Apple releases iPhone 3.0.1 software to fix SMS exploit

245

Comments

  • Reply 21 of 91
    jcw5002jcw5002 Posts: 37member
    Also wondering if this breaks tethering hack........... anyone?
  • Reply 22 of 91
    libertyforalllibertyforall Posts: 1,407member
    Wow, Apple didn't put the input validation code in there in the first place? Shame on them.
  • Reply 23 of 91
    Finally can turn my 3gs back on lol
  • Reply 24 of 91
    Quote:
    Originally Posted by teckstud View Post


    You win first prize for best complaint - EVER!



    Yay!! I drew an attack from Teckstud! That wasn't a complaint, genius. Just an observation for those who might be interested. Geesh you're funny!
  • Reply 25 of 91
    jeffdmjeffdm Posts: 12,951member
    Quote:
    Originally Posted by nagromme View Post


    The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?



    (I'm not sure about Google Android.)



    Quote:
    Originally Posted by GregoriusM View Post


    It affects Android as well.



    I don't get it, why are three different platforms affected by the same bug? Is everyone making the same mistake? It doesn't seem like there should be shared code like when several operating systems were using the BSD TCP/IP stack, including Microsoft.
  • Reply 26 of 91
    mdriftmeyermdriftmeyer Posts: 7,503member
    Quote:
    Originally Posted by nagromme View Post


    The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?



    (I'm not sure about Google Android.)



    Google Android is also affected. It has to do with SMS specifically, not any particular implementation.
  • Reply 27 of 91
    mdriftmeyermdriftmeyer Posts: 7,503member
    Quote:
    Originally Posted by JeffDM View Post


    I don't get it, why are three different platforms affected by the same bug? Is everyone making the same mistake?



    http://tools.ietf.org/html/draft-iet...p-01#section-7



    Quote:



    7. Security Considerations





    Please see the discussions on security considerations for the

    registrations of Enumservice "sms:smpp" and URI scheme "smpp" in

    Sections 8.1 and 8.2 respectively.







    8. IANA Considerations





    This document registers the "smpp" Enumservice using the subtype

    "smpp" under the existing type "sms" in the Enumservice registry

    described in the IANA considerations in RFC 3761 [2] and draft-ietf-

    enum-enumservices-guide-07 [12]. This document also registers with

    the IANA the "smpp" URI scheme per RFC 4395 [5]. Details of the two

    registrations can be found in Sections 8.1 and 8.2 below.







    8.1. IANA Registration for Enumservice "sms:smpp"





    Enumservice Name: smpp



    Enumservice Class: Common Application



    Enumservice Type: sms



    Enumservice subtype: smpp



    URI scheme: smpp



    Functional Specification: This Enumservice indicates that the

    resource identified by the associated URI is capable of receiving

    short messages using the SMPP protocol [13].



    Security Considerations: Use of the "sms:smpp" Enumservice shall

    either be within a service provider's internal network, or on a

    private basis between one or more parties. It is assumed that

    this Enumservice is used in an environment where entities are

    trusted and general public or attackers are not supposed to have

    access to the DNS RRs containing the "smpp" URI.




    The initial purpose of this Enumservice and the "smpp" URI is to

    indicate that the remote resource can receive short messages using

    SMPP. It is recommended that only the <hostport> appears in the

    URI. If the <userinfo> is present, it is recommended that it

    contains the international telephone number with the leading "+"

    so as not to convey user-specific information in the "smpp" URI.






  • Reply 28 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by Virgil-TB2 View Post


    This is just not true at all.



    They had a month from the time Miller announced it, to the day of the black hat conference where he said he would talk about it whether they fixed it or not. He issued a press release a couple of days ago saying how they were "slow" and they fixed it today.



    Correct... Apple WAS slow in fixing this flaw. Miller first notified the public of the bug's existence a few days before 3.0 was released. My understanding is he gave Apple plenty of time before then to issue a patch. The fact that we waited at least six weeks after a known vulnerability was out there before it was finally patched (essentially forced to, since the flaw is now public) is pretty damning on Apple's part. Again, I say this as an iPhone owner and Mac user.



    Google was also notified of a similar, but less-severe SMS exploit around the same time. They, however, managed to patch their Android platform within a few days.



    Quote:

    This is just misleading. They had a reasonable expectation when this was announced a month ago that the same exploit would also affect them. The fact that a guy only proved this was the case a week ago is irrelevant to the fact that any dimwit could see that the bug was almost certainly going to affect them also.



    In case you didn't notice, iPhone OS, Android and Windows Mobile are three separate operating systems . Each has their own unique code base and systems that govern the phone. Just because one platform is vulnerable doesn't mean the others are as well.



