01/08/2007

Ha Ha ... Crapple iPhone Fixes

I was talking to a friend at Microsoft about the Mac vs. PC debate. Apple seems to promote their products as being virus free - or at least as the commercial would say - there are many more viruses for Windows. OK, but what about the exploits?

My friend was very quick to point out that Apple controls less than 5% of the OS market and because of that few exploits had been written to cripple Apple systems. Well, the iPhone is predicted to be a huge success for Apple, so it isn't very shocking that hackers would attack it.

The real shock is the types of vulnerabilities that are being fixed. I consider these vulnerabilities to be very fundamental and to require little understanding of hacking to actually execute. As the Apple press release states:
  1. 2 Cross Site Scripting Vulnerabilities in Safari.
  2. 2 Heap Buffer Overflow flaws in Safari cause arbitrary code execution or application termination.
  3. 1 Phishing Scam Flaw
  4. Another MASSIVE flaw allowing any internet programmer to completely take over the device:
"When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. However, this code could be replaced with code that does anything that the iPhone can do. It could send the user's mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker."


Here is a little video showing the MASSIVE iPhone flaw




The guys who found this massive flaw suggest 3 strategies to mitigate risk in using the iPhone:
  • Only visit sites you trust. If you don't visit attackers' sites, you give them one less attack vector.
  • Only use WiFi networks you trust. If attackers have control of your Internet connection, they have the ability to insert exploits into any website you visit.
  • Don't open web links from emails. Many current viruses send links to malicious sites in emails that look like they are from trusted contacts.
I've never seen any of these flaws on my Blackberry.

Dozens of vulnerabilities and bugs were covered by a total of six downloads for Mac OS 10.3.9 (Panther), Mac OS 10.4.10 (Tiger) on PowerPC, and the Universal version of Mac OS 10.4.10, as well as the server versions of each of those operating systems. Each download contains several patches to correct flaws, and Apple is recommending that all users of those operating systems download the updates.

Also, a class action lawsuit has been filed against Apple over the fact that Apple wasn't sufficiently clear as to whether a user could replace a battery. With soft sales figures for the iPhone, these issues have to be taking their toll on Apple, resulting in the stock falling since the iPhone's release.

Over and Out

2 comments:

Brian Dunbar said...

Dozens of vulnerabilities and bugs were covered by a total of six downloads for

Well, sure. During the same time period I did just as many (more?) downloads to cover my Windows servers.

I'm not sure what the point is - secure patches, updates, hot fixes .. they're a fact of life no matter what OS or application you have.

Heck, I have a version 9 application in my enterprise suite that I manage - the day we upgraded from .13 to .14 we had a hotfix to apply.

Hey Mr. End User - you know the six hours of downtime? We need another hour next weekend ... hey that went over well.

Also, a class action lawsuit has been filed against Apple over the fact that Apple wasn't sufficiently clear as to whether a user could replace a battery.

That one seems a little goofy.

Note: I am typing this on a MacBook Pro. But I'm not a Mac user so much as a guy who sees it as a nifty workstation with a glossy interface laid over the unix core.

Matt Stark said...

I think it is funny that people always see this as a Mac vs. Windows debate.

Actually this article merely lists the number of fixes Apple had to release immediately after the iPhone release AND all the crap they now have to deal with (i.e., lawsuit) as they become a computer shop that over 3% of the world uses.

Not to mention the security holes found are of the most basic type. Any intermediate JavaScript programmer could exploit the vulnerability. It's not shocking the people at Apple would miss these.