MacUpdate Weekend Sale :This weekend MacUpdate has slashed prices on Painter 12 and Painter Lite. Painter 12 retails for $429, but has been reduced by 54% to $199. Painter Lite has seen a 58% price cut from $69 to $29. Hurry, because these deals are only available until May 19th 2013.      
toggle

AAPL Stock: 433.26 ( -1.32 )

http://www.macnn.com/articles/08/07/16/apple.slow.on.iphone.patch/

Analyst: iPhone patching has been botched

updated 04:35 pm EDT, Wed July 16, 2008

 

Apple slow on iPhone patch


Apple left the iPhone exposed to a serious vulnerability for months despite knowing how to fix it, a security analyst alleges. Charlie Miller of Independent Security Evaluators notes that while the iPhone 2.0 firmware has since fixed the problem, for over three months, the v1.x firmware was vulnerable to the same WebKit exploit used to hack a MacBook Air within two minutes. The feat earned him $10,000 from TippingPoint Technologies.

Miller says that although he attempted to tell Apple about the suspected iPhone vulnerability, the company complained in response as recently as two weeks ago, when he mentioned the flaw to the Washington Post. "They said I should have reported this to Apple security rather than to the Washington Post," according to Miller. "I told them 'I gave you the exploit, what else do you want me to do?'"

Apple is said to have in fact denied the seriousness of the problem in the iPhone OS, labeling it different from the one that affected Mac OS X. The company backed up its statement by saying it had run Miller's exploit without trouble, but Miller claims that Apple neglected to run a final essential line.

Miller also charges that Apple has been slow in coping with iPhone vulnerabilities as rule, given that five of the 13 security holes fixed in iPhone 2.0 were patched for Mac OS X between March and June. ""Not every single Safari bug will also be on the iPhone, but almost every WebKit bug will," he says. "If they're going to patch Mac OS X, I don't see why they can't patch the iPhone at the same time."


by MacNN Staff

Post tools:

TAGS :

 iPhone, security, iPhone 2.0, iPod.iPod touch, Apple

Related Articles

Recent Articles

toggle

Comments

  1. robttwo

    Fresh-Faced Recruit

    Joined: Nov 2005

    +1
    07/16, 05:36pm | report spam | (1 reply) Reply |

    damn serious

    Wow, this must have been damn serious, considering the thousands and thousands of iPhone that fell victim to this exploit. Oh wait, does anyone know of any that did? Raise your hands...uh...anyone?

    These "professional exploiters" are just getting boring. Of course, it doesn't benefit Charlie's company at all if he can manufacture a climate where people are super paranoid now does it??

    Doofuses.

  1. Guest

    Fresh-Faced Recruit

    Joined: Nov 1999

    0
    07/16, 05:37pm | report spam | Reply |

    Security Concerns

    Sounds like he is blowing his own horn. Does anyone know of any problems with this security problem?

  1. horvatic

    Fresh-Faced Recruit

    Joined: Apr 2002

    +1
    07/16, 05:43pm | report spam | Reply |

    Sensationalism story

    Wow, yet not one iPhone was ever compromised. If Apple thought for a second that this security issue was so damn important and so obvious, they would have made a special patch. I really don't think anyone was in danger and in reality this is one of those sensationalist stories trying to make a mountain out of a mole hill.

  1. G4_Kessel

    Fresh-Faced Recruit

    Joined: Jan 2003

    0
    07/16, 08:38pm | report spam | Reply |

    ...

    BLA BLA BLA

  1. ViktorCode

    Fresh-Faced Recruit

    Joined: Jan 2006

    0
    07/17, 07:09am | report spam | Reply |

    Vulnerable or Exploitable

    Mr Miller suggests that any vulnerability means imminent appearance of exploit for it. Statistics prove him wrong though. Writing an exploit is far more complicated task than just discovering unsafe call in open source code that might lead to, say, buffer overflow. Until you actually write the exploit that will work outside of the lab on broad range of configurations you have nothing substantial to boast about.

    Speaking of boasts, why Mr Miller hasn't demonstrated iPhone he hacked by exploiting this "serious vulnerability"? Maybe because this exploit couldn't do nothing more dangerous than crashing Safari if user visited maliciously crafted web page? Or he failed to do even that?

    What you have to remember is that there are hundreds of open vulnerabilities on any OS. The difference is what actual exploit can do. Say, on Windows machine browser vulnerability could cost you all browser stored passwords while on other systems the result will be quite different. Counting vulnerabilities on different OSes and then bluntly comparing the numbers is the worst security analysis I've seen in IT. Yet, "security experts" have to make money for living somehow...

  1. shigzeo

    Fresh-Faced Recruit

    Joined: Mar 2008

    +2
    07/17, 07:39am | report spam | Reply |

    theoretical safety

    still it would be nice if apple did work on patching even theoretical exploits soon. i don't care if all it is bad press and yellow journalism, i am tired of hearing about security problems with our secure os and os phone. i want to be safe, not just be theoretically safe

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -2
    07/17, 08:38am | report spam | (1 reply) Reply |

    Of course

    Leave it to the bashers to complain not about the lack of security patching, but saying "Well, no one was exploited, so it isn't a problem!". You set up a security policy to keep from being exploited, you don't wait until there is actually an exploit and then say "Oh, yeah, we knew about that, I guess we should fix it now".

    Oh, and apparently Apple thought enough to patch it in OS X. Should they not have bothered with that, since no one had an exploit there, either?

    You all would be slamming MS if their policy seemed to be "We'll patch it when an exploit arrives, not just because some doofus says he found an exploit".

  1. jdonahoe

    Fresh-Faced Recruit

    Joined: Jul 2006

    +3
    07/17, 11:44am | report spam | Reply |

    Apple may have gotten

    Apple may have gotten lucky, for now. As the iPhone becomes more ubiquitous, hackers WILL start trying to mess up the phone and people with all manner of exploits. Apple should be vigilant, if only for appearance.

  1. ophiochos

    Fresh-Faced Recruit

    Joined: Nov 2006

    0
    07/26, 08:34pm | report spam | Reply |

    shooting the messenger

    if people like this guy were exploiting instead of publicising, SOMEONE would be worse off. Has it occurred to most of these posters that what he says is correct? What if it is? Or are you informed of all the pertinent facts? Quick to judge, aren't we?

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Brother HL-3170CDW LED Printer

We've mentioned before that we are far from a paperless society. For now, at least, there are tasks that require a piece of paper for ...

HTC One

It is hard to overstate just how critically important the HTC One is to the Taiwanese company’s fortunes. Despite its alarming decline ...

Samsung Galaxy S 4

Samsung's new flagship Android smartphone, the Galaxy S 4, faces even stiffer competition than its popular predecessor. With a five-in ...

toggle

Most Commented

 

Popular News