Apple releases iPhone 3.0.1 software to fix SMS exploit

>"Apple released an update to its iPhone operating system Thursday"

Pretty sure you mean "Friday", not "Thursday".

downloading it now

Is it snappier?

Mine is only 230.1 MB.

You win first prize for best complaint - EVER!

seems the same, will see. Slacker is working. had some problems with slacker and pandora today with connection timing out. i thought AT&T was cutting me off. 1 week into my billing cycle and i'm up to 428MB of data

Or Saturday, if you're in China, where they're made.

The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?

(I'm not sure about Google Android.)

It affects Android as well.

And I didn't get to go to 3.01 for my touch, and I PAID for my update to OS 3.0, so I'm pouting, even if it doesn't do me any good because I don't have SMS! Wah!

So, my download is only..... ZERO!

Wah!

Wow. All Snappiness jokes aside, it's significantly faster sync-wise for me.

I haven't used the iPhone itself extensively, since the update yet, but After the Update to 3.0.1, my iPhone backed-up, synced a half dozen purchased apps, photo's, songs, notes, etc. in like 35-40 seconds. The sync bars were screaming. On a 16GB 3GS, with 300MB to spare.

Never ever seen that before.

mine seemed to backup faster as well

i have around 23GB of data on mine and usually takes 10 minutes to backup. will see how it goes when i get home

But it seems that Android is fixed--even before Apple did (according to someone posting at MR, anyway). So, everyone but Microsoft has a patch?

As for Touch users... the best feature of a Touch is that it CAN'T get annoying SMS messages from your friends

Apple was notified long before 3.0 came out, and did not issue a patch until over six-weeks later when the OS was released. They did not delay its release to fix this significant flaw, leaving their customers vulnerable for almost two months.

Android had a similar exploit that basically could kick a phone offline indefinitely, which was immediately patched. Microsoft's phone are also affected, but they've only had since Monday (less than a week) to work on it. The WinMo exploit was only found by the guy earlier this week, so they have not had nearly enough time to issue a patch.

Apple, for all their praise and glory, is LAUGHABLE when it comes to security of its products and its customers. It took them 9 months to fix a severe security vulnerability in Java, and that was only because the security researcher released the code to the public. Again, Apple has had ample time to patch a potentially more DANGEROUS flaw in their phones that could give an attacker access to the GPS, knowing exactly where it was in the world. They, once again, only released a patch when the method was known to the public.

Apple sucks at security.

Google and Apple have had months of notification before it was discussed publicly. Microsoft's flaw, however, was only discovered this past Monday, meaning they've had less than a week to work on a patch. So in defense of Microsoft, they just haven't had enough time to patch it yet.

Apple on the other hand waited months after knowing about it before they issued a patch, leaving their customers vulnerable. Android was patched much sooner.

Have there been any documented instances of this flaw being used maliciously?

Is the update "safe" for jailbroken and unlocked i Phones?

eugh! i'm on 3.1, is there a 3.1.1 beta yet??

AI... you missed this text with the update from Apple:

"We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."

Kinda important, no? Charlie Miller is full of crap.

anyone know if this update breaks the IPCC tethering hack? \

This is just not true at all.

They had a month from the time Miller announced it, to the day of the black hat conference where he said he would talk about it whether they fixed it or not. He issued a press release a couple of days ago saying how they were "slow" and they fixed it today.


This is just misleading. They had a reasonable expectation when this was announced a month ago that the same exploit would also affect them. The fact that a guy only proved this was the case a week ago is irrelevant to the fact that any dimwit could see that the bug was almost certainly going to affect them also. It's Microsoft that sucks at security and always has. They are the only ones to dat the haven't fixed it, even though Miller never even mentions them in his chest pounding press releases.

it's also worth mentioning that the character has no business being sent to a phone in the first place and if blame is to be apportioned, the carrier is probably more at fault than anyone for not filtering it out in the first place.

Also wondering if this breaks tethering hack........... anyone?

Wow, Apple didn't put the input validation code in there in the first place? Shame on them.

Finally can turn my 3gs back on lol

Yay!! I drew an attack from Teckstud! That wasn't a complaint, genius. Just an observation for those who might be interested. Geesh you're funny!

I don't get it, why are three different platforms affected by the same bug? Is everyone making the same mistake? It doesn't seem like there should be shared code like when several operating systems were using the BSD TCP/IP stack, including Microsoft.

Google Android is also affected. It has to do with SMS specifically, not any particular implementation.

http://tools.ietf.org/html/draft-iet...p-01#section-7

Correct... Apple WAS slow in fixing this flaw. Miller first notified the public of the bug's existence a few days before 3.0 was released. My understanding is he gave Apple plenty of time before then to issue a patch. The fact that we waited at least six weeks after a known vulnerability was out there before it was finally patched (essentially forced to, since the flaw is now public) is pretty damning on Apple's part. Again, I say this as an iPhone owner and Mac user.

Google was also notified of a similar, but less-severe SMS exploit around the same time. They, however, managed to patch their Android platform within a few days.


In case you didn't notice, iPhone OS, Android and Windows Mobile are three separate operating systems . Each has their own unique code base and systems that govern the phone. Just because one platform is vulnerable doesn't mean the others are as well.

For example, the iPhone is in the worst shape because of the severe nature of the exploit, vs Android, which only had a minor bug that was more of an annoyance than severe. Windows Mobile was *NOT* vulnerable to either of these exploits, which is why Microsoft wasn't notified of any such problem. However, a *NEW* problem with Windows Mobile was discovered on Monday, and Microsoft hadn't been notified. I'm certain Windows Mobile users can expect a security update to their devices within the coming days, hopefully much sooner than Apple's six-week delay.


