Another Pegasus-like spyware tool called 'Reign' was used to spy on iPhones

Posted:
in iOS
Echoing NSO Group's Pegasus debacle, another spyware tool that could attack the iPhone was sold to governments, and has only now been discovered.




Spying software is often used by security agencies and governments to monitor individuals of interest. This was most famously demonstrated by the discovery of Pegasus, spyware by NSO Group that was sold and used to spy on political opponents, activists, and journalists.

While the Pegasus discussion has died down, it seems that NSO Group wasn't the only organization selling tools capable of surveilling an iPhone to interested parties.

A report from Citizen Lab based on analysis of samples shared by Microsoft Threat Intelligence revealed the existence of a spying tool that was very similar to Pegasus in many ways. Known as "Reign," the spyware by the Israeli company QuaDream offers ways for governments to, again, keep tabs on their potential opposition.

Much like Pegasus, Reign has been sold to governments including Singapore, Saudi Arabia, Mexico, and Ghana. It was pitched to others including Indonesia and Morocco.

The tool has also been used in at least five cases. To date it has been used against political opposition figures, journalists, and others in North America, Central Asia, Southeast Asia, Europe, and the Middle East.

Zero-click and devastating

Binaries scanned by the team reveal the spyware was deployed to target devices by using a suspected iOS 14 zero-click exploit, including against iOS 14.4 and iOS 14.4.2. The exploit, which researchers refer to as "Endofdays," used invisible iCloud calendar invitations sent to victims.

Once installed, Reign had a considerable amount of access to the various components of iOS and iPhone features, much like Pegasus did. This included:

  • Recording audio of calls

  • Recording the microphone

  • Taking photographs using cameras

  • Exfiltrating and removing items from the Keychain

  • Generating iCloud 2FA passwords

  • Searching through files and databases on the device

  • Tracking the device's location

  • Cleaning up traces of the software to minimize detection.

A self-destruct feature cleaned up the traces of the spyware, but also helped researchers identify if a victim was attacked using the surveillance tool.

A continuing privacy danger

QuaDream continues to operate. It managed to avoid being discovered for a considerable period of time because of efforts to avoid scrutiny.

The firm is also in a legal dispute with InReach, a Cyprus-based entity used to sell QuaDream's products outside of Israel. The dispute, over an apparent failure to transfer funds in 2019, helped researchers discover more about the companies, including their officers.

QuaDream is believed to have "common roots" with NSO Group, according to Citizen Lab, along with other companies within the Israeli commercial spyware industry, as well as intelligence agencies within the Israeli government.

Among the key individuals is a co-founder who was a former Israeli military official, and former NSO employees.

Citizen Lab says the report is "a reminder that the industry for mercenary spyware is larger than any one company, and that continued vigilance is required by researchers and potential targets alike."

Read on AppleInsider

Comments

  • Reply 1 of 9
    lkrupplkrupp Posts: 10,557member
    Wait. What? Ohh, I thought this was a current exploit. My bad. But this should end the argument over whether Apple should allow users to downgrade iOS versions, whether Apple should should be so aggressive in promoting upgrades to the latest versions, and end the “planned obsolescence” claims. But we all know it won’t so whatever.
    danoxwatto_cobra
  • Reply 2 of 9
    danoxdanox Posts: 3,284member
    Washington DC where are you?
    watto_cobra
  • Reply 3 of 9
    avon b7avon b7 Posts: 7,972member
    lkrupp said:
    Wait. What? Ohh, I thought this was a current exploit. My bad. But this should end the argument over whether Apple should allow users to downgrade iOS versions, whether Apple should should be so aggressive in promoting upgrades to the latest versions, and end the “planned obsolescence” claims. But we all know it won’t so whatever.
    What? Just fix the problem in the same lineage it exists in! 

    Have you ever considered the fact that yearly major updates are part of the problem? 
  • Reply 4 of 9
    avon b7 said:
    lkrupp said:
    Wait. What? Ohh, I thought this was a current exploit. My bad. But this should end the argument over whether Apple should allow users to downgrade iOS versions, whether Apple should should be so aggressive in promoting upgrades to the latest versions, and end the “planned obsolescence” claims. But we all know it won’t so whatever.
    What? Just fix the problem in the same lineage it exists in! 

