iPad Left Vulnerable After Record iPhone Patch Job
CWmike writes "With Monday's iOS 4 upgrade, Apple patched a record 65 vulnerabilities in the iPhone, more than half of them critical. However, the first-generation iPhone and iPod Touch, as well as the much newer iPad, may have been left vulnerable to some or all of the 65 bugs. iOS 4 cannot be installed on 2007's iPhone and iPod Touch, and the upgrade is not slated to reach iPad owners until this fall. The bug count is a record for the iPhone, surpassing the previous high mark of 46 vulnerabilities patched last summer with iPhone OS 3.0. Formerly known as iPhone OS 4, iOS 4 included 35 bugs, or 54% of the total, that were tagged with the phrase 'arbitrary code execution.' It's unclear how many, if any, of the vulnerabilities affect Apple's iPad. The media tablet runs an interim version of the operating system, dubbed iPhone 3.2, that followed the February iPhone 3.1.3 security update. It's possible that some of the bugs patched Monday were fixed by Apple before it launched the iPad in early April. But according to the Common Vulnerabilities & Exposures database, it's likely that many of the flaws fixed on Monday still exist in 3.2."
I know! How can they talk about how Apple Products don't suffer from viruses or other Malware when they are patching record numbers!
The only time I saw more than 65 windows updates in a single download is an XP that was still on Service Pack 2.
It's a frigging phone. The biggest vulnerability they haven't patched is people leaving it in bars. Who cares if it has vulnerabilities. It's a phone.
If another person claims a "record" on the number of bugs fixed in an apple release out I'm gonna jump off a fucking cliff.
Bugs are not good. Lots of bugs are worse. Fixing them? You don't get a medal, you should have done it right the first time. Yes it's good to patch them, but it's not something to break out the champagne on. When I fix a huge bug list my boss says "about time", not "good job! way to work!".
Doesn't the walled garden protect the users, to a large degree?
Funny how M$ used to be on top and all you'd read about was the security vulnerabilities left unpatched and with apple on top, with their new line of hardware, are having the same issues. I wonder if we'll ever see something like the Melissa virus, or the iJerk.
*DrugCheese rants*
...ever tried improvising on a piano? It's always difficult to find the right way to end, and so you go on and on, frequently repeating yourself. The summary's writer felt the same way.
Fleur de Sel
What is the point of speculating? It would be news if an exploit was in the wild.
I wouldn't call that a bug. :-)
I'm more surprised that a phone is subject to so many vulnerabilities. Yet again, it is a pretty sophisticated piece of software. Hence, thanks for fixing the stuff, Apple; better late security than no security.
Better late than never. And it's rather easy to create mistakes when focusing not on security, but on performance and ease of use.
... it's surprising that a phone is so riddled with security flaws.
That said
There never were and there never will be.
I'm more surprised that a phone is subject to so many vulnerabilities. Yet again, it is a pretty sophisticated piece of software. Hence, thanks for fixing the stuff, Apple; better late security than no security.
According to the article, 50 of the bugs are bugs in Webkit (side note: which would mean these bugs are likely present in Android, as Google uses Webkit for their browser, too), so it appears that web browsing is the most sophisticated piece (understandably.)
Track your TV Shows with your iPhone - FREE
There have been no ipad core OS updates of any kind since its release. This includes expected improvements like software tweaks to make wifi more reliable. There were rumors that the ibooks app was released on the App Store so it could get more frequent updates than the core OS, yet it has only had one major update (yesterday's, adding PDF support and a few other features).
Web rendering engines have security vulnerabilities, and webkit is no exception. Since Apple allows no competing renderers (alternative browsers still use webkit), it has an even greater responsibility to push security updates at least as often as they do for Mac OS X. Hopefully the official iOS 4 release means the developers/QA people have some time to work on iOS 3 patching.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
Really? So Android has no bugs/exploits in it? The various phone vendors that add their own code to the Android base also didn't introduce any bugs/exploits? And let me guess, the linux kernel has never had an exploit fixed?