    For example, the iPhone is in the worst shape because of the severe nature of the exploit, vs Android, which only had a minor bug that was more of an annoyance than severe. Windows Mobile was *NOT* vulnerable to either of these exploits, which is why Microsoft wasn't notified of any such problem. However, a *NEW* problem with Windows Mobile was discovered on Monday, and Microsoft hadn't been notified. I'm certain Windows Mobile users can expect a security update to their devices within the coming days, hopefully much sooner than Apple's six-week delay.



    Quote:

    It's Microsoft that sucks at security and always has. They are the only ones to dat the haven't fixed it, even though Miller never even mentions them in his chest pounding press releases.



    Once again, this is because the flaw in Windows Mobile is a separate one from the iPhone and Android. Miller doesn't mention Microsoft in his "chest pounding" as you put it, because again, this discovery was made less than a week ago, and more than likely hasn't been engineered into an actual exploit yet. I'm certain that Miller has informed Microsoft to the problem, and they'll issue a patch once they properly test it on a wide range of devices.



    Remember, its not as easy as writing some code and sending it out. You have to test it properly, or else you could have WORSE problems than you did before. Look up Seagate and the bad firmware update story from a year ago, and see what I mean.



    Quote:

    it's also worth mentioning that the character has no business being sent to a phone in the first place and if blame is to be apportioned, the carrier is probably more at fault than anyone for not filtering it out in the first place.



    While I do think the carrier has a responsibility to monitor some of this stuff, the fact is millions and millions of text messages are processed every day. The way this exploit works is not sending just one malformed character, but sending nearly 500 of them invisibly.



    But even still, how would you filter it out? How do you know its not just a regular text from another customer? Why do they need to worry about filtering when issues like this have never really been brought up before?



    There's more to it than just "filter it."
  • Reply 29 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by mdriftmeyer View Post


    Google Android is also affected. It has to do with SMS specifically, not any particular implementation.



    Android was also patched a few weeks ago. If you have an android phone, make sure you accept those updates.
  • Reply 30 of 91
    parkyparky Posts: 383member
    Quote:
    Originally Posted by al_bundy View Post


    mine seemed to backup faster as well



    i have around 23GB of data on mine and usually takes 10 minutes to backup. will see how it goes when i get home



    The backup only backs up SMS, settings, notes, application settings, etc, it does not backup applications, photos, music, videos, etc.



    Any content that is synced via iTunes is not part of the backup as it can always be resyned to the iPod from iTunes.
  • Reply 31 of 91
    nofeernofeer Posts: 2,422member
    still has trouble connecting with wifi, my macbook has 3 bars iphone zero bars.

    i guess this is a known problem with weak wifi connection doesn't find my network till i'm in the same room with the router then it will keep it for a while

    but update went fine
  • Reply 32 of 91
    Quote:
    Originally Posted by IsmOfAm View Post


    Is the update "safe" for jailbroken and unlocked i Phones?



    I've heard that once you jailbroke your 3GS , you cannot update or you will permanently brick your phone, no option to restore through Itunes or re-jailbreak. I'm not %100 on this, but wouldn't take the chance if I were you.
  • Reply 33 of 91
    Quote:
    Originally Posted by Boogerman2000 View Post


    I've heard that once you jailbroke your 3GS , you cannot update or you will permanently brick your phone, no option to restore through Itunes or re-jailbreak. I'm not %100 on this, but wouldn't take the chance if I were you.



    You won?t brick your device, but you not be able to jailbreak it for awhile if the exploit gets patched in the update. Best just not to update until Dev Team gives you the go ahead.
  • Reply 34 of 91
    for some odd reason i got a major boost in cell phone reception from 1-2 bar to 3-5 bar 3g on my new 3gs! i don?t know if this is a fluke or just that maybe people who jailbroken their phones now have bricks that has freed up AT&T towers from their interference cause by their hacked phones?maybe apple is onto something by updating software to clear phones periodically of hacked software. i am loving all of my new found freedom of making calls anywhere in my home without worrying about losing quality or dropped calls, for now at least until the jailbroken community comes back online. i wish there was a way for apple and that community to join forces to offer all of the cool apps that seems to be so popular to make people to want to jailbreak in the first place! until then i will wait like a good little mac geek too scared to screw up his new toy. everyone else who has the guts enjoy i hope to be there soon where we can live in peace!
  • Reply 35 of 91
    virgil-tb2virgil-tb2 Posts: 1,416member
    Quote:
    Originally Posted by yuusharo View Post


    Correct... ...



