Slashdot Mirror

← Back to Stories (view on slashdot.org)

New iOS Keylogging Vulnerability Discovered

Posted by timothy on from the it's-called-eye-phone-duh dept.

exomondo writes "Following hot on the heels of the iOS (and OS X) SSL security bug comes the latest vulnerability in Apple's mobile operating system. It is a security bug that can be used as a vector for malware to capture touch screen, volume rocker, home button and (on supported devices) TouchID sensor presses, information that could be sent to a remote server to re-create the user's actions. The vulnerability exists in even the most recent versions of iOS and the authors claim that they delivered a proof-of-concept monitoring app through the App Store."

72 comments

  1. Linux and windows have vulnerabilities by bazmail · · Score: 5, Insightful

    apple software has "bugs".

    1. Re:Linux and windows have vulnerabilities by StripedCow · · Score: 2

      At least Microsoft is conducting research to reduce bugs.
      See for example: http://research.microsoft.com/...

      Not sure where Apple stands.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    2. Re:Linux and windows have vulnerabilities by alen · · Score: 1, Interesting

      this one relies on apps that run in the background and "listen" to touch inputs

      since android is multitasking as well i assume it has the same issues

    3. Re:Linux and windows have vulnerabilities by kthreadd · · Score: 1

      We don't know because Apple never comments on things. It's a black box.

    4. Re:Linux and windows have vulnerabilities by Anonymous Coward · · Score: 5, Funny

      Not sure where Apple stands.

      On a mahogany patio, looking at a gold-plated Olympic-size swimming pool full of cash, smiling before wading in.

    5. Re:Linux and windows have vulnerabilities by Anonymous Coward · · Score: 2, Interesting

      Background tasks don't receive touch input. That's why they are in the background.

      Unless you are iOS and have this vulnerability.

    6. Re:Linux and windows have vulnerabilities by jddeluxe · · Score: 1

      Not sure where Apple stands.

      On a mahogany patio, looking at a gold-plated Olympic-size swimming pool full of cash, smiling before wading in.

      ...On the yacht...

    7. Re:Linux and windows have vulnerabilities by tero · · Score: 1

      You didn't even read the summary? That's very /. of you

      " iOS (and OS X) SSL security bug comes the latest vulnerability in Apple's mobile operating system"

    8. Re:Linux and windows have vulnerabilities by rehtonAesoohC · · Score: 5, Insightful

      You can't assume that because android also has multi-tasking that it also has a security vulnerability... It's a completely different system with completely different designs. That's like saying that because an apple has skin that you should also eat people too.

    9. Re:Linux and windows have vulnerabilities by FlopEJoe · · Score: 2

      apple software has "bugs".

      It's a glitch.

    10. Re:Linux and windows have vulnerabilities by bazmail · · Score: 1

      I tried to be all-inclusive and use the lowest form of wit as the basis for a joke, but it seems to have passed clear over your head.
      I will try to include pie-in-the-face gags and poop in my next humor-based post.

      NO SLASHDOTTER LEFT BEHIND!!!!

    11. Re:Linux and windows have vulnerabilities by idontgno · · Score: 1

      It's a "You're doing it wrong!".

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    12. Re:Linux and windows have vulnerabilities by Anonymous Coward · · Score: 0

      Vulnerabilities usually come with the word "known". An update a day keeps the doctor away. And that's something the Apple guys are doing pretty well.

    13. Re:Linux and windows have vulnerabilities by 0xdeadbeef · · Score: 1

      And if they allow privilege escalation they're called "jailbreaks".

    14. Re:Linux and windows have vulnerabilities by Anubis+IV · · Score: 1

      I shouldn't need to be explaining this on Slashdot, but the two are not necessarily the same, and one is not a polite euphemism for the other. A bug may lead to a vulnerability, or it may not, since it could be as benign as unexpected output for the provided input or as dangerous as the stuff we hear about here each day.

      In contrast, vulnerabilities are always dangerous, though to varying extents, and they may not always be caused by software bugs (though I suppose there is an argument to be made that you cannot have a vulnerability in the absence of bugs, such as bugs in the design spec that lead to vulnerabilities, even when implemented "correctly").

