Slashdot Mirror


iPad Left Vulnerable After Record iPhone Patch Job

CWmike writes "With Monday's iOS 4 upgrade, Apple patched a record 65 vulnerabilities in the iPhone, more than half of them critical. However, the first-generation iPhone and iPod Touch, as well as the much newer iPad, may have been left vulnerable to some or all of the 65 bugs. iOS 4 cannot be installed on 2007's iPhone and iPod Touch, and the upgrade is not slated to reach iPad owners until this fall. The bug count is a record for the iPhone, surpassing the previous high mark of 46 vulnerabilities patched last summer with iPhone OS 3.0. Formerly known as iPhone OS 4, iOS 4 included 35 bugs, or 54% of the total, that were tagged with the phrase 'arbitrary code execution.' It's unclear how many, if any, of the vulnerabilities affect Apple's iPad. The media tablet runs an interim version of the operating system, dubbed iPhone 3.2, that followed the February iPhone 3.1.3 security update. It's possible that some of the bugs patched Monday were fixed by Apple before it launched the iPad in early April. But according to the Common Vulnerabilities & Exposures database, it's likely that many of the flaws fixed on Monday still exist in 3.2."

20 of 145 comments

  1. Re:It's a phone by heruvian · · Score: 5, Insightful

    Yes, a phone that you can use to access your bank account on the internet.

  2. Stop with the "record number of bugs fixed" please by e2d2 · · Score: 2, Insightful

    If another person claims a "record" on the number of bugs fixed in an Apple release I'm gonna jump off a fucking cliff.

    Bugs are not good. Lots of bugs are worse. Fixing them? You don't get a medal, you should have done it right the first time. Yes it's good to patch them, but it's not something to break out the champagne on. When I fix a huge bug list my boss says "about time", not "good job! way to work!".

  3. Re:It's a phone by Lundse · · Score: 5, Insightful

    Who cares if it has vulnerabilities. It's a phone.

    A phone which is able to broadcast your real-time location.
    A phone which has all your mails, all your texts and logs of all your calls, and a few private photos to boot.
    A phone with verified contact information for all your friends, and sellable information on yours and their preferences.
    A phone that can call any number, including premium-rated ones owned by shady organizations.

    Yeah. Who cares if someone else gains control of that?

    --
    IAIFARSIJDPOOTV - I Am In Fact A Reality Star; I Just Don't Play One On TV
  4. Funny by DrugCheese · · Score: 3, Insightful

    Funny how M$ used to be on top and all you'd read about was the security vulnerabilities left unpatched and with Apple on top, with their new line of hardware, are having the same issues. I wonder if we'll ever see something like the Melissa virus, or the iJerk.

    --
    *DrugCheese rants*
    1. Re:Funny by magsol · · Score: 2, Insightful

      With Apple finally gaining in the markets, it's becoming profitable to create exploits. While the fanbois would have you believe that Apple products simply weren't exploitable, the simple facts are that 1) there simply weren't enough Apple products in the wild to justify an exploit, and 2) Apple seems to prefer the "silent failure" route (which, admittedly, is less obvious than a BSOD) so users don't know they've been compromised.

      Now that devices like the iPhone, iPad, even iPods have become all but ubiquitous, I bid Apple a very warm welcome to the malware-infested playing field M$ has been inhabiting all this time.

      --
      "I'd just like to emphasise that taking a million years isn't a metaphor here..." -Rich Bradshaw
    2. Re:Funny by phantomfive · · Score: 2, Informative

      In the old days, in addition to Microsoft's OS being an open door, a lot of those computers were left on the open internet, making it easy for viruses to find computers to attack. Also, OS distributors didn't really catch on to the idea that leaving services open was a bad idea (it just seemed like being a good netizen to leave your finger port open). For example, I don't think RedHat stopped shipping with the FTP port open by default until 2001 or 2002. And that was a secure OS, Windows was much worse.