ALL software has this problem. Open Source means it is much easier to bring them to light instead of depending on a proprietary vendor's announcement. Open Source does not mean the software doesn't have bugs/exploits.
"Get a bicycle. You will not regret it, if you live." - Mark Twain, "Taming the Bicycle"
...that I worry about. He's played AniMatch on my iPhone and when he sees the iPad he gets this look in his eyes and I'm scared for the iPad.
That said ... it's surprising that a phone is so riddled with security flaws.
50 of the security flaws were in WebKit, so it's not so much that the phone is riddled with flaws, but that a web browser is.
Track your TV Shows with your iPhone - FREE
This might be a perspective thing, but I read "Company X has patched a record number of security holes" as a negative thing, not as something the OP or company X is reporting to gloat about. I've taken the liberty of reading the links by the OP (shocking, I know), and didn't find any of them to really be coming across as something that anyone is looking for a pat on the back for (and for the record, I didn't see an official comment from Apple on their "record patch job").
Fundamentally, you're right though. It'd be nice if companies could make flawless products, but it seems to be the exception rather than the rule, and when any company addresses a record number of fixes to a product's flaws, I see no reason why it shouldn't make the news. Granted, some fanboys will try and spin it into a positive of some kind, but that's not really shocking and we all know how trustworthy fanboys are.
My $0.02.
Hence, thanks for fixing the stuff, Apple; better late security than no security.
If you replaced Apple with Microsoft and posted that same statement, do you think you would have been rated Interesting or would you have been modded into negative oblivion with Flamebait or Troll? Why is it that Apple gets a free pass on everything it does half-assed regarding security, yet Microsoft's feet are held to the fire instantly?
"But this one goes to 11!"
Really? So Android has no bugs/exploits in it?
Of course Android has bugs. In fact, it's based on WebKit and so it has many of the SAME bugs that the iOS does because many of these patched bugs are in WebKit.
Like you said, bugs are nearly unavoidable. All you can do is try your best to code well in the first place and then fix them when you find out you still have a few that you missed. The key really is the severity of the bugs, are they so blatant that they make the device unusable or trivial to exploit? Obviously the bugs aren't so bad in iOS because the devices still work well and there isn't any serious malware out there yet.
It's most likely that one of these days there will be a major bug/security flaw. We'll see how Apple handles that but so far their track record is fairly decent.
Sapere aude!
Quick question: How many times has your house been broken in to?
Follow up question: If you answered "never" then why do you bother locking your doors when you leave?
Obviously jumping to conclusions, but the irony would be overwhelming.
As a jailbreaker, it is always a little bittersweet to see my arbitrary code execution bugs fixed.
Oops.
A lot of you guys have iPhone envy that's just oozing from your orifices.
Also, your husband only beats you because he loves you, and anyone who says otherwise is just jealous that he's yours.
Not that a patched security vulnerability is anywhere near on the same order of magnitude, but the logic in the argument is as bad.
they can sign up for a $20 /m Premium text club download high cost apps.
In fact, you might have much more trouble getting those bug fixes on your android phone depending on the level of customization your phone requires and the phone manufacturer's willingness to roll up a patch with the latest version of Android.
Of course the original iPhone is in a bit of a bind as well.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
If you have the pre-beta Verizon iPad, the one that is coming out in January 2011 and was shown at E3, you shouldn't have all these vulnerabilities.
The problems so far are only showing up on the AT&T iPad.
-- Tigger warning: This post may contain tiggers! --
but on performance and ease of use.
and in an OS that just added 3rd party (pseudo)multitasking, no less.
bugs in Webkit (side note: which would mean these bugs are likely present in Android, as Google uses Webkit for their browser, too
That may be the case, but I wouldn't bet on it. The rendering engine is the same, but everything else is different - Android is based on Linux, iPhoneOS is based on Darwin. Different platforms, different architectures, different builds.
Following that reasoning the bugs should also be in Chrome and Safari on Linux, MacOS, Windows...
No, there aren't. And the malware that takes advantage of them are not exploits, they're jailbreaks (for somebody, not necessarily the owners).