      Anyway, even if we set aside all of that, the summary refers to this issue as both a "vulnerability" and a "bug" in the span of the first two sentences (both of which appear to be applicable in this case), so I don't know why you're getting wound up.

    15. Re:Linux and windows have vulnerabilities by Slashcrunch · · Score: 1

      Hehe you missed a fairly thick joke there :)

      No one is denying that another vulnerability was found. Vulnerabilities will be found in any software.

    16. Re: Linux and windows have vulnerabilities by Anonymous Coward · · Score: 0

      Still waiting for "I'm a Mac" to come back, turn around and see his pants are ripped. Or maybe he's the king with new clothes? :)

    17. Re:Linux and windows have vulnerabilities by PNutts · · Score: 1

      apple software has "bugs".

      It's a glitch.

      And the Bobs fixed it.

  2. No worries by Anonymous Coward · · Score: 0, Funny

    It is a security bug that can be used as a vector for malware to capture...

    Good thing there is no iOS malware. All hail the walled garden!

  3. Goes to show... by jones_supa · · Score: 5, Insightful

    As Apple products keep gaining larger market share, also the number of discovered vulnerabilities increases day after day. Having a UNIX base does not mean that you are automatically invincible.

    1. Re:Goes to show... by Anonymous Coward · · Score: 1

      gaining a larger market share?

      they are going backwards.....

      the only place that buys apple products in a large quantity is the US....

      9% market share..... yep everyone is buy them

    2. Re:Goes to show... by Anonymous Coward · · Score: 0

      iOS has had a massive market share for a long time so your point is stupid.

    3. Re:Goes to show... by Anonymous Coward · · Score: 0

      Futher more, when they use BSD license to release binary only form, where vulnerability is most likely not in the BSD licensed part of software - is in no way different, than usual binary for Microsoft OS. IMHO, IANAP.

    4. Re:Goes to show... by Anonymous Coward · · Score: 1

      Actually, they haven't. They've never dominated the marketplace.

      Their phones only passed Blackberry's highest marketshare only in 2012 / 2013.

    5. Re:Goes to show... by Anonymous Coward · · Score: 0

      so...
      apple had a market share of over 50% at one stage when they brought out a new shiny phone
      android has annihilated apple, and now apple's market share is around 9-12%....android is around 82%.

      even microsoft is gaining in market share, and close to apple..

      but... no... 12% must actually mean billions of their phones are being brought, and they are the highest used phone of all time.

      nokia had a "massive market share for a long time".....

      apple's curiosity factor is but a blip on the mobile phone radar......

      wouldn't want to point out the "stupid" obvious point....hey....

  4. Can we just go back to the gotofail bug for a sec? by Anonymous Coward · · Score: 0

    Sweet pickles... doesn't anyone else think it's INSANE that this hasn't been fixed yet on OS X?! This isn't a minor issue, and there are all kinds of privacy concerns, financial concerns, etc. on the line here, plus this creates uncertainty about the legitimacy of future updates and the security of everything on OS X moving forward....

    Since the offending code is open sourced, has any trusted third party (EFF or someone) built and implemented a fix, signed with GPG?

    Now we find out any app can start keylogging on iDevices?! Security fails are to be expected, but for stuff like this "the flaw remains unfixed in OS X 10.9.0 and 10.9.1. Apple has yet to say when a patch will be released." is absolutely unacceptable and shakes my confidence in Apple's concern for its customers to the core. (NPI)

  5. Re:Can we just go back to the gotofail bug for a s by Cinder6 · · Score: 4, Informative

    They just released the patch for OS X, actually.

    http://appleinsider.com/articl...

    --
    If you can't convince them, convict them.
  6. can you see us? {;^)-)--(-(^;)= by Anonymous Coward · · Score: 0

    no need for malware attacks when using POT (Personal Open Terminal) even textual vdo is viewable by all loggers right on their screen. thanks moms... goes without saying

  7. Is this a real vulnerability or hype? by Ronin+Developer · · Score: 2, Insightful

    The method of how the app was installed on a non-jail broken device was not discussed. While I would say that being able to capture touches and such by an background app is a potential threat, getting the software on a device is easier said than done.