    Have you ever considered the fact that yearly major updates are part of the problem? 
    Have you considered major yearly updates are part of the solution? Some people assume yearly major updates are part of the problem without any evidence. Look at Windows 10, had none of what people consider major updates, yet some of those minor updates caused major issues. Windows 10 has had printer issues after updates. The March 2023 mandatory security update has caused blue screen of death and performance issues. With major updates, users expect changes that will likely cause problems and minor updates could but should not cause problems. With major updates, Apple has the opportunity to dump old code, enact new security and privacy methods that would be too drastic for point updates. Another example, been trying to get the manufacture of my favorite game to support Macs better by moving to Metal and when ASi Macs came out, support native ASi code. They supported iPads and iPhones, so it wouldn't be that heavy lift. Then one day they came out with a point update that used Metal and ASi native code, trouble was they dropped support for previous Mac OS versions that didn't support ASi Macs. So you had people who bought that major version of the game, who can run Metal apps on their Mac, and the easier versions of that major release, but not the latest versions of that major release because they couldn't run the newest versions of Mac OS. It was a weird situation, however they have a new major version, which makes it clearer. Major versions bring in the funds and the excitement. Minor versions do not.
    watto_cobra
  • Reply 5 of 9
    avon b7avon b7 Posts: 7,972member
    avon b7 said:
    lkrupp said:
    Wait. What? Ohh, I thought this was a current exploit. My bad. But this should end the argument over whether Apple should allow users to downgrade iOS versions, whether Apple should should be so aggressive in promoting upgrades to the latest versions, and end the “planned obsolescence” claims. But we all know it won’t so whatever.
    What? Just fix the problem in the same lineage it exists in! 

    Have you ever considered the fact that yearly major updates are part of the problem? 
    Have you considered major yearly updates are part of the solution? Some people assume yearly major updates are part of the problem without any evidence. Look at Windows 10, had none of what people consider major updates, yet some of those minor updates caused major issues. Windows 10 has had printer issues after updates. The March 2023 mandatory security update has caused blue screen of death and performance issues. With major updates, users expect changes that will likely cause problems and minor updates could but should not cause problems. With major updates, Apple has the opportunity to dump old code, enact new security and privacy methods that would be too drastic for point updates. Another example, been trying to get the manufacture of my favorite game to support Macs better by moving to Metal and when ASi Macs came out, support native ASi code. They supported iPads and iPhones, so it wouldn't be that heavy lift. Then one day they came out with a point update that used Metal and ASi native code, trouble was they dropped support for previous Mac OS versions that didn't support ASi Macs. So you had people who bought that major version of the game, who can run Metal apps on their Mac, and the easier versions of that major release, but not the latest versions of that major release because they couldn't run the newest versions of Mac OS. It was a weird situation, however they have a new major version, which makes it clearer. Major versions bring in the funds and the excitement. Minor versions do not.
    There is little to consider. 

    We are talking major, zero click exploits here. They should be fixed within the same lineage. They are bugs after all. 

    Major updates on a yearly cycle are beyond most companies. They introduce deadlines that cannot be met reasonably. Apple is no exception and code quality has probably suffered badly over the last decade even with the improvements. Only Apple can know for sure but external evidence points to some very buggy iOS releases.

    Trying to flip the tortilla by saying it allows Apple to eliminate crud doesn't resolve the problem. 

    I've seen some drafts from the EU which cover software support in an upcoming directive. If approved as is, device manufacturers will have to state on the box how long software support will be and the EU will set a minimum. Software/firmware updates that add new functionality will be user reversible as will updates that reduce performance. 

    It's worth pointing out that in terms of security updates Apple is pretty good at getting solutions out but making them part of major updates has always been a problem. It is by definition because major updates introduce major plumbing changes. Apple also took way too long to introduce bug bounty programmes. 
    muthuk_vanalingam
  • Reply 6 of 9
    avon b7 said:
    avon b7 said:
    lkrupp said:
    Wait. What? Ohh, I thought this was a current exploit. My bad. But this should end the argument over whether Apple should allow users to downgrade iOS versions, whether Apple should should be so aggressive in promoting upgrades to the latest versions, and end the “planned obsolescence” claims. But we all know it won’t so whatever.
    What? Just fix the problem in the same lineage it exists in! 

