Apple releases iPhone 3.0.1 software to fix SMS exploit

135

Comments

  • Reply 41 of 91
    Quote:
    Originally Posted by Boogerman2000 View Post


    Yes, actually you will brick your phone. I was told this by the guy who unlocked my phone, and now as of today people are updating and bricking their phones. The link is below. Dfu mode does NOT work, restoring, hard reset etc., they all don't work with a jailbroken 3GS so be warned everybody that had their 3GS jailbroken/unlocked. So far I'm in the clear, but Fuck Apple for punishing those of us who simply want to add functionality to our phones LEGALLY.



    http://forums.macrumors.com/showthread.php?t=756956



    For starters, it’s hard to know what you are talking about when you interchange jailbreaking and unlocking. These are not the same thing. Secondly, what evidence do you have that Apple is punishing you when they issue an update. It’s not illegal to jailbreak your own device, but it’s foolish to expect Apple to work to preserve any exploits found in the device. These are security risks and should be plugged. Last, if you have unlockedy our phone you should not be updating it unless you have read that it’s okay to do from the people who issue the hacks. Usually it takes a couple days to get updated software to circumvent the new update. If you wish to play in that arena, fine, but at least be smart enough to know when to update your device.



    PS: That link you supplied shows that at least one reinstalled iTunes and got their ISPW to install while another got it to by correctly putting it into DFU mode. I’ve never heard of and iPhone being bricked from a jailbreak, just ID-10-T errors from users not knowing how to correct problems they themselves have created.
  • Reply 42 of 91
    Quote:
    Originally Posted by Logisticaldron View Post


    For starters, it?s hard to know what you are talking about when you interchange jailbreaking and unlocking. These are not the same thing. Secondly, what evidence do you have that Apple is punishing you when they issue an update. It?s not illegal to jailbreak your own device, but it?s foolish to expect Apple to work to preserve any exploits found in the device. These are security risks and should be plugged. Last, if you have unlockedy our phone you should not be updating it unless you have read that it?s okay to do from the people who issue the hacks. Usually it takes a couple days to get updated software to circumvent the new update. If you wish to play in that arena, fine, but at least be smart enough to know when to update your device.



    I know, but it appears that this time Apple has purposefully made it so that you will be stuck with a broken phone if you Unlocked/Jailbroke your device. The link I provided shows this to happening, and I expect that tomorrow there will be many more people with 3GS paperweights. I'm also aware that it is risky to unlock/jailbreak but historically there was always the option of restoring..evidently that is no longer the case. I am just putting the warning out there so that others don't end up stuck.
  • Reply 43 of 91
    Quote:
    Originally Posted by Boogerman2000 View Post


    I know, but it appears that this time Apple has purposefully made it so that you will be stuck with a broken phone if you Unlocked/Jailbroke your device. The link I provided shows this to happening, and I expect that tomorrow there will be many more people with 3GS paperweights. I'm also aware that it is risky to unlock/jailbreak but historically there was always the option of restoring..evidently that is no longer the case. I am just putting the warning out there so that others don't end up stuck.



    --Maybe I don't understand the difference b/t jailbreaking and unlocking. I was under the impression that you had to unlock to jailbreak..guess i'm wrong. Either way hope this all works itself out eventually.
  • Reply 44 of 91
    iphone1982iphone1982 Posts: 109member
    Quote:
    Originally Posted by Logisticaldron View Post


    It’s amazing how you can be on this page where it’s clearly stated Apple has released a fix for the SMS hole and yet you claim that it’s a fact that Apple hasn’t fixed the security flaw.



    I said they didn't fix it until they were called on it publicly and were told that it was going to be released at Black Hat FORCING them to RUSH a fix out for a security flaw that they sat on thier ass on.



    Apple Looks foolish in the media and should for letting it go unfixed.
  • Reply 45 of 91
    Quote:
    Originally Posted by Boogerman2000 View Post


    I know, but it appears that this time Apple has purposefully made it so that you will be stuck with a broken phone if you Unlocked/Jailbroke your device. The link I provided shows this to happening, and I expect that tomorrow there will be many more people with 3GS paperweights. I'm also aware that it is risky to unlock/jailbreak but historically there was always the option of restoring..evidently that is no longer the case. I am just putting the warning out there so that others don't end up stuck.