    Mobile Management Systems (MMS) have access to APIs that can also do these sorts of things.

    I would venture that this was one using either developer mode or as an enterprise app and not through the the AppStore. Jailbroken devices are, clearly, more at risk.

    Now...a bigger question. Can the same be done on Android devices? I am betting "Yes"????

     

    1. Re:Is this a real vulnerability or hype? by Anonymous Coward · · Score: 0

      I guess you missed the part about getting it to work on non-jailbroken devices through getting an app into the app store?

    2. Re:Is this a real vulnerability or hype? by R3d+M3rcury · · Score: 1

      Now...a bigger question. Can the same be done on Android devices? I am betting "Yes"????

      I'd be willing to bet that it can as well.

      So what does that mean? iOS is just as vulnerable as Android?

    3. Re:Is this a real vulnerability or hype? by fsck-beta · · Score: 2

      iOS is just as vulnerable as Android?

      Not quite. It just means that iOS isn't as invulnerable as many claim.

    4. Re:Is this a real vulnerability or hype? by Anonymous Coward · · Score: 0

      Well as the article says: "FireEye successfully delivered a proof-of-concept monitoring app through the App Store that records user activity and sends it to a remote server. We have been collaborating with Apple on this issue." My guess would be that the appstore was used ;)

    5. Re:Is this a real vulnerability or hype? by Anonymous Coward · · Score: 0

      Explain. Not quite? Software is software. A bug that is exploitable will compromise the platform it's on.

      As a matter of fact, if you can root or jailbreak a device, that means there's a privilege escalation bug / security hole ready to be exploited in said platform.

      How long has any platform gone without being hacked?

  8. virus too by fluffythdestroy · · Score: 0

    it has viruses in flash too. be warned apple users, your not invulnurable as you think. You'll need an anti-virus, anti-malware and anti everything to protect your so called inpenetrable OS. "Resistance is futile" lol

    --
    PC Gaming enthousiast that gives comments, opinions and reviews on Games. I'm just having fun with games while doing let
    1. Re:virus too by Anonymous Coward · · Score: 1

      Quite a number of applications use Adobe AIR as their framework, which is effectively Flash.

      Flash in a Browser is, of course, a different story.

  9. This site sucks by Anonymous Coward · · Score: 0

    Probably less bugs than Beta has:

    "Shazbot! We ran into some trouble getting the comments.
    Try again... na-nu, na-nu!"

  10. Slashdot is dying and it is good by Anonymous Coward · · Score: 0

    This site has become so enamored with Apple that when a vulnerability is discovered in one of its products, Apple praised for fixing it so quickly instead of receiving criticism. I'm glad Dice took over Slashdot and fucked it over, it was a long time coming. This site is nothing like its roots back in the early 1990s-2000s era. It is full of stupid and should die a horrible death.

    1. Re:Slashdot is dying and it is good by Anonymous Coward · · Score: 0

      If you leave, you'll be part of the cure.

  11. stfu and learn noob by fluffythdestroy · · Score: 2

    http://news.cnet.com/8301-2707...

    --
    PC Gaming enthousiast that gives comments, opinions and reviews on Games. I'm just having fun with games while doing let
    1. Re:stfu and learn noob by Slashcrunch · · Score: 3, Informative

      Yeah, that one piece of malware is a real pain.

      Yes, malware for OSX and iOS does exist. It is very possible. But the problem seems to be about the same size as malware for Linux at this stage. By that I mean there is very little of anecdotal evidence of widespread, active malware in the wild targeting OSX, iOS and Linux. The same can't be said for Windows.

      So far I've never been hit on OSX, iOS or Linux. I've had plenty of Windows machines go down in flames though. I still have friends of family for which this is a fairly regular occurrence. Even myself, I had a fully patched Windows VM just for testing websites in IE. No antivirus installed. Visited some legitimate news and html/css sites... Boom. Malware installed.