    Have you ever considered the fact that yearly major updates are part of the problem? 
    Have you considered major yearly updates are part of the solution? Some people assume yearly major updates are part of the problem without any evidence. Look at Windows 10, had none of what people consider major updates, yet some of those minor updates caused major issues. Windows 10 has had printer issues after updates. The March 2023 mandatory security update has caused blue screen of death and performance issues. With major updates, users expect changes that will likely cause problems and minor updates could but should not cause problems. With major updates, Apple has the opportunity to dump old code, enact new security and privacy methods that would be too drastic for point updates. Another example, been trying to get the manufacture of my favorite game to support Macs better by moving to Metal and when ASi Macs came out, support native ASi code. They supported iPads and iPhones, so it wouldn't be that heavy lift. Then one day they came out with a point update that used Metal and ASi native code, trouble was they dropped support for previous Mac OS versions that didn't support ASi Macs. So you had people who bought that major version of the game, who can run Metal apps on their Mac, and the easier versions of that major release, but not the latest versions of that major release because they couldn't run the newest versions of Mac OS. It was a weird situation, however they have a new major version, which makes it clearer. Major versions bring in the funds and the excitement. Minor versions do not.
    There is little to consider. 

    We are talking major, zero click exploits here. They should be fixed within the same lineage. They are bugs after all. 

    Major updates on a yearly cycle are beyond most companies. They introduce deadlines that cannot be met reasonably. Apple is no exception and code quality has probably suffered badly over the last decade even with the improvements. Only Apple can know for sure but external evidence points to some very buggy iOS releases.

    Trying to flip the tortilla by saying it allows Apple to eliminate crud doesn't resolve the problem. 

    I've seen some drafts from the EU which cover software support in an upcoming directive. If approved as is, device manufacturers will have to state on the box how long software support will be and the EU will set a minimum. Software/firmware updates that add new functionality will be user reversible as will updates that reduce performance. 

    It's worth pointing out that in terms of security updates Apple is pretty good at getting solutions out but making them part of major updates has always been a problem. It is by definition because major updates introduce major plumbing changes. Apple also took way too long to introduce bug bounty programmes. 
    Your rant has nothing to do with this bug. You keep saying bugs should be fixed within the same linages, yet this bug only was only confirmed with the 14.4 series of iOS and suspected of other versions. This spyware was only confirmed infecting between January and November of 2021. 14.5 had fixes for root level exploits. 14.8 had a fix for the Pegasus spyware exploit. Where is the evidence that this wasn’t fixed in the same linage? Apple does security point updates, not just for the current major version but several previous versions also, not all but some. Moreover, the current version has a mechanism to implement quick security updates. You keep saying major yearly updates are the problem and yet you conclude only Apple really knows. Sticking with point updates for a bit is no guarantee of fixing bugs. What deadline was Microsoft up against that caused them to BSOD and performance issues in March 2023? Apple has delayed major releases due to bugs. Yet Apple still has to release new software to enable new hardware. People expect new major software updates. I buy a new iPhone, I expect so many years of major updates. It is precisely those major plumbing updates that allow Apple to introduce new security and privacy features and cut the crud. This is a benefit as well as a curse. 

     Getting rid of crud is a major improvement, not a minor. There has been many bugs that have been exploited due to old software, even old open source software. Part of the problem is old software was built with old tools that didn’t enforce variable types and other methods that reduce potential problems which increases security. People didn’t program with an eye toward security as much. People didn’t think of security as much so long ago. 
  • Reply 7 of 9
    avon b7avon b7 Posts: 7,972member
    avon b7 said:
    avon b7 said:
    lkrupp said:
    Wait. What? Ohh, I thought this was a current exploit. My bad. But this should end the argument over whether Apple should allow users to downgrade iOS versions, whether Apple should should be so aggressive in promoting upgrades to the latest versions, and end the “planned obsolescence” claims. But we all know it won’t so whatever.
    What? Just fix the problem in the same lineage it exists in! 