    This happens with every update. The people jumping the gun on the update with jailbroken iPhones are obviously not that tech savvy anyhow, or they wouldn?t have updated. I?m still on version 3.0 and won?t update my jailbroken 3GS until I know it?s safe. I also wanted to find out that the tethering hack which is just a simple AT&T profile added to the device was still effective with version 3.0.1, which it is. I won?t be updating to version 3.1 until I know I can tethering again. I don?t mind paying AT&T for it as I do understand the difference between unlimited on the device?s screen and unlimited tethering, but until they offer it to me as an service option I?ll get it by other means.
  • Reply 46 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by Virgil-TB2 View Post


    No offence (as I can see you took a while on the response, but this is all just a lot of blah, blah, blah form my perspective. You kind of re-iterate everything you asserted in your first post (the one I replied to), but don't actually add anything substantive to the argument or seriously refute any of my statements.



    The reason I can't respond quickly is because I have a job that has me do more than surf on web forums and argue with faceless names all day



    Quote:

    IMO the nature of the bug(s) is such that MS can be considered to have got it's "warning" at the same time as everyone else which, according to Miller's own words was "a month" (not two) but I'm not going to do research on that to find out exactly what the times were because I just don't really care.



    Again, looking at your little signature there, you should know that a Windows machine is very different from a Mac, and thus, they have different security problems/vulnerabilities. A virus written for Windows doesn't usually affect Macs. Likewise, a bug in a Mac-only service wouldn't affect Windows users. The same goes with the operating systems on phones. These things are essentially computers designed to execute code. And, like all computers, they're coded by humans. Humans have a tendency to make a mistake, which is why these flaws exist.



    Quote:

    Apple fixed the bug in a reasonable amount of time AFAICS, but I'll give you that their wording on "fixing it 48 hours after it was successfully demonstrated" is kind of a lame dodge. The Android *community* (not necessarily just Google), did fix it faster and I never doubted that. Microsoft still hasn't fixed their bug and I don't think they have any real excuse to hang that on, but on the other hand this is really not that dangerous a bug in the real world.



    The iPhone bug, if exploited, is much worse than the Android and Windows mobile problems. The iPhone can allow a remote user to utilize anything on the phone, including the GPS, which would report back the phone's (and most likely, your) location anywhere in the world. For Android and WinMo, it merely knocks you off the network for 10 seconds. If a message is sent every 10 seconds, it could keep you off the network indefinitely.



    Quote:

    I think all the companies with the exception of Microsoft, Mr. Miller and the media, did their jobs rather well in fact, and the whole situation is just another "tempest in a teapot" from Mr. Miller at the end of the day.



    Considering that, at this point, the Windows Mobile bug hasn't been released to the public, seems like Safari Charlie is treating Microsoft like any other player in the game by informing them of the problem before showing a proof-of-concept to be used in the wild. Again, its unreasonable (and IRRESPONSIBLE) of Microsoft to release any kind of update without sufficient testing to make sure it works on the widest variety of devices. Sometimes, this process takes a while.



    Its like you're in high school and a student is given an assignment. Let's say that two students (Apple and Google) were given a task to complete as soon as possible. In this case, Android is the A+ student who completes it within a few days. Apple is the lazy procrastinator that pulled an all-nighter before the due date and rushed to get something out the door on time.



    Now lets say while these students have had nearly 6 weeks to complete their task, a new student has joined the class from out of state (Microsoft), and they're told they have less than a week to complete the same task that the other two have had over a month to prepare. Does that sound fair?
  • Reply 47 of 91
    Quote:
    Originally Posted by Boogerman2000 View Post


    --Maybe I don't understand the difference b/t jailbreaking and unlocking. I was under the impression that you had to unlock to jailbreak..guess i'm wrong. Either way hope this all works itself out eventually.