    2. Re:stfu and learn noob by Anonymous Coward · · Score: 0

      Yeah, that one piece of malware is a real pain.

      Yes, malware for OSX and iOS does exist. It is very possible. But the problem seems to be about the same size as malware for Linux at this stage. By that I mean there is very little of anecdotal evidence of widespread, active malware in the wild targeting OSX, iOS and Linux.

      Are you kidding? The biggest malware epidemic in modern times in terms of percentage of user base infected was Mac Flashback, infecting 1% of OSX users.

    3. Re:stfu and learn noob by Gunboat_Diplomat · · Score: 1

      Yeah, that one piece of malware is a real pain.

      Yes, malware for OSX and iOS does exist. It is very possible. But the problem seems to be about the same size as malware for Linux at this stage. By that I mean there is very little of anecdotal evidence of widespread, active malware in the wild targeting OSX, iOS and Linux. The same can't be said for Windows.

      So far I've never been hit on OSX, iOS or Linux. I've had plenty of Windows machines go down in flames though. I still have friends of family for which this is a fairly regular occurrence. Even myself, I had a fully patched Windows VM just for testing websites in IE. No antivirus installed. Visited some legitimate news and html/css sites... Boom. Malware installed.

      Mac Malware Outbreak Is Bigger than 'Conficker'

    4. Re:stfu and learn noob by AmiMoJo · · Score: 1

      By that I mean there is very little of anecdotal evidence of widespread, active malware in the wild targeting OSX, iOS and Linux.

      Actually iOS seems to be a very popular target for NSA malware. Check out their malware catalogue, they have a lot of stuff targeting iOS.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:stfu and learn noob by TheGrimmReaper · · Score: 1

      The biggest? Really? I'm hope your using humor.

    6. Re:stfu and learn noob by Anonymous Coward · · Score: 0

      The biggest? Really? I'm hope your using humor.

      Yes, really, in terms of percentage of user base infected. It infected 1% of OSX users. Second biggest was Windows Conficker, infecting 0.7% of Windows users. Now someone will say that this is more users, of course it is, but percentage of user base affected is the relevant metric for assessing infection risk for users of that platform.

      Now, I'm not saying that Mac users have higher infection risk than Windows users in total, because Windows still have significant more malware adding to the risk. But that Mac users still think it hardly happens to their platform after a massive outbreak like Flashback is very naive.

      Btw. versions of Mac Flashback infected with completely drive-by infection, no users intervention or notice, something many Mac users still believe can't happen on OSX.

  12. Get out of your tower of Illusion by fluffythdestroy · · Score: 1

    Its incredible how a mac user (I presume you are but I could be wrong with your antivirus answer) but to think that mac don't need an anti-virus is simple stupid and arrogant at the same time. It's not because you got a mac that your invulnurable on viruses. Phishing works with a browser and every OS as one. my recent link in my post was about the flashback bot which works in browsers. Guess what ? Mac has browsers too and since people know mac don't have an anti-virus guess what will hackers or people with bad intention do ? They' ll probably attack mac users especially since Apple got more popularity in recent years. So mac users should get out of their tower of illusion and embrace reality before its too late. Cause right now WIndows users or most of them made their research, work and studies on viruses and antiviruses and most are ready. How much mac users are ready against the upcoming threats ?

    --
    PC Gaming enthousiast that gives comments, opinions and reviews on Games. I'm just having fun with games while doing let
    1. Re:Get out of your tower of Illusion by BasilBrush · · Score: 2

      You seem confused as to the topic. I repeat. OSX is not iOS. iOS doesn't have flash, nor flashback, nor any need for anti-virus. Anti-virus could only check for know malware, and known malware is removed by Apple anyway.

    2. Re: Get out of your tower of Illusion by Anonymous Coward · · Score: 0

      you seem to be living in a dream
      world and obviously uneducated about the topic

    3. Re:Get out of your tower of Illusion by AmiMoJo · · Score: 1

      So iOS does have anti-virus, in the form of Apple's ability to remotely delete malware based on signatures.