That may be the case, but I wouldn't bet on it. The rendering engine is the same, but everything else is different - Android is based on Linux, iPhoneOS is based on Darwin. Different platforms, different architectures, different builds.
Following that reasoning the bugs should also be in Chrome and Safari on Linux, MacOS, Windows...
Webkit is the rendering engine. If the bugs are in Webkit, then they are in all the products that use Webkit.
Putting moderation advice in your
Mobile browsers based on WebKit are more likely to be similar than desktop browsers. It is more likely that Android and iPhone have issues but not OS X or Chrome.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Hmmm...
Issue on Cisco router, do a google search including "IOS" and get back something about some app that goes "mooooooo."
Very helpful Apple
Someone is going to post some long justification about exploits in the wild and some blah blah about monopoly. Whereas when it's about MS it's 'M$ can't code'. Apple gets a free pass on everything, including DRM in the iPhone and Trusted Computing.
Apple seems to have a particularly strong fanbase even amongst geeks which can't take valid criticism and does not hesitate to use their mod points for days after a story to stamp out any posts that can be construed as negative towards Apple.
This space for rent.
Microsoft has tastier feet. Duh.
they can sign up for a $20 /m Premium text club download high cost apps.
Hrm, that does remind me that I get unlimited texting for cheaper than their data plans...has anyone come up with an HTTP over SMS solution? :P
Track your TV Shows with your iPhone - FREE
Microsoft's iPad is their worst product yet. I mean, shit, they even managed to fuck up and put a competitor's logo on it!
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Your iCrap isn't so perfect now, Steve Jobs.
It's true. We are more secure than all of Apple's products.
- PC
Yes like 50 of the bugs were with WebKit. If WebKit was open source, someone would have found it sooner. Oh wait, it IS open source. And Android uses WebKit. . . so I guess that defeats your arguments.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Apple seems to have a particularly strong fanbase even amongst geeks which can't take valid criticism and does not hesitate to use their mod points for days after a story to stamp out any posts that can be construed as negative towards Apple.
Eh, I posted a few things the other day that weren't positive towards Apple but they were knocking down a few overzealous anti-Apple rumors and myths. I got modded down for it. It happens on both sides, a lot of people here are overly emotionally-invested in things and they tend to lash out rather than use reason.
The funny thing is that I've been capped at the highest level of karma forever and the downmods were reversed in a few days by upmods and meta-moderation. It's no biggie and I never find it useful to complain about moderation. Just keep posting reasonable statements and it will all take care of itself, post like a troll and you'll get smacked down a lot.
As for Microsoft, Apple, or whatever, all companies do stuff that is in their best interest but which might not be great for the consumer/public. It's good to be informed about their actions because that allows us to do the right thing: vote with our dollars. If you don't like how a company is run then don't buy from it.
Sapere aude!
Perhaps because Apple is patching these before they are exploited in the wild, rather than after? If the phone OS follows the same pattern as the desktop updates, they will continue to support the 3.x branch for quite a few years with security patches just as Apple continues to support Leopard as well as Snow Leopard. There is absolutely nothing preventing Apple from pushing the same patches to the 3.x line. It's also not a sure thing that these patched vulnerabilities that have been patched in 4.0 exist in 3.0. Nowhere in the article does it claim as much. It simply hints that they might exist in both (and I agree it's likely that some do).
I read that the iPad might, possibly, maybe kill its owner after 30 days of non-use. I know there haven't been any cases of iPhones, iPads or iPod touches attacking and killing their owners, but that doesn't mean you shouldn't fear it. Better safe than sorry!
--- What?
Modded down to a Troll???? LOL! The iPhone envy is gushing, not oozing.
If I didn't have absolutely NOTHING to do, I wouldn't be here.
Obviously it doesn't, seeing how I ended up with a 0 score. Not only that, your flamebait ended up with +4 insightful.
And yes, I can honestly say that replacing Apple with Microsoft would yield almost same response from me. "Sloppy, Microsoft, but better late than never! Thanks". Not the same, but close.
Go ahead...I'll wait.
Calm down, chief. One mod gave him an interesting nod, two others downrated him. The amount of freak out about moderation in the last couple years is getting pretty annoying.