    Jailbreaking allows access to the OS. For the iPhone, most of the unlocking has been done by first jailbreaking the device, and then using Cydia to issue the unlock, but there is also HW unlocks that use a special SIM card that don’t require any OS jailbreaking. Unlocking allows for the use of any GSM-based network access.



    Right now, my iPhone is unlocked so I can use any 3rd-party app, run background apps, install folders on my home page, etc, but it’s not unlocked, since I’m on AT&T and have no reason to unlock it at this point. Actually, I’m even sure I can unlock as I was using the version 3.1 beta which updated the baseband. I was able to use Purplera1n to downgrade to version 3.0 but the baseband is written into the hardware and is a higher version that one for other 3GS iPhones running 3.0. It’s all good though, eventually it will be broken.





    Quote:
    Originally Posted by iPhone1982 View Post


    I said they didn't fix it until they were called on it publicly and were told that it was going to be released at Black Hat FORCING them to RUSH a fix out for a security flaw that they sat on thier ass on.



    Apple Looks foolish in the media and should for letting it go unfixed.



    Show us proof that Apple choose not to work on a fix for this problem until "they were called on it publicly” and I’ll believe you. Anything else is just conjecture, which is fine, if you state it as a theory, but you have a way of stating your opinions as hard facts.
  • Reply 48 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by btitusjr View Post


    This is a pretty strong statement with nothing whatsoever to back it up. Why does apple suck at security any more then anyone else. \



    In my opinion based on my observation of how the company deals with security issues, I'll stand by my statement. Apple sucks in the security department.



    Now, that doesn't mean OS X is bad security-wise. Obviously, built on Unix, its inherently more secure than Windows. But not having as many exploits doesn't translate to having no exploits. One prime example was a severe Java vulnerability that was discovered in October 2008, where a malformed java-applet could run on a web page and completely overtake a user's machine instantly. Microsoft, Sun, and a variety of Unix, Linux and BSD systems all released patches immediately after they were notified. Who was the one company that did not?



    Apple. Apple did not fix this *severe* vulnerability in December with 10.5.6, and the STILL didn't fix this problem when they released the 700+ megabyte 10.5.7 update in May. The security researcher who found the problem got fed up with Apple taking their time to fix the problem that he released sample code out into the wild and allowed it to be actively exploited. It was only then that Apple *FINALLY* decided to patch the bug in June 2009, a full eight months after they were notified.



    Can you imagine a known problem in Windows going unpatched for 8 months?
  • Reply 49 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by Boogerman2000 View Post


    I've heard that once you jailbroke your 3GS , you cannot update or you will permanently brick your phone, no option to restore through Itunes or re-jailbreak. I'm not %100 on this, but wouldn't take the chance if I were you.



    That's absolutely false. Jailbreaking will never "brick" your phone. Worst case senario, you simply but it back into DFU mode and restore to stock Apple firmware.



    Jailbreaking is never permanent, and will NEVER damage your iPhone. What you do *after* you jailbreak your phone, that's a whole other matter.



    Quote:
    Originally Posted by UltimateKylie View Post


    I doubt Android and Windows Mobile will be patched as T-Mobile has patched the network side of things and I assume all carriers will eventually.



    Android was patched weeks ago, shortly after they were notified of the problem (unlike Apple). The Windows Mobile bug was only discovered on Monday, meaning its only been known for a few days. I would expect an update to address the issue soon.



    Quote:

    I think Apple obviously had to patch the iPhone due to the fact of all the bad press.



    That's a sad statement. A company should have an obligation to protect their users from harm, regardless of PR. The fact that Apple constantly has to be pushed this far just to get a security update from them is incredible, if not down-right scary.



    Quote:

    The fact is Android is not patched and the only reason Google said its taken care of is because T-Mobile has done something with their network. Thats what I have heard.



    What you "heard" was wrong. Android was issued an update that addresses this issue, which has been pushed across all Android devices (HTC magic, HTC touch, HTC hero, etc). Unlike Apple, Google fixed their phones immediately.
  • Reply 50 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by Logisticaldron View Post


    Show us proof that Apple choose not to work on a fix for this problem until "they were called on it publicly? and I?ll believe you. Anything else is just conjecture, which is fine, if you state it as a theory, but you have a way of stating your opinions as hard facts.



