hasn't Mr Miller demonstrated an iPhone he hacked by exploiting this "serious vulnerability"? Maybe because this exploit couldn't do anything more dangerous than crashing Safari if a user visited a maliciously crafted web page? Or he failed to do even that?
What you have to remember is that there are hundreds of open vulnerabilities on any OS. The difference is what an actual exploit can do. Say, on a Windows machine a browser vulnerability could cost you all browser stored passwords while on other systems the result will be quite different. Counting vulnerabilities on different OSes and then bluntly comparing the numbers is the worst security analysis I've seen in IT. Yet, "security experts" have to make money for a living somehow...
theoretical safety
Still it would be nice if Apple did work on patching even theoretical exploits soon. I don't care if all it is is bad press and yellow journalism, I am tired of hearing about security problems with our secure OS and OS phone. I want to be safe, not just be theoretically safe.
Of course
Leave it to the bashers to complain not about the lack of security patching, but saying "Well, no one was exploited, so it isn't a problem!". You set up a security policy to keep from being exploited, you don't wait until there is actually an exploit and then say "Oh, yeah, we knew about that, I guess we should fix it now".
Oh, and apparently Apple thought enough to patch it in OS X. Should they not have bothered with that, since no one had an exploit there, either?
You all would be slamming MS if their policy seemed to be "We'll patch it when an exploit arrives, not just because some doofus says he found an exploit".
Apple may have gotten
Apple may have gotten lucky, for now. As the iPhone becomes more ubiquitous, hackers WILL start trying to mess up the phone and people with all manner of exploits. Apple should be vigilant, if only for appearance.
shooting the messenger
If people like this guy were exploiting instead of publicising, SOMEONE would be worse off. Has it occurred to most of these posters that what he says is correct? What if it is? Or are you informed of all the pertinent facts? Quick to judge, aren't we?