Did Chrome crash while you were typing your reply?
has anyone come up with an HTTP over SMS solution? :P
That'd work at about 80 bytes per second with a ping of about 10 seconds! You'd be better to use it to synchronise your email & contacts at that rate..
> Quick question: How many times has your house been broken in to?
> Follow up question: If you answered "never" then why do you bother locking your doors when you leave?
The more analogous and honest question to ask is: Has anyone's house ANYWHERE ever been broken into?
A Pirate and a Puritan look the same on a balance sheet.
...has anyone come up with an HTTP over SMS solution?
Yeah, it's called WAP http://en.wikipedia.org/wiki/Wireless_Application_Protocol
WSP - wireless session protocol http://en.wikipedia.org/wiki/Wireless_Session_Protocol is the top layer of the protocol. It's kind of an optimised binary HTTP running over WTP. Since it's session-based, you set up the agreed data formats and associated headers etc. at the beginning and reuse them for every request. Much better than HTTP on a high-latency network, but not that important now we have megabit connections on mobiles.
WTP is basically TCP redesigned to handle frequent and long lasting packet loss episodes without getting its knickers in a twist. WTP is layered on top of WDP (wireless datagram protocol) which is transport-agnostic and used to mostly run over SMS or a dial-up data connection. It was briefly hyped about ten or twelve years ago.
Say what you like about how crap WML was (and it was really crappy...) but the WAP protocol stack was very well designed. WAP protocols are behind most of the MMS functionality - message delivery is essentially a connectionless push datagram.
You could do fantastic things using the WAP protocol which still aren't easily possible today on IP networks. Unsolicited push messages could be addressed to a particular subscriber, and not only that to a particular application running on the subscriber's handset. It was really powerful, mostly because the phone number was the network address. If only they had stuck with HTML as the markup language and GIF/Jpeg as the image formats.
What truth? That software has bugs?
I have known that truth for a long time - OS X is patched quite frequently, and the knowledgebase articles about just what has been patched and who discovered it are quite informative. Since iOS is based on OS X it does not surprise me that it also has bugs. Nice to see them fixed.
A lot of these were bugs in Webkit, so expect updates for Android too, assuming your phone manufacturer offers an update. How many of them have got around to offering 2.2?
Upgraded my iPhone to v4 last night, now it doesn't work with my Pioneer (DEH-3200UB) car audio deck. Talked to Pioneer and they pointed to Apple. Spoke with Apple and was told "sorry". Maybe the iPad users are the lucky ones.
Do you have to agree to have your location information sold to unspecified third parties before you can get the patch?
65 bugs that I won't get patches for in my 1st Generation Ipod Touch. What is the point of paying a premium for hardware, when the control-freak sole arbiter of software patches renders it functionally obsolete long before its useful life has expired?
... and they don't allow any other (real) browser on the phone, either. I might be parroting comments from above, but if this was a certain other large technology company the vitriol here would have been through the roof.
Man who leaps off cliff jumps to conclusion.
House has never been broken into, I live in the middle of nowhere and have half a dozen geese as watchdogs.
I don't bother locking my door when I leave, often don't bother locking the car.
Last night I was putting oil into the car and got distracted doing something else, left the bonnet up and the keys on top of the engine. Next morning, everything still exactly where I'd left it.
...If only they had stuck with HTML as the markup language and GIF/Jpeg as the image formats.
Wasn't that also about severe hardware limitations of handsets back then?
One that hath name thou can not otter
I viewed an idle.slashdot.org page, Safari crashed, and my iPhone rebooted on its own. I wonder if I got hit. Yay.
No different than the above being marked troll. It is certainly not 'trolling' under any definition. There have been no mass exploits for Apple since they moved to Intel unless someone would be kind enough to point one out? The modding has nothing to do with the content in the post, but rather the fact that someone dared to defend Apple. Anymore it's become a total waste of time to even read Apple threads. They are full of vitriol and hate. Not from the expected Apple fans, but from the anti-Apple (droid?) crowd.
Nice UID. Nice of the slashdot community to blindly follow this crap.