    Proof is in the pudding, as they say. Apple was notified before the 3.0 launch of this problem, and didn't delay the release despite knowing the potential danger behind it. Google was notified of a similar problem and pushed out an update as soon as it was made available.



    Now why did Google fix their problem so quickly, and Apple waited until the exploit became known to the public before they did? I can't answer for sure obviously, but my guess is they wanted to include the update in 3.1, currently being beta tested. 3.0.1 only exists because Apple ran out of time, and decided to revert back to an old code-base with the fix included.



    This update should have come out WEEKS ago. But what sort of message would that have sent? Oh, Apple's newest iPhone shipped with a major security flaw?! That can't be good for Cupertino's business....



    Face it. Apple delayed this security patch in favor of better press. Never mind that the action puts their users at risk for a DANGEROUS exploit, as long as nothing spoils the iPhone's launch and image. That's just... wrong.
  • Reply 51 of 91
    [QUOTE=Logisticaldron;1457865]Jailbreaking allows access to the OS. For the iPhone, most of the unlocking has been done by first jailbreaking the device, or using Cydia to issue the unlock, but there is also HW unlocks that use a special SIM card. Unlocking allows for the use of any GSM-based network access.



    Right now, my iPhone is unlocked so I can use any 3rd-party app, run background apps, install folders on my home page, etc, but it?s not unlocked, since I?m on AT&T and have no reason to unlock it at this point. Actually, I?m even sure I can unlock as I was using the version 3.1 beta which updated the baseband. I was able to use Purplera1n to downgrade to version 3.0 but the baseband is written into the hardware and is a higher version that one for other 3GS iPhones running 3.0. It?s all good though, eventually it will be broken.







    Ok cool. I appreciate the explanation.
  • Reply 52 of 91
    Quote:
    Originally Posted by yuusharo View Post


    Proof is in the pudding, as they say. Apple was notified before the 3.0 launch of this problem, and didn't delay the release despite knowing the potential danger behind it. Google was notified of a similar problem and pushed out an update as soon as it was made available.



    Open source always has a leg up with fixing holes. It?s the nature of the beast so it?s not surprising that Android had a patch more readily than closed OSes. There are plenty of examples of where this has happened before.



    Apple has 3 betas for 3.1. If any of them have the hole fixed then it?s clear that Apple had a fix but was waiting to plug it with the next version. If not, I see no way of making a determination that the hole was a simple fix for Apple. It doesn?t mean that it was hard, either, there just isn?t enough evidence to make such an accusation.
  • Reply 53 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by Logisticaldron View Post


    Open source always has a leg up with fixing holes. It?s the nature of the beast so it?s not surprising that Android had a patch more readily than closed OSes. There are plenty of examples of where this has happened before.



    Apple has 3 betas for 3.1. If any of them have the hole fixed then it?s clear that Apple had a fix but was waiting to plug it with the next version. If not, I see no way of making a determination that the hole was a simple fix for Apple. It doesn?t mean that it was hard, either, there just isn?t enough evidence to make such an accusation.



    True, what you say about Open Source I won't doubt. Google definitely has an advantage with its community of developers. But when you have profit margins and as high a profile as Apple does, they should be able to hire enough resources to work on these fixes.



    Unfortunately I can't say if any of the 3.1 betas addressed this problem, and I wouldn't be able to talk about it if I did (with the whole NDA thing). While I don't have any evidence to backup my opinion, I find it hard to believe that it was just coincidence that the patch came out 24 hours after the flaw was made public, given that they were notified of the problem before 3.0 was released six weeks ago.



    My opinion - they didn't want to associate the image of a dangerous security flaw being shipped with Apple's shiny new iPhone 3GS. Think of what the news headlines would be. I think they held off patching it until it went public, then patted themselves on the back for releasing a fix less than 24 hours of it going to the wild. By waiting, they have the image of fixing the problem immediately after it was revealed....



