The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?
(I'm not sure about Google Android.)
Quote:
Originally Posted by GregoriusM
It affects Android as well.
I don't get it, why are three different platforms affected by the same bug? Is everyone making the same mistake? It doesn't seem like there should be shared code like when several operating systems were using the BSD TCP/IP stack, including Microsoft.
They had a month from the time Miller announced it, to the day of the black hat conference where he said he would talk about it whether they fixed it or not. He issued a press release a couple of days ago saying how they were "slow" and they fixed it today.
Correct... Apple WAS slow in fixing this flaw. Miller first notified the public of the bug's existence a few days before 3.0 was released. My understanding is he gave Apple plenty of time before then to issue a patch. The fact that we waited at least six weeks after a known vulnerability was out there before it was finally patched (essentially forced to, since the flaw is now public) is pretty damning on Apple's part. Again, I say this as an iPhone owner and Mac user.
Google was also notified of a similar, but less-severe SMS exploit around the same time. They, however, managed to patch their Android platform within a few days.
Quote:
This is just misleading. They had a reasonable expectation when this was announced a month ago that the same exploit would also affect them. The fact that a guy only proved this was the case a week ago is irrelevant to the fact that any dimwit could see that the bug was almost certainly going to affect them also.
In case you didn't notice, iPhone OS, Android and Windows Mobile are three separate operating systems . Each has their own unique code base and systems that govern the phone. Just because one platform is vulnerable doesn't mean the others are as well.
For example, the iPhone is in the worst shape because of the severe nature of the exploit, vs Android, which only had a minor bug that was more of an annoyance than severe. Windows Mobile was *NOT* vulnerable to either of these exploits, which is why Microsoft wasn't notified of any such problem. However, a *NEW* problem with Windows Mobile was discovered on Monday, and Microsoft hadn't been notified. I'm certain Windows Mobile users can expect a security update to their devices within the coming days, hopefully much sooner than Apple's six-week delay.
Quote:
It's Microsoft that sucks at security and always has. They are the only ones to dat the haven't fixed it, even though Miller never even mentions them in his chest pounding press releases.
Once again, this is because the flaw in Windows Mobile is a separate one from the iPhone and Android. Miller doesn't mention Microsoft in his "chest pounding" as you put it, because again, this discovery was made less than a week ago, and more than likely hasn't been engineered into an actual exploit yet. I'm certain that Miller has informed Microsoft to the problem, and they'll issue a patch once they properly test it on a wide range of devices.
Remember, its not as easy as writing some code and sending it out. You have to test it properly, or else you could have WORSE problems than you did before. Look up Seagate and the bad firmware update story from a year ago, and see what I mean.
Quote:
it's also worth mentioning that the character has no business being sent to a phone in the first place and if blame is to be apportioned, the carrier is probably more at fault than anyone for not filtering it out in the first place.
While I do think the carrier has a responsibility to monitor some of this stuff, the fact is millions and millions of text messages are processed every day. The way this exploit works is not sending just one malformed character, but sending nearly 500 of them invisibly.
But even still, how would you filter it out? How do you know its not just a regular text from another customer? Why do they need to worry about filtering when issues like this have never really been brought up before?
still has trouble connecting with wifi, my macbook has 3 bars iphone zero bars.
i guess this is a known problem with weak wifi connection doesn't find my network till i'm in the same room with the router then it will keep it for a while
Is the update "safe" for jailbroken and unlocked i Phones?
I've heard that once you jailbroke your 3GS , you cannot update or you will permanently brick your phone, no option to restore through Itunes or re-jailbreak. I'm not %100 on this, but wouldn't take the chance if I were you.
I've heard that once you jailbroke your 3GS , you cannot update or you will permanently brick your phone, no option to restore through Itunes or re-jailbreak. I'm not %100 on this, but wouldn't take the chance if I were you.
You won?t brick your device, but you not be able to jailbreak it for awhile if the exploit gets patched in the update. Best just not to update until Dev Team gives you the go ahead.
for some odd reason i got a major boost in cell phone reception from 1-2 bar to 3-5 bar 3g on my new 3gs! i don?t know if this is a fluke or just that maybe people who jailbroken their phones now have bricks that has freed up AT&T towers from their interference cause by their hacked phones?maybe apple is onto something by updating software to clear phones periodically of hacked software. i am loving all of my new found freedom of making calls anywhere in my home without worrying about losing quality or dropped calls, for now at least until the jailbroken community comes back online. i wish there was a way for apple and that community to join forces to offer all of the cool apps that seems to be so popular to make people to want to jailbreak in the first place! until then i will wait like a good little mac geek too scared to screw up his new toy. everyone else who has the guts enjoy i hope to be there soon where we can live in peace!