    Have you ever considered the fact that yearly major updates are part of the problem? 
    Have you considered major yearly updates are part of the solution? Some people assume yearly major updates are part of the problem without any evidence. Look at Windows 10, had none of what people consider major updates, yet some of those minor updates caused major issues. Windows 10 has had printer issues after updates. The March 2023 mandatory security update has caused blue screen of death and performance issues. With major updates, users expect changes that will likely cause problems and minor updates could but should not cause problems. With major updates, Apple has the opportunity to dump old code, enact new security and privacy methods that would be too drastic for point updates. Another example, been trying to get the manufacture of my favorite game to support Macs better by moving to Metal and when ASi Macs came out, support native ASi code. They supported iPads and iPhones, so it wouldn't be that heavy lift. Then one day they came out with a point update that used Metal and ASi native code, trouble was they dropped support for previous Mac OS versions that didn't support ASi Macs. So you had people who bought that major version of the game, who can run Metal apps on their Mac, and the easier versions of that major release, but not the latest versions of that major release because they couldn't run the newest versions of Mac OS. It was a weird situation, however they have a new major version, which makes it clearer. Major versions bring in the funds and the excitement. Minor versions do not.
    There is little to consider. 

    We are talking major, zero click exploits here. They should be fixed within the same lineage. They are bugs after all. 

    Major updates on a yearly cycle are beyond most companies. They introduce deadlines that cannot be met reasonably. Apple is no exception and code quality has probably suffered badly over the last decade even with the improvements. Only Apple can know for sure but external evidence points to some very buggy iOS releases.

    Trying to flip the tortilla by saying it allows Apple to eliminate crud doesn't resolve the problem. 

    I've seen some drafts from the EU which cover software support in an upcoming directive. If approved as is, device manufacturers will have to state on the box how long software support will be and the EU will set a minimum. Software/firmware updates that add new functionality will be user reversible as will updates that reduce performance. 

    It's worth pointing out that in terms of security updates Apple is pretty good at getting solutions out but making them part of major updates has always been a problem. It is by definition because major updates introduce major plumbing changes. Apple also took way too long to introduce bug bounty programmes. 
    Your rant has nothing to do with this bug. You keep saying bugs should be fixed within the same linages, yet this bug only was only confirmed with the 14.4 series of iOS and suspected of other versions. This spyware was only confirmed infecting between January and November of 2021. 14.5 had fixes for root level exploits. 14.8 had a fix for the Pegasus spyware exploit. Where is the evidence that this wasn’t fixed in the same linage? Apple does security point updates, not just for the current major version but several previous versions also, not all but some. Moreover, the current version has a mechanism to implement quick security updates. You keep saying major yearly updates are the problem and yet you conclude only Apple really knows. Sticking with point updates for a bit is no guarantee of fixing bugs. What deadline was Microsoft up against that caused them to BSOD and performance issues in March 2023? Apple has delayed major releases due to bugs. Yet Apple still has to release new software to enable new hardware. People expect new major software updates. I buy a new iPhone, I expect so many years of major updates. It is precisely those major plumbing updates that allow Apple to introduce new security and privacy features and cut the crud. This is a benefit as well as a curse. 

     Getting rid of crud is a major improvement, not a minor. There has been many bugs that have been exploited due to old software, even old open source software. Part of the problem is old software was built with old tools that didn’t enforce variable types and other methods that reduce potential problems which increases security. People didn’t program with an eye toward security as much. People didn’t think of security as much so long ago. 
    It doesn't matter when bugs are confirmed. That is irrelevant. Once discovered, they are applicable going back in lineage until such a point where they are not applicable. 

    Implying 'I don't know for sure how buggy Apple’s coding is so I can't have a relevant opinion' doesn't alter what I am saying. 

    Major yearly updates are definitely part of the problem. Complexity is another. From API's, general frameworks, compilers, security etc. 

    ALL security frameworks are based off decades old security models. I'm not sure why you say people didn't code with an eye for security. Operating systems have had security as a major foundational objective for years. App development using OS APIs can have bugs but at worst you know they should not impact security at a deeper level. We obviously understand that bugs can punch big holes into security but uninstalling an app is easy. That isn't really possible at OS level. 