    No offence (as I can see you took a while on the response, but this is all just a lot of blah, blah, blah form my perspective. You kind of re-iterate everything you asserted in your first post (the one I replied to), but don't actually add anything substantive to the argument or seriously refute any of my statements.



    IMO the nature of the bug(s) is such that MS can be considered to have got it's "warning" at the same time as everyone else which, according to Miller's own words was "a month" (not two) but I'm not going to do research on that to find out exactly what the times were because I just don't really care. Apple fixed the bug in a reasonable amount of time AFAICS, but I'll give you that their wording on "fixing it 48 hours after it was successfully demonstrated" is kind of a lame dodge. The Android *community* (not necessarily just Google), did fix it faster and I never doubted that. Microsoft still hasn't fixed their bug and I don't think they have any real excuse to hang that on, but on the other hand this is really not that dangerous a bug in the real world.



    The fact that Charlie Miller is a big blowhard bent on self aggrandisement and with a big anti-Apple bias is pretty well-known so I won't bother defending that. The fact that the media just repeated all his words verbatim without any real analysis or even looking into the facts is also a given IMO.



    I think all the companies with the exception of Microsoft, Mr. Miller and the media, did their jobs rather well in fact, and the whole situation is just another "tempest in a teapot" from Mr. Miller at the end of the day.



    I think he will actually have to cross over to the dark side and do an exploit himself if he really wants to satisfy his urges to prove Apple's security sucks.
  • Reply 36 of 91
    btitusjrbtitusjr Posts: 53member
    Quote:
    Originally Posted by gto65l View Post


    Have there been any documented instances of this flaw being used maliciously?



    No Not a One. Its a wonder what everyone is crying about.



    Quote:
    Originally Posted by yuusharo View Post




    Apple sucks at security.



    This is a pretty strong statement with nothing whatsoever to back it up. Why does apple suck at security any more then anyone else. \
  • Reply 37 of 91
    I doubt Android and Windows Mobile will be patched as T-Mobile has patched the network side of things and I assume all carriers will eventually.



    I think Apple obviously had to patch the iPhone due to the fact of all the bad press.



    The fact is Android is not patched and the only reason Google said its taken care of is because T-Mobile has done something with their network. Thats what I have heard.
  • Reply 38 of 91
    iphone1982iphone1982 Posts: 109member
    Quote:
    Originally Posted by Virgil-TB2 View Post


    ...



    The fact that Charlie Miller is a big blowhard bent on self aggrandisement and with a big anti-Apple bias is pretty well-known so I won't bother defending that. The fact that the media just repeated all his words verbatim without any real analysis or even looking into the facts is also a given IMO.



    I think all the companies with the exception of Microsoft, Mr. Miller and the media, did their jobs rather well in fact, and the whole situation is just another "tempest in a teapot" from Mr. Miller at the end of the day.



    I think he will actually have to cross over to the dark side and do an exploit himself if he really wants to satisfy his urges to prove Apple's security sucks.



    Accept the facts. Apple didn't fix the security Flaw. If you don't believe it was a flaw then I would expect that you are smarter than the Apple Team that rushed to get this out ASAP after this guy gave them more than enough time to FIX IT and called them on it and made them look foolish for letting this go.



    Windows found about it on Monday (I would expect they are working on a fix).

    If not he will likely do the same thing for Microsoft as he?s concerned with the security of the end user.



    Android fixed the security Flaw.



    Sleep well this weekend knowing that you are smarter than Apple and would have left the security flaw go unfixed.



    yuusharo and many others on the forum did an excellent job explaining the entire history and when & who was notified and who took action. They put it in terms the average 3rd grader could understand.
  • Reply 39 of 91
    Quote:
    Originally Posted by Logisticaldron View Post


    You won’t brick your device, but you not be able to jailbreak it for awhile if the exploit gets patched in the update. Best just not to update until Dev Team gives you the go ahead.



    Yes, actually you will brick your phone. I was told this by the guy who jailbroke my phone, and now as of today people are updating and bricking their phones. The link is below. Dfu mode does NOT work, restoring, hard reset etc., they all don't work with a jailbroken 3GS so be warned everybody that had their 3GS jailbroken/unlocked.



    http://forums.macrumors.com/showthread.php?t=756956
  • Reply 40 of 91
    Quote:
    Originally Posted by iPhone1982 View Post


    Accept the facts. Apple didn't fix the security Flaw..



    It?s amazing how you can be on this page where it?s clearly stated Apple has released a fix for the SMS hole and yet you claim that it?s a fact that Apple hasn?t fixed the security flaw.
Sign In or Register to comment.