      In comparison, most iPads and iPhones are hidden behind a firewall, or are natted. You can't randomly probe IP addresses hoping to find one that is an iPad with a vulnerability that you're looking for. Maybe the best you can do is hope someone with the right device will surf to your web page with the exploit.

      That doesn't stop email viruses, but given that iPads are only a fraction of the computers out there, I think we're more likely to see a serious email virus from a bug in Outlook than one on an iPad.

      --
      Qxe4
    3. Re:Funny by BarryJacobsen · · Score: 4, Funny

      2) Apple seems to prefer the "silent failure" route

      What do you mean?

      Apple's Human Interface Guidelines for Malware on OS X and iOS specifically state not to inform the user of their presence.

  5. Arbitrary Code Execution by aaaaaaargh! · · Score: 4, Insightful

    I wouldn't call that a bug. :-)

  6. Re:It's a phone by dhanson865 · · Score: 2, Insightful

    A phone which is able to broadcast your real-time location.
    A phone which has all your mails, all your texts and logs of all your calls, and a few private photos to boot.
    A phone with verified contact information for all your friends, and sellable information on yours and their preferences.
    A phone that can call any number, including premium-rated ones owned by shady organizations.

    Yeah. Who cares if someone else gains control of that?

    On top of calling pay phone numbers (900 numbers and such) if it copies all your data to a server somewhere you may go over your data plan and have to pay $15 per 200MB transferred or $10 per 1GB transferred depending on your plan.

    DataPlus - 200 MB of data for $15 per month

            * Designed for people who primarily surf the Web, send email, and use social networking apps.
            * On average, 65% of AT&T smartphone customers use less than 200 MB per month
            * If you use more than 200 MB, you'll receive an additional 200 MB of data usage for $15, replenished as often as necessary during the billing cycle.

    DataPro - 2 GB of data for $25 per month

            * Designed for people who regularly download or stream music and video, or use other high bandwidth applications
            * 98% of AT&T smartphone customers use less than 2 GB in a month on average
            * If you exceed 2 GB, you'll get an additional 1 GB of data for only $10. Each time an additional 1 GB is used up during a cycle, you will automatically receive another 1 GB at the same low price.

  7. Re:They're no bugs in Apple products! by BarryJacobsen · · Score: 5, Informative

    I'm more surprised that a phone is subject to so many vulnerabilities. Yet again, it is a pretty sophisticated piece of software. Hence, thanks for fixing the stuff, Apple; better late security than no security.

    According to the article, 50 of the bugs are bugs in WebKit (side note: which would mean these bugs are likely present in Android, as Google uses WebKit for their browser, too), so it appears that web browsing is the most sophisticated piece (understandably.)

  8. Re:Stop with the "record number of bugs fixed" ple by sphantom · · Score: 2, Insightful

    This might be a perspective thing, but I read "Company X has patched a record number of security holes" as a negative thing, not as something the OP or company X is reporting to gloat about. I've taken the liberty of reading the links by the OP (shocking, I know), and didn't find any of them to really be coming across as something that anyone is looking for a pat on the back for (and for the record, I didn't see an official comment from Apple on their "record patch job").

    Fundamentally, you're right though. It'd be nice if companies could make flawless products, but it seems to be the exception rather than the rule, and when any company addresses a record number of fixes to a product's flaws, I see no reason why it shouldn't make the news. Granted, some fanboys will try and spin it into a positive of some kind, but that's not really shocking and we all know how trustworthy fanboys are.

    My $0.02.

  9. Re:They're no bugs in Apple products! by Mister+Whirly · · Score: 2, Insightful

    Hence, thanks for fixing the stuff, Apple; better late security than no security.

    If you replaced Apple with Microsoft and posted that same statement, do you think you would have been rated Interesting or would you have been modded into negative oblivion with Flamebait or Troll? Why is it that Apple gets a free pass on everything it does half-assed regarding security, yet Microsoft's feet are held to the fire instantly?