    The shorter the development process, the more likely bugs will be present. The development process itself is a balancing act of bugs vs usability, threat vs risk, cost vs performance etc.

    I haven't seen Apple’s security model so I don't know what goals or level of certification it aspires to but for modern operating systems we can consider that basically moot unless they actually have a formal design review and testing process as part of it. That is unlikely given the outward facing nature of its operating systems in the consumer realm. I imagine Apple aspires to something like B2/EAL-5.

    Software gets released with 'known issues' as a result. It is also released with unknown issues, some of them are potentially disastrous for security. Lack of development time (pushed by deadlines) means lack of testing, lack of security research etc. 

    Yes, there are trade-offs involved in bringing software to market but zero click security issues should always be fixed on the original lineage and the mere suggestion of fixing something as part of a major upgrade should be scoffed at. Yes, that is only my opinion. 

    The problem is that with yearly major update cycles there is a huge reason to do just that. 


  • Reply 8 of 9
    avon b7 said:
    avon b7 said:
    avon b7 said:
    lkrupp said:
    Wait. What? Ohh, I thought this was a current exploit. My bad. But this should end the argument over whether Apple should allow users to downgrade iOS versions, whether Apple should should be so aggressive in promoting upgrades to the latest versions, and end the “planned obsolescence” claims. But we all know it won’t so whatever.
    What? Just fix the problem in the same lineage it exists in! 

    Have you ever considered the fact that yearly major updates are part of the problem? 
    Have you considered major yearly updates are part of the solution? Some people assume yearly major updates are part of the problem without any evidence. Look at Windows 10, had none of what people consider major updates, yet some of those minor updates caused major issues. Windows 10 has had printer issues after updates. The March 2023 mandatory security update has caused blue screen of death and performance issues. With major updates, users expect changes that will likely cause problems and minor updates could but should not cause problems. With major updates, Apple has the opportunity to dump old code, enact new security and privacy methods that would be too drastic for point updates. Another example, been trying to get the manufacture of my favorite game to support Macs better by moving to Metal and when ASi Macs came out, support native ASi code. They supported iPads and iPhones, so it wouldn't be that heavy lift. Then one day they came out with a point update that used Metal and ASi native code, trouble was they dropped support for previous Mac OS versions that didn't support ASi Macs. So you had people who bought that major version of the game, who can run Metal apps on their Mac, and the easier versions of that major release, but not the latest versions of that major release because they couldn't run the newest versions of Mac OS. It was a weird situation, however they have a new major version, which makes it clearer. Major versions bring in the funds and the excitement. Minor versions do not.
    There is little to consider. 

    We are talking major, zero click exploits here. They should be fixed within the same lineage. They are bugs after all. 

    Major updates on a yearly cycle are beyond most companies. They introduce deadlines that cannot be met reasonably. Apple is no exception and code quality has probably suffered badly over the last decade even with the improvements. Only Apple can know for sure but external evidence points to some very buggy iOS releases.

    Trying to flip the tortilla by saying it allows Apple to eliminate crud doesn't resolve the problem. 

    I've seen some drafts from the EU which cover software support in an upcoming directive. If approved as is, device manufacturers will have to state on the box how long software support will be and the EU will set a minimum. Software/firmware updates that add new functionality will be user reversible as will updates that reduce performance. 

    It's worth pointing out that in terms of security updates Apple is pretty good at getting solutions out but making them part of major updates has always been a problem. It is by definition because major updates introduce major plumbing changes. Apple also took way too long to introduce bug bounty programmes. 
    Your rant has nothing to do with this bug. You keep saying bugs should be fixed within the same linages, yet this bug only was only confirmed with the 14.4 series of iOS and suspected of other versions. This spyware was only confirmed infecting between January and November of 2021. 14.5 had fixes for root level exploits. 14.8 had a fix for the Pegasus spyware exploit. Where is the evidence that this wasn’t fixed in the same linage? Apple does security point updates, not just for the current major version but several previous versions also, not all but some. Moreover, the current version has a mechanism to implement quick security updates. You keep saying major yearly updates are the problem and yet you conclude only Apple really knows. Sticking with point updates for a bit is no guarantee of fixing bugs. What deadline was Microsoft up against that caused them to BSOD and performance issues in March 2023? Apple has delayed major releases due to bugs. Yet Apple still has to release new software to enable new hardware. People expect new major software updates. I buy a new iPhone, I expect so many years of major updates. It is precisely those major plumbing updates that allow Apple to introduce new security and privacy features and cut the crud. This is a benefit as well as a curse. 