      If (app_id == KNOWN_MALWARE_72) uninstall();

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Get out of your tower of Illusion by BasilBrush · · Score: 1

      Well probably not based on signatures, no. There's no need when each app has a unique App ID.

      Now as anyone interested in security knows, security is not a single defensive wall. It's a series of walls, such that whilst an attacker might break through one, they are then met with another wall. As a final wall in the iOS security, Apple does have the ability to kill malware remotely. There's not been the need to use it as yet.

  13. So far /. is at 3% reading comprehension rate by JohnnyComeLately · · Score: 2
    35 messages on this thread as I read it, and only ONE says in any detail anything that shows the issue and what the vulnerability has as an underlying assumption. Here it is for those who did read the article (RTFA), you have to install a rogue app. So, someone who's breaking the ToS (not being rogue) has to put an app out, then you have to install it, and then it's scraping inputs. This isn't a security vulnerability as most responses on here opine about. My car has a gas pedal. Does the ECM for engine management have a "security vulnerability," because I can press hard on the right pedal and do 180mph (illegal by federal law)?? No. It's functioning as designed. Press hard on gas, go faster. App installed and running in background, can accept device inputs. For example, have a GPS app? It is allowing inputs from other applications (e.g. you can listen to music on the GPS app I have without kicking out to Music app) and inputs (buttons).

    Nothing significant to see here. Yeah, more restrictions from Apple development guidelines coming due to asshats being asshats. *sigh*

    1. Re:So far /. is at 3% reading comprehension rate by Anonymous Coward · · Score: 2, Interesting

      So, someone who's breaking the ToS (not being rogue) has to put an app out, then you have to install it, and then it's scraping inputs.

      Oh so it's not a security vulnerability if it's against the Terms of Service, wow Microsoft should implement a ToS and then most of their Windows security issues will cease to exist.

      This isn't a security vulnerability as most responses on here opine about.

      Of course it is, how do you figure that a process running in the background being able to break out of the sandbox restrictions and capture all inputs is not a security vulnerability? You would have to be a complete Apple shill to be in such denial about a bug like this.

      My car has a gas pedal. Does the ECM for engine management have a "security vulnerability," because I can press hard on the right pedal and do 180mph (illegal by federal law)?? No. It's functioning as designed.

      Yet the application sandboxing in iOS is clearly not working as designed as it is allowing background processes to capture all inputs. Since you clearly don't understand the concept of sandboxing it is obvious why you would not see the security problem here.

    2. Re:So far /. is at 3% reading comprehension rate by Anonymous Coward · · Score: 1

      you have to install a rogue app.

      That is how most malware works, unless you have a privilege escalation bug. And iOS has had at least one such web-based drive-by bug (jailbreakme.com) so there are probably more undiscovered ones.

      So, someone who's breaking the ToS

      I can't imagine people looking to infect devices with keylogging malware are living in fear of the terms of service.

      This isn't a security vulnerability as most responses on here opine about.

      Of course it is. Background processes capturing touch input most certainly is a bug in the iOS application sandbox.

      My car has a gas pedal. Does the ECM for engine management have a "security vulnerability," because I can press hard on the right pedal and do 180mph (illegal by federal law)??

      No. Just because it does not prevent you from doing something illegal does not make it defective. Your analogy certainly is defective though, the application sandbox defines what an application can and cannot do, in this case an application can subvert those restrictions hence the sandbox is defective.

      For example, have a GPS app? It is allowing inputs from other applications (e.g. you can listen to music on the GPS app I have without kicking out to Music app) and inputs (buttons).

      Wrong! The GPS app isn't accepting music input at all and the music application is playing in the background but is not accepting inputs. The volume is a system level process, the button presses are handled by the system to control the volume, not by the app in the background.

    3. Re:So far /. is at 3% reading comprehension rate by AmiMoJo · · Score: 1

      You entirely missed the point. There is no "log all keyboard input" permission for apps to request. I don't think the TOS are very likely to prevent a black hat deploying the exploit. Since Apple doesn't examine every line of code in apps they approve they now need to either close the hole or develop a tool to detect when compiled code tries to make use of it.