    ...but seriously, we know the truth.
  • Reply 54 of 91
    abster2coreabster2core Posts: 2,501member
    Quote:
    Originally Posted by yuusharo View Post


    My opinion - they didn't want to associate the image of a dangerous security flaw being shipped with Apple's shiny new iPhone 3GS. Think of what the news headlines would be. I think they held off patching it until it went public, then patted themselves on the back for releasing a fix less than 24 hours of it going to the wild. By waiting, they have the image of fixing the problem immediately after it was revealed....



    ...but seriously, we know the truth.



    Until these guys showed Apple how they did it, Apple couldn't fix 'it'. Nobody could, as nobody else could replicate the problem.



    http://www.wired.com/gadgetlab/2009/07/apple-patch-sms/
  • Reply 55 of 91
    al_bundyal_bundy Posts: 1,525member
    Quote:
    Originally Posted by Logisticaldron View Post


    Open source always has a leg up with fixing holes. It?s the nature of the beast so it?s not surprising that Android had a patch more readily than closed OSes. There are plenty of examples of where this has happened before.



    Apple has 3 betas for 3.1. If any of them have the hole fixed then it?s clear that Apple had a fix but was waiting to plug it with the next version. If not, I see no way of making a determination that the hole was a simple fix for Apple. It doesn?t mean that it was hard, either, there just isn?t enough evidence to make such an accusation.





    Open Source has nothing to do with it. ^nix based OS's are more modular making it easier to patch. Windows is only somewhat modular starting with Windows 7 and Windows Server 2008.
  • Reply 56 of 91
    kibitzerkibitzer Posts: 1,114member
    Quote:
    Originally Posted by yuusharo View Post


    Proof is in the pudding, as they say. Apple was notified before the 3.0 launch of this problem, and didn't delay the release despite knowing the potential danger behind it. Google was notified of a similar problem and pushed out an update as soon as it was made available.



    Now why did Google fix their problem so quickly, and Apple waited until the exploit became known to the public before they did? I can't answer for sure obviously, but my guess is they wanted to include the update in 3.1, currently being beta tested. 3.0.1 only exists because Apple ran out of time, and decided to revert back to an old code-base with the fix included.



    This update should have come out WEEKS ago. But what sort of message would that have sent? Oh, Apple's newest iPhone shipped with a major security flaw?! That can't be good for Cupertino's business....



    Face it. Apple delayed this security patch in favor of better press. Never mind that the action puts their users at risk for a DANGEROUS exploit, as long as nothing spoils the iPhone's launch and image. That's just... wrong.



    How many users were hurt?
  • Reply 57 of 91
    ksecksec Posts: 1,569member
    Any links for manual update? My company blocks from itunes update.
  • Reply 58 of 91
    charlitunacharlituna Posts: 7,217member
    Quote:
    Originally Posted by iPhone1982 View Post


    Accept the facts. Apple didn't fix the security Flaw. If you don't believe it was a flaw then I would expect that you are smarter than the Apple Team that rushed to get this out ASAP after this guy gave them more than enough time to FIX IT and called them on it and made them look foolish for letting this go.



    are there any reports of anyone using or suspected of using said 'flaw' on any phone much less the iphone.



    and as was pointed out by someone else, telling Apple "hey there's a problem with your code and it could really be used for some havoc" is different than "Hey we found a way to hack your phones and here's how we did it." the latter wasn't until now. so Apple couldn't really fix the issue cause they didn't know what it was. however this is not to say that they weren't trying to fix it out from the moment they were told. we don't work at Apple so we don't know
  • Reply 59 of 91
    jeffdmjeffdm Posts: 12,951member
    Quote:
    Originally Posted by btitusjr View Post


    No Not a One. Its a wonder what everyone is crying about.



    Quote:
    Originally Posted by Kibitzer View Post


    How many users were hurt?



    Think of it like this. Let's say you lock your doors and you find that the doors weren't actually locking for a month or more. No one actually takes advantage of it. Does this really mean that no one will? Does it mean you were never really at any risk? Let's say you go to the customer service to get it fix it, would you really think it's OK just for them to say that no one broke in, so there really wasn't a problem?
Sign In or Register to comment.