Originally Posted by Virgil-TB2
This is just not true at all.
They had a month from the time Miller announced it, to the day of the black hat conference where he said he would talk about it whether they fixed it or not
. He issued a press release a couple of days ago saying how they were "slow" and they fixed it today.
Correct... Apple WAS slow in fixing this flaw. Miller first notified the public of the bug's existence a few days before 3.0 was released. My understanding is he gave Apple plenty of time before then to issue a patch. The fact that we waited at least six weeks after a known vulnerability was out there before it was finally patched (essentially forced to, since the flaw is now public) is pretty damning on Apple's part. Again, I say this as an iPhone owner and Mac user.
Google was also notified of a similar, but less-severe SMS exploit around the same time. They, however, managed to patch their Android platform within a few days.
This is just misleading. They had a reasonable expectation when this was announced a month ago that the same exploit would also affect them. The fact that a guy only proved this was the case a week ago is irrelevant to the fact that any dimwit could see that the bug was almost certainly going to affect them also.
In case you didn't notice, iPhone OS, Android and Windows Mobile are three separate operating systems
. Each has their own unique code base and systems that govern the phone. Just because one platform is vulnerable doesn't mean the others are as well.
For example, the iPhone is in the worst shape because of the severe nature of the exploit, vs Android, which only had a minor bug that was more of an annoyance than severe. Windows Mobile was *NOT* vulnerable to either of these exploits, which is why Microsoft wasn't notified of any such problem. However, a *NEW* problem with Windows Mobile was discovered on Monday, and Microsoft hadn't been notified. I'm certain Windows Mobile users can expect a security update to their devices within the coming days, hopefully much sooner than Apple's six-week delay.
It's Microsoft that sucks at security and always has. They are the only ones to dat the haven't fixed it, even though Miller never even mentions them in his chest pounding press releases.
Once again, this is because the flaw in Windows Mobile is a separate one from the iPhone and Android. Miller doesn't mention Microsoft in his "chest pounding" as you put it, because again, this discovery was made less than a week ago, and more than likely hasn't been engineered into an actual exploit yet. I'm certain that Miller has informed Microsoft to the problem, and they'll issue a patch once they properly test it on a wide range of devices.
Remember, its not as easy as writing some code and sending it out. You have to test it properly, or else you could have WORSE problems than you did before. Look up Seagate and the bad firmware update story from a year ago, and see what I mean.
it's also worth mentioning that the character has no business being sent to a phone in the first place and if blame is to be apportioned, the carrier is probably more at fault than anyone for not filtering it out in the first place.
While I do think the carrier has a responsibility to monitor some of this stuff, the fact is millions and millions of text messages are processed every day. The way this exploit works is not sending just one malformed character, but sending nearly 500 of them invisibly.
But even still, how would you filter it out? How do you know its not just a regular text from another customer? Why do they need to worry about filtering when issues like this have never really been brought up before?
There's more to it than just "filter it."