Wavering about Apple's latest security fix? Don't, says Talos

Here's another reason to press “install” on Apple's latest OS X and iOS security patches: a slew of image-handling vulnerabilities. Now that Apple's released the patched versions, Cisco's Talos researchers have gone public with the details of their contribution to the fixes. The most serious of the bugs is in TIFF image …

  1. Anonymous Coward

    What you had before was security by obscurity

    What you had before, protecting you with this vulnerability, was security by obscurity.

    Security by obscurity worked for years, until the exploit was discovered.

    Now the exploit has been patched, so you'd think now you have security by "bullet proof code".

    But nope.

    Nope, what you have is still security by obscurity, because there are still many other holes in MacOS, iOS, Linux, Windows, and so on.

    Even the fix to the TIFF bug might open a new vulnerability.

    The only security is that all holes known to criminals (and quasicriminals) are plugged, and that the vast number of unplugged holes are obscured from them.

    This is the last patch iOS will ever need? The last vulnerability? Nope, unethical to claim that.

    (Of course there is no security protecting you from the NSA, FSB, GCHQ, Mossad, etc. Those guys don't even need vulnerabilities in your code to get you, and it is unethical to claim otherwise. Achievable security is only security against private industry and academic criminals and quasicriminals.)

    1. Anonymous Coward

      Re: What you had before was security by obscurity

      You are arguing against points that no one is trying to make. No one is suggesting that these fixes are the last bugfixes that iOS will ever need.

  2. Christian Berger

    What we need to acknowledge is...

    ... that such huge code bases are simply not maintainable. We need to go for smaller code bases. We need to eliminate unnecessary features.

    Unfortunately there are some people now who don't understand that and try to shove unnecessary complexity into every aspect of computing. One typical example is HTTP/2.

    1. Anonymous Coward

      Re: What we need to acknowledge is...

      You mean getting back to DOS? As systems evolve, they become more complex. Image formats became more complex to handle more complex image capture devices and their more complex outputs. Features that may be unnecessary for you may be critical for someone else. General purpose systems have to cope with a very broad range of needs.

      What is needed are ways to master this complexity and reduce the space for mistakes. But they may have costs many don't want to sustain.

      1. Justin Clift

        Re: What we need to acknowledge is...

        With enough evolution, simplicity becomes possible again. :D

      2. Christian Berger

        Re: What we need to acknowledge is...

        Actually DOS was a step towards more complexity. Since it didn't come with a host of standard tools (in part because Microsoft was lazy, in part because that concept doesn't work on diskettes), every program had to implement its own functionality. For example, every program had to have its own printer drivers.

        As for "needed" features, there's always the idea of having small maintainable programs with well defined functionality. You can then just add whatever functionality you want. That's how we got editors like ex and vi. That's how we got sed. Those are all just minor modifications to get a whole different kind of functionality. Often you will find that it's much easier to have a fork for a particular use case than to try to cram certain functionality into some software.

        Also today we have immense amounts of useless complexity.

        Here's an example for Android: https://www.youtube.com/watch?v=NgifNa7qD5s

        Another category are systems where someone tried to solve a problem, then found out that their solution creates 2 new problems, then tries to solve those 2 problems only to create new problems and so on... eventually you will end up with feature upon feature that you wouldn't have needed before. Typical examples for this category are systemd and HTTP/2.

        1. Anonymous Coward

          Re: What we need to acknowledge is...

          Wrong examples. Those are all tools for quite basic text manipulation. Today software does a lot more on far more complex data. You can't always chain different modules to obtain the final result, and even if you can, the complexity of the chain itself, and the lack of proper input/output validation, can become huge issues themselves.

          1. Christian Berger

            Re: What we need to acknowledge is...

            a) You can map everything to text. If your data structures are complex even though your problem is not, you have a serious design problem. There are very few problems that need complex data structures.

            b) You can always do input/output validation at the edges where you get your input or interpret it in a problem specific way.

            Real life problems aren't complex. They are things like making a database table editable. Such things used to be done with a handful of commands in dBase, or a couple of clicks in Delphi. It shouldn't take some actual work in newer systems.

    2. PassiveSmoking

      It's not too much complexity that's led to this

      It's the same old mistakes that programmers keep making over and over and over again, namely a buffer overrun. So long as we insist on using C and its descendants and other languages that make the programmer manage memory themselves, errors such as buffer overruns, stack overflows, heap corruption, dangling pointers, null pointers and double-frees are always going to be here.

      What we need to acknowledge is that programmers are fallible and that some of the more mundane yet error-prone aspects of programming should really be taken out of the hands of programmers wherever possible. Managing memory yourself is something that you should only need to do in performance-critical code.
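The bug class the comment above is talking about, shown as an added example that is not code from the article, from Apple or from Talos, and does not reproduce the actual TIFF flaw (the article gives no details of it). The image format below is a hypothetical 8-byte header (width, height as big-endian u32) followed by one byte per pixel; `MAX_PIXELS`, `decode_unchecked`, `decode_checked` and `run_case` are names invented for the illustration. The unchecked decoder computes `width * height` in 32 bits, so a crafted header wraps the product to a tiny allocation while the row loop still writes the full image; the checked decoder validates every header-derived quantity before it touches memory.

```c
/* Added example: a toy image-strip decoder, vulnerable and hardened side by side.
 * Not the Talos/Apple TIFF bug; the format and names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 8                 /* width (u32 BE) + height (u32 BE), hypothetical format */
#define MAX_PIXELS (1u << 20)     /* policy cap on decoded size, chosen for the example */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Shows why the unchecked decoder allocates almost nothing for a 65536x65536 header. */
uint32_t product_wraps(void) {
    return 0x10000u * 0x10000u;   /* 2^32 wraps to 0 in uint32_t */
}

/* VULNERABLE pattern: the allocation is sized by a wrapped product, but the copy
 * loop writes h rows of w bytes, overrunning the heap and reading past `len`.
 * Kept here only to show the bug shape; never call it on untrusted input. */
uint8_t *decode_unchecked(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN) return NULL;
    uint32_t w = rd32(buf), h = rd32(buf + 4);
    uint32_t n = w * h;                       /* wraps for e.g. w = h = 0x10000 */
    uint8_t *out = malloc(n ? n : 1);
    if (!out) return NULL;
    const uint8_t *src = buf + HDR_LEN;
    for (uint32_t y = 0; y < h; y++)          /* w*h writes, not n */
        memcpy(out + (size_t)y * w, src + (size_t)y * w, w);
    return out;
}

/* Hardened: reject zero dimensions, an oversized or overflowing product,
 * and a declared size larger than the data actually present. */
int decode_checked(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (len < HDR_LEN) return -1;
    uint32_t w = rd32(buf), h = rd32(buf + 4);
    if (w == 0 || h == 0) return -1;
    if (h > MAX_PIXELS / w) return -1;        /* w*h would exceed the cap (and so cannot overflow) */
    size_t n = (size_t)w * h;
    if (n > len - HDR_LEN) return -1;         /* header promises more pixels than the file holds */
    uint8_t *p = malloc(n);
    if (!p) return -1;
    memcpy(p, buf + HDR_LEN, n);
    *out = p; *out_len = n;
    return 0;
}

/* Builds a constructed input with the given header and `data_bytes` of pixel data
 * (at most 64), runs the hardened decoder and returns the pixel count or -1. */
int run_case(uint32_t w, uint32_t h, size_t data_bytes) {
    uint8_t buf[HDR_LEN + 64] = {0};
    if (data_bytes > 64) return -1;
    wr32(buf, w);
    wr32(buf + 4, h);
    uint8_t *out; size_t n;
    int rc = decode_checked(buf, HDR_LEN + data_bytes, &out, &n);
    free(out);
    return rc == 0 ? (int)n : -1;
}

int main(void) {
    printf("0x10000 * 0x10000 as uint32_t = %u\n", product_wraps());
    printf("4x4 with 16 bytes  -> %d\n", run_case(4, 4, 16));
    printf("4x4 with 8 bytes   -> %d\n", run_case(4, 4, 8));
    printf("65536x65536 header -> %d\n", run_case(0x10000u, 0x10000u, 64));
    return 0;
}
```

The two checks in `decode_checked` are the ones most image parsers get wrong: a multiplication that is range-checked before it is performed, and a declared length that is compared against the bytes actually in the buffer rather than trusted. A memory-safe language removes the overrun itself, but the second check is still needed there to avoid a panic or an out-of-memory allocation on a hostile header.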

  3. s. pam

    Thanks Apple for bricking my new iPad

    My 3 month old iPad is fucking bricked by the "upgrade".

    iTunes on a current version OSX stalled, then the install failed. Said iPad now more brain dead than Paris so looking forward after work to fixing this shit.

  4. Anonymous Coward

    Does it.....

    Does it fix any of the things the last update broke??

    (Not a hope in hell, but mummy asked me to ask).

    1. Anonymous Coward

      Re: Does it.....

      What did the last update break? I didn't have any problems with it or the new one. Never had a problem with any update in fact.

      FWIW, I always close all apps, power down the phone, power it up and do the update, and after the update is complete power it down and up again. Old habit from when I was a sysadmin and found that patching a 'clean' system leads to fewer problems. I have no idea if that helps at all, but I figure it can't hurt...

      1. Anonymous Coward

        Re: Does it.....

        After the last update an Air stopped working with a TPLINK router and a Maplin repeater that it had been working happily with for months.

        I got it working with the router by DOWNGRADING the security; the repeater has had to go, as not only was the Air not working with it, it was doing something to stop anything else working with it either - switch the Air or the repeater off, and every other wifi device could suddenly work again.

        Just to reiterate, this is my parents' house; I wouldn't touch an iOS device with a barge-pole.