    --
    "But this one goes to 11!"
  10. Re:holy shit! by Graff · · Score: 4, Interesting

    Really? So Android has no bugs/exploits in it?

    Of course Android has bugs. In fact, it's based on WebKit and so it has many of the SAME bugs that the iOS does because many of these patched bugs are in WebKit.

    Like you said, bugs are nearly unavoidable. All you can do is try your best to code well in the first place and then fix them when you find out you still have a few that you missed. The key really is the severity of the bugs, are they so blatant that they make the device unusable or trivial to exploit? Obviously the bugs aren't so bad in iOS because the devices still work well and there isn't any serious malware out there yet.

    It's most likely that one of these days there will be a major bug/security flaw. We'll see how Apple handles that but so far their track record is fairly decent.

  11. But I *like* to execute arbitrary code. by customizedmischief · · Score: 2, Insightful

    As a jailbreaker, it is always a little bittersweet to see my arbitrary code execution bugs fixed.

    --
    Oops.
  12. Re:No ipad updates of any kind by proxima · · Score: 3, Insightful

    I'd hope that instead of spending that time patching iOS 3 they just try to release iOS 4 for iPad much sooner (that'd probably be the largest gain, after that if they really want they can work on porting the changes so the people with an original iPhone have security fixes, but I don't actually know if the numbers would make it worthwhile).

    You have to support recent releases of your operating system with security updates, as not everyone is going to upgrade to the latest and greatest OS for any number of reasons. Lots of people with the 3G are reporting performance issues with iOS 4 (and few benefits). Until this release, OS updates for the iPod touch weren't free as well.

    This becomes extremely important in the enterprise, where changes are handled more carefully. These mobile platforms seem to be way too fast of a moving target, though. Even Mac OS X gets deprecated fairly quickly relative to enterprise schedules. It's clear that Apple just isn't targeting them, which I think is a shame.

    --
    "The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
  13. Re:They're no bugs in Apple products! by ivucica · · Score: 3, Insightful

    Obviously it doesn't, seeing how I ended up with a 0 score. Not only that, your flamebait ended up with +4 insightful.

    And yes, I can honestly say that replacing Apple with Microsoft would yield almost the same response from me. "Sloppy, Microsoft, but better late than never! Thanks". Not the same, but close.

  14. Did Chrome crash while you were typing your reply? by Brannon · · Score: 2, Funny

    Did Chrome crash while you were typing your reply?

  15. Re:It's a phone by Stray7Xi · · Score: 2, Informative

    A phone which is able to broadcast your real-time location.
    A phone which has all your mails, all your texts and logs of all your calls, and a few private photos to boot.
    A phone with verified contact information for all your friends, and sellable information on yours and their preferences.
    A phone that can call any number, including premium-rated ones owned by shady organizations.

    Yeah. Who cares if someone else gains control of that?

    Worse, how as a user can you even mitigate this risk?
    You can't stick it behind a firewall (except on wifi) to detect weird traffic patterns.
    There is no task manager of any kind (yes stock has very limited multitask but malware can jailbreak to rootkit)
    There is no booting off a bootdisk to get a checksum of firmware.
    It's like being logged onto Windows with a locked down user account, unable to view the OS in any way.

    The only thing as a user you can do is monitor your bills closely for unusual patterns.

  16. Another patch that creates a more annoying bug by GreenSquirrel2 · · Score: 2, Interesting

    Upgraded my iPhone to v4 last night, now it doesn't work with my Pioneer (DEH-3200UB) car audio deck. Talked to Pioneer and they pointed to Apple. Spoke with Apple and was told "sorry". Maybe the iPad users are the lucky ones.

  17. Glad I shelled out for premium hardware! by PeanutButterBreath · · Score: 4, Insightful

    65 bugs that I won't get patches for in my 1st Generation iPod Touch. What is the point of paying a premium for hardware, when the control-freak sole arbiter of software patches renders it functionally obsolete long before its useful life has expired?