     Getting rid of crud is a major improvement, not a minor. There has been many bugs that have been exploited due to old software, even old open source software. Part of the problem is old software was built with old tools that didn’t enforce variable types and other methods that reduce potential problems which increases security. People didn’t program with an eye toward security as much. People didn’t think of security as much so long ago. 
    It doesn't matter when bugs are confirmed. That is irrelevant. Once discovered, they are applicable going back in lineage until such a point where they are not applicable. 

    Implying 'I don't know for sure how buggy Apple’s coding is so I can't have a relevant opinion' doesn't alter what I am saying. 

    Major yearly updates are definitely part of the problem. Complexity is another. From API's, general frameworks, compilers, security etc. 

    ALL security frameworks are based off decades old security models. I'm not sure why you say people didn't code with an eye for security. Operating systems have had security as a major foundational objective for years. App development using OS APIs can have bugs but at worst you know they should not impact security at a deeper level. We obviously understand that bugs can punch big holes into security but uninstalling an app is easy. That isn't really possible at OS level. 

    The shorter the development process, the more likely bugs will be present. The development process itself is a balancing act of bugs vs usability, threat vs risk, cost vs performance etc.

    I haven't seen Apple’s security model so I don't know what goals or level of certification it aspires to but for modern operating systems we can consider that basically moot unless they actually have a formal design review and testing process as part of it. That is unlikely given the outward facing nature of its operating systems in the consumer realm. I imagine Apple aspires to something like B2/EAL-5.

    Software gets released with 'known issues' as a result. It is also released with unknown issues, some of them are potentially disastrous for security. Lack of development time (pushed by deadlines) means lack of testing, lack of security research etc. 

    Yes, there are trade-offs involved in bringing software to market but zero click security issues should always be fixed on the original lineage and the mere suggestion of fixing something as part of a major upgrade should be scoffed at. Yes, that is only my opinion. 

    The problem is that with yearly major update cycles there is a huge reason to do just that. 


    Of course it matters when bugs are confirmed. You can't know how far back the bugs go without some indication of when bugs are confirmed. Basic troubleshooting 101. Was it fixed by 14.8 or by the major release? You keep saying security issues should be fixed within the linage, how do you know this bug wasn't fixed within this linage, if you don't care when bugs are confirmed?

    Your whole idea that these major release is higher in bugs due to short timeframe, fails just upon none of really knows how long Apple spends on these major releases, prior to even announcing them at WWDC. Further, you are missing the tools to check for bugs, and the underlying language are not the same as decades ago. Part of the selling point of Swift is that Swift is a safer language. You can have whatever opinion you want, but you cannot point to anything where these Major releases are a problem more than the point release that Windows or Linux does. Rarely does a week go by that my Linux box have some update. Point updates still have major problems and you can't acknowledge that. Security updates are have to be short deadline, does that mean they are buggy too? 

    There is no proof that the major releases force a short deadline, and thus bugs because we have no idea how much time Apple actually spends prior to WWDC. Further we have no idea if Apple moves to point releases, that will actually reduce the amount of bugs.
    watto_cobramacike
  • Reply 9 of 9
    avon b7avon b7 Posts: 7,972member
    avon b7 said:
    avon b7 said:
    avon b7 said:
    lkrupp said:
    Wait. What? Ohh, I thought this was a current exploit. My bad. But this should end the argument over whether Apple should allow users to downgrade iOS versions, whether Apple should should be so aggressive in promoting upgrades to the latest versions, and end the “planned obsolescence” claims. But we all know it won’t so whatever.
    What? Just fix the problem in the same lineage it exists in! 