The critical difference is that Google and FOSS are pretty damn quick in fixing bugs. Apple and to a lesser extent Microsoft are happy to leave known bugs and vulnerabilities unpatched for months or even years. Google fixes Android bugs in short order. Bugfix versions like 1.1 and 2.01 dropped very quickly after their parent releases.
Calling someone a "hater" only means you can not rationally rebut their argument.
How can they talk about how Apple Products don't suffer from viruses or other Malware when they are patching record numbers!
How? Well, first, they've never said this. But they have said any such problem is way less than on Windows, which it is. And the iPhone/iPad? Aside from that exploit a while back that affected jailbroken iPhones with a default ssh password, what malware is there for iOS?
None?
Hmm... Perhaps that's how they can say the things they actually do say.
How is the parent a troll? Then again, that's the only reason I read this article, for the ad hominem attacks on Apple users. And the anti-Apple crowd does not disappoint. :-)
http://www.rootstrikers.org/
Somebody has a strange concept of trolls.
Sorry your boss sucks so bad, man.
HTML & GIF, not so much. JPeg definitely. It wasn't very long until phones started running smart OS' though - Nokia's 7650 was released only 3 years after the WAP standard ratification. Ericsson had their R380 earlier.
Mod parent frustrated.
If it makes you feel better, I thought the summary was calling out Apple for the flaws.
I know it's a shallow and pointless sentiment but I still hope and pray somewhere in the world an Apple fanboy is thinking twice about spouting another hollow comment on the security picture of Apple.
For the love of god they can't even write a media player (quicktime) without dozens of critical security bugs. If you ask me they suck just as bad as the other OS vendors.
We just all need to come together and hate everyone equally.
Apple seems to be getting more and more like Microsoft every day. I agree; bug fixes shouldn't be "look how great I am, I'm fixing bugs" it should be "We're sorry for the inconvenience and will try to program less incompetently next time. We hope these bug fixes don't brick your hardware." Plus, TFS says the upgrade is not slated to reach iPad owners until this fall. WTF???
Free Martian Whores!
Granted, some fanboys will try and spin it into a positive of some kind
Well yes, that's the problem. Companies just kind of matter of factly send out patches, and the kool aid crowd turns every negative into a positive. Every time I see one of those comments I wonder if the poster is an employee of that company, heavily invested in its stock, or is just a batshit insane loser.
Free Martian Whores!
This was already spun against Apple: "iPad left vulnerable". Why not just report it as "iOS4 patches security flaws" or something like that? It's not just the "fanboys" who spin headlines - this one was already spun but the other way.
While I suspect the iPhone envy comment was designed to get under their skin a bit, I doubt it's necessarily envy. I think it's more like blind Apple hatred that is driving much of this. While some complaints have some minor grains of truth to them, most of them seem blown ridiculously out of proportion. I imagine that most of the people who are so vocal against it have never used an Apple product, don't have an understanding of why people love them so much and so they make fun of what they don't understand.
They have said this. Not in some press release or an interview from Jobs, but in other adverts like radio. They have a Mac commercial airing right now that says Macs are virus-free. If I can get a recording of it I'll host it and link it.
If you are worried about exposing your personal data, don't jailbreak. I've tried it in the past and I'll never jailbreak again.
Jesus was a compassionate social conservative who called individuals to sin no more.
Except the problem is that the exploits in iOS that jailbreaking software uses to break in to your phone in the first place are still there. Someone could easily write a piece of malware that infects your PC, waits for your iPhone to connect via USB, then silently slips in a malicious payload in the same manner. Your phone has no measure of security to stop or even alert you of anything that makes it in.
Being aware that my phone is vulnerable no matter what but having more transparency like being able to sift through my phone's filesystem gives me just a little more peace of mind.
They have said this. Not in some press release or an interview from Jobs, but in other adverts like radio. They have a Mac commercial airing right now that says Macs are virus-free. If I can get a recording of it I'll host it and link it.
Apple does not have radio advertisements. Definitely not in the US, perhaps in another locale (although I wouldn't expect it).
But by all means, snag a recording and put it up somewhere.