No offence (as I can see you took a while on the response, but this is all just a lot of blah, blah, blah form my perspective. You kind of re-iterate everything you asserted in your first post (the one I replied to), but don't actually add anything substantive to the argument or seriously refute any of my statements.
IMO the nature of the bug(s) is such that MS can be considered to have got it's "warning" at the same time as everyone else which, according to Miller's own words was "a month" (not two) but I'm not going to do research on that to find out exactly what the times were because I just don't really care. Apple fixed the bug in a reasonable amount of time AFAICS, but I'll give you that their wording on "fixing it 48 hours after it was successfully demonstrated" is kind of a lame dodge. The Android *community* (not necessarily just Google), did fix it faster and I never doubted that. Microsoft still hasn't fixed their bug and I don't think they have any real excuse to hang that on, but on the other hand this is really not that dangerous a bug in the real world.
The fact that Charlie Miller is a big blowhard bent on self aggrandisement and with a big anti-Apple bias is pretty well-known so I won't bother defending that. The fact that the media just repeated all his words verbatim without any real analysis or even looking into the facts is also a given IMO.
I think all the companies with the exception of Microsoft, Mr. Miller and the media, did their jobs rather well in fact, and the whole situation is just another "tempest in a teapot" from Mr. Miller at the end of the day.
I think he will actually have to cross over to the dark side and do an exploit himself if he really wants to satisfy his urges to prove Apple's security sucks.
I doubt Android and Windows Mobile will be patched as T-Mobile has patched the network side of things and I assume all carriers will eventually.
I think Apple obviously had to patch the iPhone due to the fact of all the bad press.
The fact is Android is not patched and the only reason Google said its taken care of is because T-Mobile has done something with their network. Thats what I have heard.
The fact that Charlie Miller is a big blowhard bent on self aggrandisement and with a big anti-Apple bias is pretty well-known so I won't bother defending that. The fact that the media just repeated all his words verbatim without any real analysis or even looking into the facts is also a given IMO.
I think all the companies with the exception of Microsoft, Mr. Miller and the media, did their jobs rather well in fact, and the whole situation is just another "tempest in a teapot" from Mr. Miller at the end of the day.
I think he will actually have to cross over to the dark side and do an exploit himself if he really wants to satisfy his urges to prove Apple's security sucks.
Accept the facts. Apple didn't fix the security Flaw. If you don't believe it was a flaw then I would expect that you are smarter than the Apple Team that rushed to get this out ASAP after this guy gave them more than enough time to FIX IT and called them on it and made them look foolish for letting this go.
Windows found about it on Monday (I would expect they are working on a fix).
If not he will likely do the same thing for Microsoft as he?s concerned with the security of the end user.
Android fixed the security Flaw.
Sleep well this weekend knowing that you are smarter than Apple and would have left the security flaw go unfixed.
yuusharo and many others on the forum did an excellent job explaining the entire history and when & who was notified and who took action. They put it in terms the average 3rd grader could understand.
You won’t brick your device, but you not be able to jailbreak it for awhile if the exploit gets patched in the update. Best just not to update until Dev Team gives you the go ahead.
Yes, actually you will brick your phone. I was told this by the guy who jailbroke my phone, and now as of today people are updating and bricking their phones. The link is below. Dfu mode does NOT work, restoring, hard reset etc., they all don't work with a jailbroken 3GS so be warned everybody that had their 3GS jailbroken/unlocked.
Accept the facts. Apple didn't fix the security Flaw..
It?s amazing how you can be on this page where it?s clearly stated Apple has released a fix for the SMS hole and yet you claim that it?s a fact that Apple hasn?t fixed the security flaw.
Comments
You win first prize for best complaint - EVER!
Yay!! I drew an attack from Teckstud! That wasn't a complaint, genius. Just an observation for those who might be interested. Geesh you're funny!
The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?
(I'm not sure about Google Android.)
It affects Android as well.
I don't get it, why are three different platforms affected by the same bug? Is everyone making the same mistake? It doesn't seem like there should be shared code like when several operating systems were using the BSD TCP/IP stack, including Microsoft.
The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?
(I'm not sure about Google Android.)
Google Android is also affected. It has to do with SMS specifically, not any particular implementation.
I don't get it, why are three different platforms affected by the same bug? Is everyone making the same mistake?
http://tools.ietf.org/html/draft-iet...p-01#section-7
7. Security Considerations
Please see the discussions on security considerations for the
registrations of Enumservice "sms:smpp" and URI scheme "smpp" in
Sections 8.1 and 8.2 respectively.