    Have you ever considered the fact that yearly major updates are part of the problem? 
    Have you considered major yearly updates are part of the solution? Some people assume yearly major updates are part of the problem without any evidence. Look at Windows 10, had none of what people consider major updates, yet some of those minor updates caused major issues. Windows 10 has had printer issues after updates. The March 2023 mandatory security update has caused blue screen of death and performance issues. With major updates, users expect changes that will likely cause problems and minor updates could but should not cause problems. With major updates, Apple has the opportunity to dump old code, enact new security and privacy methods that would be too drastic for point updates. Another example, been trying to get the manufacture of my favorite game to support Macs better by moving to Metal and when ASi Macs came out, support native ASi code. They supported iPads and iPhones, so it wouldn't be that heavy lift. Then one day they came out with a point update that used Metal and ASi native code, trouble was they dropped support for previous Mac OS versions that didn't support ASi Macs. So you had people who bought that major version of the game, who can run Metal apps on their Mac, and the easier versions of that major release, but not the latest versions of that major release because they couldn't run the newest versions of Mac OS. It was a weird situation, however they have a new major version, which makes it clearer. Major versions bring in the funds and the excitement. Minor versions do not.
    There is little to consider. 

    We are talking major, zero click exploits here. They should be fixed within the same lineage. They are bugs after all. 

    Major updates on a yearly cycle are beyond most companies. They introduce deadlines that cannot be met reasonably. Apple is no exception and code quality has probably suffered badly over the last decade even with the improvements. Only Apple can know for sure but external evidence points to some very buggy iOS releases.

    Trying to flip the tortilla by saying it allows Apple to eliminate crud doesn't resolve the problem. 

    I've seen some drafts from the EU which cover software support in an upcoming directive. If approved as is, device manufacturers will have to state on the box how long software support will be and the EU will set a minimum. Software/firmware updates that add new functionality will be user reversible as will updates that reduce performance. 

    It's worth pointing out that in terms of security updates Apple is pretty good at getting solutions out but making them part of major updates has always been a problem. It is by definition because major updates introduce major plumbing changes. Apple also took way too long to introduce bug bounty programmes. 
    Your rant has nothing to do with this bug. You keep saying bugs should be fixed within the same linages, yet this bug only was only confirmed with the 14.4 series of iOS and suspected of other versions. This spyware was only confirmed infecting between January and November of 2021. 14.5 had fixes for root level exploits. 14.8 had a fix for the Pegasus spyware exploit. Where is the evidence that this wasn’t fixed in the same linage? Apple does security point updates, not just for the current major version but several previous versions also, not all but some. Moreover, the current version has a mechanism to implement quick security updates. You keep saying major yearly updates are the problem and yet you conclude only Apple really knows. Sticking with point updates for a bit is no guarantee of fixing bugs. What deadline was Microsoft up against that caused them to BSOD and performance issues in March 2023? Apple has delayed major releases due to bugs. Yet Apple still has to release new software to enable new hardware. People expect new major software updates. I buy a new iPhone, I expect so many years of major updates. It is precisely those major plumbing updates that allow Apple to introduce new security and privacy features and cut the crud. This is a benefit as well as a curse. 

     Getting rid of crud is a major improvement, not a minor. There has been many bugs that have been exploited due to old software, even old open source software. Part of the problem is old software was built with old tools that didn’t enforce variable types and other methods that reduce potential problems which increases security. People didn’t program with an eye toward security as much. People didn’t think of security as much so long ago. 
    It doesn't matter when bugs are confirmed. That is irrelevant. Once discovered, they are applicable going back in lineage until such a point where they are not applicable. 

    Implying 'I don't know for sure how buggy Apple’s coding is so I can't have a relevant opinion' doesn't alter what I am saying. 

    Major yearly updates are definitely part of the problem. Complexity is another. From API's, general frameworks, compilers, security etc. 

    ALL security frameworks are based off decades old security models. I'm not sure why you say people didn't code with an eye for security. Operating systems have had security as a major foundational objective for years. App development using OS APIs can have bugs but at worst you know they should not impact security at a deeper level. We obviously understand that bugs can punch big holes into security but uninstalling an app is easy. That isn't really possible at OS level. 

    The shorter the development process, the more likely bugs will be present. The development process itself is a balancing act of bugs vs usability, threat vs risk, cost vs performance etc.