Once again, this is because the flaw in Windows Mobile is a separate one from the iPhone and Android. Miller doesn't mention Microsoft in his "chest pounding" as you put it, because again, this discovery was made less than a week ago, and more than likely hasn't been engineered into an actual exploit yet. I'm certain that Miller has informed Microsoft to the problem, and they'll issue a patch once they properly test it on a wide range of devices.

Remember, its not as easy as writing some code and sending it out. You have to test it properly, or else you could have WORSE problems than you did before. Look up Seagate and the bad firmware update story from a year ago, and see what I mean.


While I do think the carrier has a responsibility to monitor some of this stuff, the fact is millions and millions of text messages are processed every day. The way this exploit works is not sending just one malformed character, but sending nearly 500 of them invisibly.

But even still, how would you filter it out? How do you know its not just a regular text from another customer? Why do they need to worry about filtering when issues like this have never really been brought up before?

There's more to it than just "filter it."

Android was also patched a few weeks ago. If you have an android phone, make sure you accept those updates.

The backup only backs up SMS, settings, notes, application settings, etc, it does not backup applications, photos, music, videos, etc.

Any content that is synced via iTunes is not part of the backup as it can always be resyned to the iPod from iTunes.

still has trouble connecting with wifi, my macbook has 3 bars iphone zero bars.
i guess this is a known problem with weak wifi connection doesn't find my network till i'm in the same room with the router then it will keep it for a while
but update went fine

I've heard that once you jailbroke your 3GS , you cannot update or you will permanently brick your phone, no option to restore through Itunes or re-jailbreak. I'm not %100 on this, but wouldn't take the chance if I were you.

You wont brick your device, but you not be able to jailbreak it for awhile if the exploit gets patched in the update. Best just not to update until Dev Team gives you the go ahead.

for some odd reason i got a major boost in cell phone reception from 1-2 bar to 3-5 bar 3g on my new 3gs! i dont know if this is a fluke or just that maybe people who jailbroken their phones now have bricks that has freed up AT&T towers from their interference cause by their hacked phonesmaybe apple is onto something by updating software to clear phones periodically of hacked software. i am loving all of my new found freedom of making calls anywhere in my home without worrying about losing quality or dropped calls, for now at least until the jailbroken community comes back online. i wish there was a way for apple and that community to join forces to offer all of the cool apps that seems to be so popular to make people to want to jailbreak in the first place! until then i will wait like a good little mac geek too scared to screw up his new toy. everyone else who has the guts enjoy i hope to be there soon where we can live in peace!

No offence (as I can see you took a while on the response, but this is all just a lot of blah, blah, blah form my perspective. You kind of re-iterate everything you asserted in your first post (the one I replied to), but don't actually add anything substantive to the argument or seriously refute any of my statements.

IMO the nature of the bug(s) is such that MS can be considered to have got it's "warning" at the same time as everyone else which, according to Miller's own words was "a month" (not two) but I'm not going to do research on that to find out exactly what the times were because I just don't really care. Apple fixed the bug in a reasonable amount of time AFAICS, but I'll give you that their wording on "fixing it 48 hours after it was successfully demonstrated" is kind of a lame dodge. The Android *community* (not necessarily just Google), did fix it faster and I never doubted that. Microsoft still hasn't fixed their bug and I don't think they have any real excuse to hang that on, but on the other hand this is really not that dangerous a bug in the real world.

The fact that Charlie Miller is a big blowhard bent on self aggrandisement and with a big anti-Apple bias is pretty well-known so I won't bother defending that. The fact that the media just repeated all his words verbatim without any real analysis or even looking into the facts is also a given IMO.

I think all the companies with the exception of Microsoft, Mr. Miller and the media, did their jobs rather well in fact, and the whole situation is just another "tempest in a teapot" from Mr. Miller at the end of the day.

I think he will actually have to cross over to the dark side and do an exploit himself if he really wants to satisfy his urges to prove Apple's security sucks.

No Not a One. Its a wonder what everyone is crying about.


This is a pretty strong statement with nothing whatsoever to back it up. Why does apple suck at security any more then anyone else. \

I doubt Android and Windows Mobile will be patched as T-Mobile has patched the network side of things and I assume all carriers will eventually.

I think Apple obviously had to patch the iPhone due to the fact of all the bad press.

The fact is Android is not patched and the only reason Google said its taken care of is because T-Mobile has done something with their network. Thats what I have heard.

Accept the facts. Apple didn't fix the security Flaw. If you don't believe it was a flaw then I would expect that you are smarter than the Apple Team that rushed to get this out ASAP after this guy gave them more than enough time to FIX IT and called them on it and made them look foolish for letting this go.

Windows found about it on Monday (I would expect they are working on a fix).
If not he will likely do the same thing for Microsoft as hes concerned with the security of the end user.

Android fixed the security Flaw.

Sleep well this weekend knowing that you are smarter than Apple and would have left the security flaw go unfixed.

yuusharo and many others on the forum did an excellent job explaining the entire history and when & who was notified and who took action. They put it in terms the average 3rd grader could understand.

Yes, actually you will brick your phone. I was told this by the guy who jailbroke my phone, and now as of today people are updating and bricking their phones. The link is below. Dfu mode does NOT work, restoring, hard reset etc., they all don't work with a jailbroken 3GS so be warned everybody that had their 3GS jailbroken/unlocked.

http://forums.macrumors.com/showthread.php?t=756956