Feeds

back to article Apple kills code-signing bug that threatened iPhone users

Apple has patched a serious bug in iPhones and iPads that allowed attackers to embed secret payloads in iTunes App Store offerings that were never approved during the official submission process. Charlie Miller, who is principal research consultant at security firm Accuvant, was kicked out of the iOS developer program on …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

So they stopped throwing a tantrum then?

Did they let Miller back on the program?

0
4
Gimp

Nope...

Tagline: "Hacker who discovered it remains excommunicated"

And rightly so. You cannot sign up to the iOS Developer Program, find a bug and then release an app to exploit that bug. This guy sounds more like a fame-hunter than a security professional. He should've informed Apple about the bug and let them fix it. He probably had betas 1 and 2 of iOS 5.0.1 and could've raised it with them if it were still present in those betas. As far as I know, he didn't.

10
3
Gold badge

Yep, nope.

Uploaded to the store in September. Disclosed in November. What was he waiting for? Was it just that nobody downloaded it in October and so he didn't have the clinching proof of concept?

6
1
Holmes

"He should've informed Apple about the bug and let them fix it."

Unfortunately, Apple's iRDF (iProduct Reality Distortion Field) would have counteracted any attempt to engage an iOS engineer in a useful fashion.

There have been multiple instances over the recent years where app developers and users have reported verifiable, repeatable problems to Apple engineers, either directly or via forums, only to be told by Apple that either (1.) they're "doing it wrong," or (2.) they're not welcome any more.

Not that Apple is the only organisation guilty of this; it happens at Microsoft and in the FLOSS (Free/Libre` Open Source Software) worlds as well. It's probably not very uncommon for programmers at the top of any operating system or API development pyramid to exhibit a certain amount of hubris and/or "ostrich-puts-head-in-the-sand" behaviour...

5
3

This post has been deleted by a moderator

Bronze badge
Devil

Move along here, nothing to see (except for killing the messenger)

Really Apple,

If you could fix these various bugs in less than 48 hours, why did you not do it before? Did you use code provided by Charlie Miller to fix the problem? Maybe Charlie should sue the teats off you for theft of intellectual property.

At the very least, he deserves reinstatement for the public service he provided by pointing out your flaws, whether you like being told your software is unsafe or not. What a bunch of childish twerps you are! You have a longstanding history of blowing people off when they try to help you so he created an app to prove his point and got it in your "app store". Just shows you don't check applications for security very well now do you?

Question: What kind of fools do you think we consumers are?

Answer: Big ones. Apple, Etc; don't give a rat's ass about anything but bottom line profit. Oh, and "design".

All Software/Operating System manufacturers need to be held legally accountable for the shortcomings of their product(s). If any product has a bug in it that allows the theft or loss of personal or financial data by unknown entities, and the manufacturer was warned about the problem and di nothing to fix it, then the manufacturer should be required to compensate the consumer to the extent they were injured by the shoddy code.

This means each and everyone of you malingering douchebags, Microsoft, Norton, Trend Micro, Apple, SONY, etc etc etc.

5
7
Silver badge

Well

As I understand it the sequence of events was: find hole, tell apple, make app that uses hole, ignore app store TOS, release app, brag to all and sundry, wonder why he's been excommunicated.

We can't say the hole was fixed in 48hrs as we don't know how long someone was working on it before; that said I dare say it had an effect in bumping it up the priority list. Holes that are being used being more critical than holes noone knows about from both a security and PR perspective.

3
3
Anonymous Coward

So, if you're right about the sequence, and if previous posts are correct and the app was released in September, and, if previous stories are right and it can take 3 months to approve an app for release, it figures that the app was submitted some time in June.

If you then say he informed Apple, you'd presume he gave them a couple of months to respond before deciding to create the app, then that works out as Apple being made aware back in April.

Hell of a coincidence if the fix arrived just two days after he revealed the bug.

Wonder how many other bugs are out there, that Apple are fully aware of, but the people in the know aren't quite so willing to shout it to the world?

2
2

This post has been deleted by a moderator

Silver badge

If you're a frequent reader of the register you'll know that most companies and security researchers stay silent to the media until the hole is patched. Then the security researcher can brag away.

0
0
Silver badge
Joke

I hope

He's patented a fix for the problem and can sue their arses off for violating his intellectual property.

2
4
Silver badge

Cunning plan

Now, if Miller had thought it through, he'd have patented the hole and the concept of blocking the hole, then he could sue Apple once they fixed things. And taken out an injunction to block the worldwide sale of anything including the block!

3
4

YouTube post was in September

That is not disclosure in November, but all the comments are from the last couple of days. I think the main thing is that something that the Apple App Store folks are looking for directly was missed. If you look at Apple and Microsoft as doing VM (Vulnerability Management) with pre-screening and Google as ID (Intrusion Detection) by reactive response then it is really up to you as to what is more effective. Plenty of companies out there have different opinions on this topic, and all of them are still vulnerable to one degree or another. I personally prefer VM.

1
0
Anonymous Coward

When you're caught with your pants down, don't bend over - shoot the guy who caught you!

As a company grows bigger and bigger it is inevitable that the "powers" will shove their heads further and further up their own arses in direct proportion to the growth rate.

2
4

The small area was the new Nitro JavaScript engine

The small area is the new Nitro JavaScript engine in Safari which is given more freedom than the old engine, to improve web app performance compared to native apps. At the time IIRC it could only be used by web apps and not native apps (yep much wailing and pulling of hair about how that was evil and Apple were control freaks and people would never buy another iphone) guess that was changed.

0
0
Gimp

Charlie Miller is very well known to Apple and in the wider security community - this isn't an attempt to gain notoriety as all the fanbois seem to think. As for the question of why he submitted it to the app store - how else could he test that his exploit could bypass the code signing component of the app store?

This is just a case of Apple over reacting (probably by a low level app store QA staff member). They will back down and let him back in when the noise dies down. If they don't they are stupider than they currently appear.

2
1
Silver badge

Another Apple PR Disaster

Apple shoots the messenger.

When someone buys an app from the App Store, 30% of that cash goes straight to Apple.

Someone else points out a problem with that App Store infrastructure, Apple ex-communicates them.

1
1
Anonymous Coward

iPhone 3G

So... for any device unable to run iOS5 (the iPhone 3G my g/f uses) will remain exposed then I take it? Thanks Apple, thanks a bunch...

0
1
FAIL

RTFA

To quote the article (para. 5); "The threat had existed since the release of iOS 4.3."

The iPhone 3G is incompatible with iOS 4.3.

0
0
Silver badge
Meh

Fair point, my bad. You can understand my suspicion though, as it would only add to the list of security problems with iOS 4.2.1 which will never be fixed (the PDF one being the highest profile)

1
1
Silver badge

Meanwhile...

At Microsoft Towers their PR team is currently reading a letter from this AC complaining he can't get security updates for an ancient WIn95 machine.

0
0
Holmes

>Apple excommunicated him from the developer program, making him ineligible to test the security of new products before they are released to the public.<

So, from having a clever bloke on their side helping make their products safe, they've now created an anti fan clever enough to find holes in their previously thought unassailable products, making them appear as secure as all the others (Android, Windows etc), clever.

If he found one vulnerability, chances are he'll find others, get a mate to sign on as developer and boom, compromised Apple products.

1
1

Want to hire Miller?

Interesting, I bet the cyber mafia groups wish they had Miller on their payroll

1
0
This topic is closed for new posts.