    I haven't seen Apple’s security model so I don't know what goals or level of certification it aspires to but for modern operating systems we can consider that basically moot unless they actually have a formal design review and testing process as part of it. That is unlikely given the outward facing nature of its operating systems in the consumer realm. I imagine Apple aspires to something like B2/EAL-5.

    Software gets released with 'known issues' as a result. It is also released with unknown issues, some of them are potentially disastrous for security. Lack of development time (pushed by deadlines) means lack of testing, lack of security research etc. 

    Yes, there are trade-offs involved in bringing software to market but zero click security issues should always be fixed on the original lineage and the mere suggestion of fixing something as part of a major upgrade should be scoffed at. Yes, that is only my opinion. 

    The problem is that with yearly major update cycles there is a huge reason to do just that. 


    Of course it matters when bugs are confirmed. You can't know how far back the bugs go without some indication of when bugs are confirmed. Basic troubleshooting 101. Was it fixed by 14.8 or by the major release? You keep saying security issues should be fixed within the linage, how do you know this bug wasn't fixed within this linage, if you don't care when bugs are confirmed?

    Your whole idea that these major release is higher in bugs due to short timeframe, fails just upon none of really knows how long Apple spends on these major releases, prior to even announcing them at WWDC. Further, you are missing the tools to check for bugs, and the underlying language are not the same as decades ago. Part of the selling point of Swift is that Swift is a safer language. You can have whatever opinion you want, but you cannot point to anything where these Major releases are a problem more than the point release that Windows or Linux does. Rarely does a week go by that my Linux box have some update. Point updates still have major problems and you can't acknowledge that. Security updates are have to be short deadline, does that mean they are buggy too? 

    There is no proof that the major releases force a short deadline, and thus bugs because we have no idea how much time Apple actually spends prior to WWDC. Further we have no idea if Apple moves to point releases, that will actually reduce the amount of bugs.
    When a bug is confirmed is irrelevant. What matters is that it is confirmed (discovered). 

    The 'when' part only serves as an indicator of potential exploits and how far they go back in lineage. A bug that is found soon after release and patched is less likely to have exploits. Obviously the sooner that happens, the better.

    As far a length of time of development before going live is concerned, as I have already said, only Apple can know and that is something that is tied to too many variables to know for sure.

    The best indicators are the bugs themselves and how Apple acts to find and squash them. 

    Here is where we have something to go on and yes, IMO, a yearly major upgrade cycle will always leave them less well protected. 

    We also know that until relatively recently, Apple wouldn't let many people see the code for long enough to catch bugs, big or small before release. There have been some very embarrassing bugs over the years that suggest literally no one checked for certain things. Some bugs have led to data loss. Those errors were representative of very sloppy protocol implementations. Some as simple as running through a checklist. 

    It took way too long to get into the bug bounty arena and even when it announced a programme there were complaints about implementation and transparency. 

    It is typical for Apple to sit on user facing bugs in its apps (that pose no security) threat for literally years. Some never ever get fixed. I've been bitten by some of them. 

    Things like Pages would get released, soon after there would be a bug fix release and maybe another but absolutely no real development after that. You were on your own to work around them.

    Why was this? We know the answer.

    The people doing the cooking were being moved around to other projects. Then, when it was time for a big Pages update, people would be brought in again for new features and a rinse, repeat of the whole process. 

    We also know this happens at an OS level. That of course is inevitable but if you are working to short cycles, bugs will be more probable. 

    Some extremely stupid OS bugs never fixed. When Apple introduced smart folders and smart searches (I can't remember the official English names as my system is in Spanish) I took advantage to create a lot of smart search items. It was painstaking but worth it as I expected system level support rather than depending on Apple's apps which are notorious for changing (losing functionality) or simply getting killed.

    How wrong I was. The very next major system update broke everything. The cause? Someone in localisation had translated some strings that they shouldn't have. Devastation ensued. It never got fixed.

    Here is a hitch potch collection of commentary but just from a quick Google:


    https://securityboulevard.com/2021/09/apple-security-is-garbage-change-my-mind/
    macike
Sign In or Register to comment.