Apple kills code-signing bug that threatened iPhone users Apple has patched a serious bug in iPhones and iPads that allowed attackers to embed secret payloads in iTunes App Store offerings that were never approved during the official submission process. Charlie Miller, who is principal research consultant at security firm Accuvant, was kicked out of the iOS developer program on …
Tagline: "Hacker who discovered it remains excommunicated"
And rightly so. You cannot sign up to the iOS Developer Program, find a bug and then release an app to exploit that bug. This guy sounds more like a fame-hunter than a security professional. He should've informed Apple about the bug and let them fix it. He probably had betas 1 and 2 of iOS 5.0.1 and could've raised it with them if it were still present in those betas. As far as I know, he didn't.
Unfortunately, Apple's iRDF (iProduct Reality Distortion Field) would have counteracted any attempt to engage an iOS engineer in a useful fashion.
There have been multiple instances over the recent years where app developers and users have reported verifiable, repeatable problems to Apple engineers, either directly or via forums, only to be told by Apple that either (1.) they're "doing it wrong," or (2.) they're not welcome any more.
Not that Apple is the only organisation guilty of this; it happens at Microsoft and in the FLOSS (Free/Libre` Open Source Software) worlds as well. It's probably not very uncommon for programmers at the top of any operating system or API development pyramid to exhibit a certain amount of hubris and/or "ostrich-puts-head-in-the-sand" behaviour...
Really Apple,
If you could fix these various bugs in less than 48 hours, why did you not do it before? Did you use code provided by Charlie Miller to fix the problem? Maybe Charlie should sue the teats off you for theft of intellectual property.
At the very least, he deserves reinstatement for the public service he provided by pointing out your flaws, whether you like being told your software is unsafe or not. What a bunch of childish twerps you are! You have a longstanding history of blowing people off when they try to help you so he created an app to prove his point and got it in your "app store". Just shows you don't check applications for security very well now do you?
Question: What kind of fools do you think we consumers are?
Answer: Big ones. Apple, Etc; don't give a rat's ass about anything but bottom line profit. Oh, and "design".
All Software/Operating System manufacturers need to be held legally accountable for the shortcomings of their product(s). If any product has a bug in it that allows the theft or loss of personal or financial data by unknown entities, and the manufacturer was warned about the problem and di nothing to fix it, then the manufacturer should be required to compensate the consumer to the extent they were injured by the shoddy code.
This means each and everyone of you malingering douchebags, Microsoft, Norton, Trend Micro, Apple, SONY, etc etc etc.
As I understand it the sequence of events was: find hole, tell apple, make app that uses hole, ignore app store TOS, release app, brag to all and sundry, wonder why he's been excommunicated.
We can't say the hole was fixed in 48hrs as we don't know how long someone was working on it before; that said I dare say it had an effect in bumping it up the priority list. Holes that are being used being more critical than holes noone knows about from both a security and PR perspective.
So, if you're right about the sequence, and if previous posts are correct and the app was released in September, and, if previous stories are right and it can take 3 months to approve an app for release, it figures that the app was submitted some time in June.
If you then say he informed Apple, you'd presume he gave them a couple of months to respond before deciding to create the app, then that works out as Apple being made aware back in April.
Hell of a coincidence if the fix arrived just two days after he revealed the bug.
Wonder how many other bugs are out there, that Apple are fully aware of, but the people in the know aren't quite so willing to shout it to the world?
That is not disclosure in November, but all the comments are from the last couple of days. I think the main thing is that something that the Apple App Store folks are looking for directly was missed. If you look at Apple and Microsoft as doing VM (Vulnerability Management) with pre-screening and Google as ID (Intrusion Detection) by reactive response then it is really up to you as to what is more effective. Plenty of companies out there have different opinions on this topic, and all of them are still vulnerable to one degree or another. I personally prefer VM.
The small area is the new Nitro JavaScript engine in Safari which is given more freedom than the old engine, to improve web app performance compared to native apps. At the time IIRC it could only be used by web apps and not native apps (yep much wailing and pulling of hair about how that was evil and Apple were control freaks and people would never buy another iphone) guess that was changed.
Charlie Miller is very well known to Apple and in the wider security community - this isn't an attempt to gain notoriety as all the fanbois seem to think. As for the question of why he submitted it to the app store - how else could he test that his exploit could bypass the code signing component of the app store?
This is just a case of Apple over reacting (probably by a low level app store QA staff member). They will back down and let him back in when the noise dies down. If they don't they are stupider than they currently appear.
>Apple excommunicated him from the developer program, making him ineligible to test the security of new products before they are released to the public.<
So, from having a clever bloke on their side helping make their products safe, they've now created an anti fan clever enough to find holes in their previously thought unassailable products, making them appear as secure as all the others (Android, Windows etc), clever.
If he found one vulnerability, chances are he'll find others, get a mate to sign on as developer and boom, compromised Apple products.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