8. IANA Considerations
This document registers the "smpp" Enumservice using the subtype
"smpp" under the existing type "sms" in the Enumservice registry
described in the IANA considerations in RFC 3761 [2] and draft-ietf-
enum-enumservices-guide-07 [12]. This document also registers with
the IANA the "smpp" URI scheme per RFC 4395 [5]. Details of the two
registrations can be found in Sections 8.1 and 8.2 below.
8.1. IANA Registration for Enumservice "sms:smpp"
Enumservice Name: smpp
Enumservice Class: Common Application
Enumservice Type: sms
Enumservice subtype: smpp
URI scheme: smpp
Functional Specification: This Enumservice indicates that the
resource identified by the associated URI is capable of receiving
short messages using the SMPP protocol [13].
Security Considerations: Use of the "sms:smpp" Enumservice shall
either be within a service provider's internal network, or on a
private basis between one or more parties. It is assumed that
this Enumservice is used in an environment where entities are
trusted and general public or attackers are not supposed to have
access to the DNS RRs containing the "smpp" URI.
The initial purpose of this Enumservice and the "smpp" URI is to
indicate that the remote resource can receive short messages using
SMPP. It is recommended that only the <hostport> appears in the
URI. If the <userinfo> is present, it is recommended that it
contains the international telephone number with the leading "+"
so as not to convey user-specific information in the "smpp" URI.
This is just not true at all.
They had a month from the time Miller announced it, to the day of the black hat conference where he said he would talk about it whether they fixed it or not. He issued a press release a couple of days ago saying how they were "slow" and they fixed it today.
Correct... Apple WAS slow in fixing this flaw. Miller first notified the public of the bug's existence a few days before 3.0 was released. My understanding is he gave Apple plenty of time before then to issue a patch. The fact that we waited at least six weeks after a known vulnerability was out there before it was finally patched (essentially forced to, since the flaw is now public) is pretty damning on Apple's part. Again, I say this as an iPhone owner and Mac user.
Google was also notified of a similar, but less-severe SMS exploit around the same time. They, however, managed to patch their Android platform within a few days.
This is just misleading. They had a reasonable expectation when this was announced a month ago that the same exploit would also affect them. The fact that a guy only proved this was the case a week ago is irrelevant to the fact that any dimwit could see that the bug was almost certainly going to affect them also.
In case you didn't notice, iPhone OS, Android and Windows Mobile are three separate operating systems
For example, the iPhone is in the worst shape because of the severe nature of the exploit, vs Android, which only had a minor bug that was more of an annoyance than severe. Windows Mobile was *NOT* vulnerable to either of these exploits, which is why Microsoft wasn't notified of any such problem. However, a *NEW* problem with Windows Mobile was discovered on Monday, and Microsoft hadn't been notified. I'm certain Windows Mobile users can expect a security update to their devices within the coming days, hopefully much sooner than Apple's six-week delay.
It's Microsoft that sucks at security and always has. They are the only ones to dat the haven't fixed it, even though Miller never even mentions them in his chest pounding press releases.
Once again, this is because the flaw in Windows Mobile is a separate one from the iPhone and Android. Miller doesn't mention Microsoft in his "chest pounding" as you put it, because again, this discovery was made less than a week ago, and more than likely hasn't been engineered into an actual exploit yet. I'm certain that Miller has informed Microsoft to the problem, and they'll issue a patch once they properly test it on a wide range of devices.
Remember, its not as easy as writing some code and sending it out. You have to test it properly, or else you could have WORSE problems than you did before. Look up Seagate and the bad firmware update story from a year ago, and see what I mean.
it's also worth mentioning that the character has no business being sent to a phone in the first place and if blame is to be apportioned, the carrier is probably more at fault than anyone for not filtering it out in the first place.
While I do think the carrier has a responsibility to monitor some of this stuff, the fact is millions and millions of text messages are processed every day. The way this exploit works is not sending just one malformed character, but sending nearly 500 of them invisibly.
But even still, how would you filter it out? How do you know its not just a regular text from another customer? Why do they need to worry about filtering when issues like this have never really been brought up before?
There's more to it than just "filter it."
Google Android is also affected. It has to do with SMS specifically, not any particular implementation.
Android was also patched a few weeks ago. If you have an android phone, make sure you accept those updates.
mine seemed to backup faster as well
i have around 23GB of data on mine and usually takes 10 minutes to backup. will see how it goes when i get home
The backup only backs up SMS, settings, notes, application settings, etc, it does not backup applications, photos, music, videos, etc.