      I expect a few apps will be getting updates to remove this exploit now, before Apple closes it off and notices them crashing.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  14. How to get compromised .. by DTentilhao · · Score: 1

    01. Download malware .. 02. Install malware ... 03. Get infected ....

    1. Re:How to get compromised .. by DougOtto · · Score: 2

      04. Wipe hands on pants.

      --
      Solving Unix problems since 1989...
    2. Re:How to get compromised .. by Anubis+IV · · Score: 1

      The real danger here is the ability for the system to automatically update apps to the latest version, which has been a feature since the release of iOS 7. The threat comes from when a developer of an existing app sells it to another company intent on updating that app to include this piece of malware. Suddenly, that little-known game you play every day is a trojan just waiting to infect you the next time you play it. So while the steps that you outlined are still the same, the change here is that steps 1 and 2 are transparent to the user in situations like these, making it all the easier to get infected.

      We've seen this form of attack more recently in the last few months, notably with Chrome extensions that were being purchased by third-parties and then updated to include adware or malware. I'd expect that we'll be seeing similar reports coming from Android and other platforms that allow auto-updating.

    3. Re:How to get compromised .. by Smerta · · Score: 1

      Yes, but isn't that under the user's control? The iOS user decides if apps auto-update or not, correct?

    4. Re:How to get compromised .. by Sancho · · Score: 1

      You can opt-out, certainly. How many will? How many will not just hit the "update all" button if they do opt out?

  15. But how are users treated? by jbn-o · · Score: 1

    Any complex software has bugs and perfection is never available. The important question remains: how are the users treated? If the software respects a user's freedoms to run, inspect, share, and modify the software, users are treated well. If these freedoms are not respected, the user is subjugated. This is an ethical issue with technical ramifications.

    Non-free programs (such as Microsoft Windows and Apple's OSes) are designed and licensed to prohibit anyone but the proprietor from understanding how the software works. Nobody but the proprietor can fix bugs or improve the program (I use the word "improve" purposefully subjectively here). And the proprietor could have included a variety of other problems (from the user's perspective) because proprietary software is often malware. A free software system (such as a GNU/Linux system on which nothing but free software is installed) can be fully inspected, shared, and modified by the users. Free software lets users treat each other ethically, non-free software leaves even the most expert users who are willing to do technical inspection/bugfixing work in the dark and prevents them from sharing with others, thus preventing them from helping others.

    Software freedom is a far better arrangement for the user. Where non-free software users have to wait for a proprietary binary to patch a problem (possibly introducing new problems and leaving other known problems unfixed such as Apple did for over 3 years with an exploitable iTunes bug during which time governments used the hole to invade people's computers), a free software user has additional options. One can choose to learn to program and fix bugs themselves, one can get someone else to fix software for them (even commercially, by hiring someone trustworthy and appropriate just as one would do to fix other things). No one person can understand all the software they need, there's way too much software to do that. But together we can (and do!) maintain free software systems very well.

    --
    Digital Citizen
    1. Re:But how are users treated? by Anonymous Coward · · Score: 0

      The important question remains: how are the users treated? If the software respects a user's freedoms to run, inspect, share, and modify the software, users are treated well. If these freedoms are not respected, the user is subjugated.

      That is just your subjective opinion and given that users are not "subjugated" - because that is just a gross over-exaggeration - your opinion has little value, users are not under "complete control", that is just FUD and you know it. Try presenting your argument in a more balanced way. The reason people often (but not always) choose proprietary software is that choosing to not exercise a particular freedom for a period of time in the context of using a particular product (sometimes even just a particular feature of that product) is more beneficial to them than using an inferior product (I am not saying free software as a whole is inferior but if a non-free product is functionally superior users will choose that) and having that freedom in that context at that time that they do not want/need anyway.

      People would rather have a product that works well and does not offer them the freedom to change it than a product that does not work well and offers them the freedom to fix it themselves. You do not need to pontificate about software freedom, if the software is good enough then people will use it, if not then your product is obviously not good enough.

      This is an ethical issue with technical ramifications.

      Ethics are subjective and if people do not see things from your point of view (and demonstrably most do not) then arguing ethics is obviously pointless.