Any content that is synced via iTunes is not part of the backup as it can always be resyned to the iPod from iTunes.
i guess this is a known problem with weak wifi connection doesn't find my network till i'm in the same room with the router then it will keep it for a while
but update went fine
Is the update "safe" for jailbroken and unlocked i Phones?
I've heard that once you jailbroke your 3GS , you cannot update or you will permanently brick your phone, no option to restore through Itunes or re-jailbreak. I'm not %100 on this, but wouldn't take the chance if I were you.
I've heard that once you jailbroke your 3GS , you cannot update or you will permanently brick your phone, no option to restore through Itunes or re-jailbreak. I'm not %100 on this, but wouldn't take the chance if I were you.
You won?t brick your device, but you not be able to jailbreak it for awhile if the exploit gets patched in the update. Best just not to update until Dev Team gives you the go ahead.
Correct... ...
No offence (as I can see you took a while on the response, but this is all just a lot of blah, blah, blah form my perspective. You kind of re-iterate everything you asserted in your first post (the one I replied to), but don't actually add anything substantive to the argument or seriously refute any of my statements.
IMO the nature of the bug(s) is such that MS can be considered to have got it's "warning" at the same time as everyone else which, according to Miller's own words was "a month" (not two) but I'm not going to do research on that to find out exactly what the times were because I just don't really care. Apple fixed the bug in a reasonable amount of time AFAICS, but I'll give you that their wording on "fixing it 48 hours after it was successfully demonstrated" is kind of a lame dodge. The Android *community* (not necessarily just Google), did fix it faster and I never doubted that. Microsoft still hasn't fixed their bug and I don't think they have any real excuse to hang that on, but on the other hand this is really not that dangerous a bug in the real world.
The fact that Charlie Miller is a big blowhard bent on self aggrandisement and with a big anti-Apple bias is pretty well-known so I won't bother defending that. The fact that the media just repeated all his words verbatim without any real analysis or even looking into the facts is also a given IMO.
I think all the companies with the exception of Microsoft, Mr. Miller and the media, did their jobs rather well in fact, and the whole situation is just another "tempest in a teapot" from Mr. Miller at the end of the day.
I think he will actually have to cross over to the dark side and do an exploit himself if he really wants to satisfy his urges to prove Apple's security sucks.
Have there been any documented instances of this flaw being used maliciously?
No Not a One. Its a wonder what everyone is crying about.
Apple sucks at security.
This is a pretty strong statement with nothing whatsoever to back it up. Why does apple suck at security any more then anyone else.
I think Apple obviously had to patch the iPhone due to the fact of all the bad press.
The fact is Android is not patched and the only reason Google said its taken care of is because T-Mobile has done something with their network. Thats what I have heard.
...
The fact that Charlie Miller is a big blowhard bent on self aggrandisement and with a big anti-Apple bias is pretty well-known so I won't bother defending that. The fact that the media just repeated all his words verbatim without any real analysis or even looking into the facts is also a given IMO.
I think all the companies with the exception of Microsoft, Mr. Miller and the media, did their jobs rather well in fact, and the whole situation is just another "tempest in a teapot" from Mr. Miller at the end of the day.
I think he will actually have to cross over to the dark side and do an exploit himself if he really wants to satisfy his urges to prove Apple's security sucks.
Accept the facts. Apple didn't fix the security Flaw. If you don't believe it was a flaw then I would expect that you are smarter than the Apple Team that rushed to get this out ASAP after this guy gave them more than enough time to FIX IT and called them on it and made them look foolish for letting this go.
Windows found about it on Monday (I would expect they are working on a fix).
If not he will likely do the same thing for Microsoft as he?s concerned with the security of the end user.
Android fixed the security Flaw.
Sleep well this weekend knowing that you are smarter than Apple and would have left the security flaw go unfixed.
yuusharo and many others on the forum did an excellent job explaining the entire history and when & who was notified and who took action. They put it in terms the average 3rd grader could understand.
You won’t brick your device, but you not be able to jailbreak it for awhile if the exploit gets patched in the update. Best just not to update until Dev Team gives you the go ahead.
Yes, actually you will brick your phone. I was told this by the guy who jailbroke my phone, and now as of today people are updating and bricking their phones. The link is below. Dfu mode does NOT work, restoring, hard reset etc., they all don't work with a jailbroken 3GS so be warned everybody that had their 3GS jailbroken/unlocked.
http://forums.macrumors.com/showthread.php?t=756956
Accept the facts. Apple didn't fix the security Flaw..
It?s amazing how you can be on this page where it?s clearly stated Apple has released a fix for the SMS hole and yet you claim that it?s a fact that Apple hasn?t fixed the security flaw.