      A free software system (such as a GNU/Linux system on which nothing but free software is installed) can be fully inspected, shared, and modified by the users.

      The benefit for most end users there is very little because the systems are so complex that even the original architects and key developers often do not fully understand them much less end users with no development experience at all, this is why the vast majority of people do not choose systems based on whether it is open or not. We have seen privilege escalation bugs exist in both free Linux and non-free Windows for over a decade before being fixed for example.

      Free software lets users treat each other ethically, non-free software leaves even the most expert users who are willing to do technical inspection/bugfixing work in the dark and prevents them from sharing with others, thus preventing them from helping others.

      Use of non-free software does not preclude your ability to help others, that is just more FUD.

      Software freedom is a far better arrangement for the user.

      In theory yes I agree but in practice it is a lot less so.

      One can choose to learn to program and fix bugs themselves

      And therein lies the problem. End users want a tool to do a job, they do not want to develop and repair it themselves.

      one can get someone else to fix software for them (even commercially, by hiring someone trustworthy and appropriate just as one would do to fix other things).

      How much is a person expected to pay for this? And while you correctly point out that with non-free software a patch could "possibly introducing new problems and leaving other known problems unfixed" you fail to mention this is exactly the same with patching free software, so more biased arguments.

      All of these supposed benefits could be realized now, there is nothing stopping you from building free software that is better than proprietary software and that is what will win over users. Pontificating about software freedom will not win people over even if you think it should, just as proprietary vendors need to unseat the incumbents with products that are significantly better so does free software.

  16. Re:Can we just go back to the gotofail bug for a s by jo_ham · · Score: 2

    How do we know that this "patch" don't open up a new "NSA backdoor" somewhere else?

    Because the piece that was patched is open source.

    Go have a look through the code if you like.

  17. Not a new thing by rabtech · · Score: 1

    There have always been holes in the App Store and sometimes you can sneak things through.

    The difference is if you try such things and you app becomes even remotely popular, Apple can pull your app and even your developer account so the actual window where your fraud or evil tricks can result in some kind of gain is very small.

    I'm not sure why people constantly fail to recognize this.

    Similarly with the SSL flaw... Apple pushes iOS updates in a way Android users can only dream of; within a month more than 90% of all iOS devices still in use will have the patch applied. Compare that with the web view remotely exploitable hole just revealed for Android... at least half of all Android devices will still have that hole a year from now!

    So in theory yes, Apple is just the same as everyone else. In reality, the actual user experience will be quite different.

    --
    Natural != (nontoxic || beneficial)
  18. Re:Can we just go back to the gotofail bug for a s by Anonymous Coward · · Score: 0

    Sweet pickles... doesn't anyone else think it's INSANE that this hasn't been fixed yet on OS X?!

    It has been fixed on OS X. The update was released this morning.

  19. Yep. I concur. by Wild_dog! · · Score: 1

    No virus' or trojans on any of my OSX or Linux boxes over the past 8 or so years. Lots on the windows boxes in the past.
    But times are changing as they will.
    The higher OSX gets or iOS gets the more likely folks will be seriously targeting these platforms.
    Just simple economics really.

  20. Re:So far /. is at 2.5% reading comprehension rate by Dr.+Evil · · Score: 1

    FTFY

  21. It only works on jailbroken phones by Anonymous Coward · · Score: 0

    It only runs on Jailbroken phones. Once you Jailbreak your phone, you have no expectation of it running properly, reliably or securely. This exploit does NOT work on non-jailbroken phones.

    So sandboxing on non-jailbroken phones works just fine.

    Jailbreaking a phone allows you to read the keychain and such and do other things that are not possible on non-jailbroken phones.

    Since probably 99% or more of iOS users run non-jailbroken phones, this isn't a major issue. And since jailbreaking a phone renders any security guarantees null and void, it's not really a bug since Apple doesn't make any promises about how jailbroken phones behave ...

    1. Re:It only works on jailbroken phones by Anonymous Coward · · Score: 0

      FFS, the title of TFA is "Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation" you dense fucktard