Apple kills browse-and-get-hacked bugs in iOS

Apple has patched a critical iOS vulnerability that allows attackers to install malicious apps on iPhones, iPads, and iPod touches by doing nothing more than luring victims to a booby-trapped website or sending them a tainted email. The update plugs a hole in Apple-designed document-viewing software that allows attackers to …

COMMENTS

This topic is closed for new posts.
  1. Philip Harvey
    Stop

    no fix for iPhone yet....

    No word from Apple about a fix for the original iPhone yet, since the original iPhone can't run iOS. There are also a lot of iPhone 3G and 3GS owners that won't update to iOS until Apple fixes the speed and battery issues in iOS so the exploit won't be patched until they release a 3.1.x patch as well.

    1. Anonymous Coward
      Stop

      RE: no fix for iPhone yet....

      "There are also a lot of iPhone 3G and 3GS owners that won't update to iOS until Apple fixes the speed and battery issues in iOS so the exploit won't be patched until they release a 3.1.x patch as well."

      These issues don't seem to affect the 3GS. Only *some* 3Gs are affected...

  2. yeehaw....
    Pirate

    Poor AT&T.....

    That network is going to stagger and fall under the load. 378mb for a PATCH on a cell phone.... just wow.

    On a side note: The troubles I've had since last Thursday with AT&T just completing a dns change makes me want to giggle and point..... bastards deserve all of that and more.

    sigh.....

    1. jai
      FAIL

      Broadband

      Patch comes over your broadband, not the AT&T network

      1. Alan W. Rateliff, II
        Paris Hilton

        ONLY available via WiFi?

        I was wondering about that myself when I saw the "iPad update is a whopping 456.9MB in size" bit. I am assuming that at SOME point an iPad user would have access to WiFi, but what if not? Are all updates restricted to non-3G connections?

        As for AT&T, fortunately I have not experienced any problems with their DNS. I am curious about that as well. I never pay attention to the DNS the network hands out as I use my local Bind session for resolution on my laptop.

        Paris, non-connected.

        1. max allan

          iTunes anyone...

          iPhone patches get downloaded onto your PC and then installed over iTunes and your cable to the device.

          The reason that it's so big is that this isn't a patch. Apple don't patch, they just release a whole new iOS. Which includes browser, mail app, phone, contacts app, etc. etc. etc....

          Hence, yes it is a bit chunky.

        2. twunt

          Updates are done via itunes

          not directly to the device.

          You HAVE to sync to update.

    2. twunt

      No it isn't.

      Updates are delivered via iTunes when you sync the device, NOT over 3G or even directly to device via WiFi.

      How do you think updates get to ipod touch or non 3G ipads? Dunce.

  3. Anonymous Coward
    Anonymous Coward

    Joking!

    Most iPhone users I know have been happy with the simple jailbreak procedure and certainly won't be patching. They have control of their phones, something they have never had on an iPhone.

  4. vincent himpe

    surely there can be no bugs like this in anything from 'apple'

    after all, this is 'apple' we are talking about...

    1. Andy ORourke
      WTF?

      What is more shocking......

      Is that the Adobe reader was not affected, I mean forget everything else, Adobe NOT affected!

      These are words I didn't think would go together in an article about malicious PDF files :-)

  5. Shades
    Stop

    378Mb...

    ...For a phone OS?!? You could get the same functionality (minus the phone bit of course) from an Amiga with probably a handful of 880kb disks (minus the fart apps of course!) ;)

    1. Anonymous Coward
      Grenade

      378mb?!?!?!?

      in this day and age?!!?! someone think of the children!

    2. max allan
      FAIL

      And ...

      And minus :

      Web browser

      Contacts

      iPod (audio and video playing)

      Maps

      Calendar

      App store

      Notes

      Voice recorder

      etc...

      So, your 800K disks would be just the OS and no flipping good to anyone. Unlike the 378Mb which makes an entire useful device.

  6. Craig Foster

    iOS 4 runs fine on 3GS

    Turn off location services... background apps will keep the GPS running while they're not doing anything which kills the 3GS battery.

    Luckily iOS4 gives the ability to set which apps can use location services if you do want to keep it on.

    There's also a fix for the exchange sync having too long a timeout which may also keep 3G data services going longer than needed.

  7. Alan Denman

    A cabbage?

    They are making a bit of a cabbage out of the patch indeed.

    Kidding of course but it certainly looks like all new iPhones are now orphans.

  8. JaitcH
    Jobs Horns

    Some patch at 378MB - sounds more like a REBUILD

    There is no way such a huge download, presumably compressed, can ever be considered as a 'patch'.

    And who gets to pay for this LemonAid download - maybe a visit to an Apple outlet would save users data allowances?

    Another tribute to Jobs' skills in 'under statement' or as some might call it ... lying. And they actually tested Lemon 4 before they released it? Perhaps Jobs should hire the hackers to do the testing.

    Maintaining the faith can be very testing and expensive.

    1. twunt

      This is the same with all iOS updates

      You get the whole package every time, not a patch.

    2. RichyS
      Thumb Down

      FFS

      Christ you're tiresome.

    3. Anonymous Coward
      Anonymous Coward

      Another tribute to a poster

      Who doesn't know how Apple update their mobile devices.

  9. Sean Timarco Baggaley
    FAIL

    Jesus Horatio Fogharty CHRIST,

    the marching morons are out in force today...

    It's a mystery how some of you dribbling imbeciles ever learned how to breathe, let alone type. I don't know why Google even bother to maintain their search engine given how few of you seem to use it.

    See that screenshot in the fucking article? That's right: it's iTunes. Running on a Mac or PC. You download OS updates through iTunes, not on your bloody iDevice. 3G charges don't enter into it.

    1. FL1X
      Flame

      He has a point

      No really he does you people are insane, you don't download the patch to your phone you download it to your MAC / PC and install it via that nice white cable.

      But until apple fix the proximity sensor I'm sticking with my jailbroken phone ta ;)

      1. Robert Forsyth

        I can do both

        on my Nokia: download to PC update over USB or download to phone over WiFi, 3G, or GPRS, then it updates itself.

        1. Anonymous Coward
          Grenade

          Bravo

          Good for you. What do you want, a medal?

        2. Anonymous Coward
          FAIL

          WHOOSH!!!

          That, Mr Forsyth, was the point whizzing past you...

    2. Anonymous Coward
      Happy

      title

      /me unplugs and hides his 3G dongle before anyone sees it.

  10. NightFox
    Stop

    Not just a patch

    All the people commenting about the size of this patch - patches for iPod Touches/iPhones always come as a complete OS download, that way there's no issues with whatever OS the device previously had installed.

  11. Pavlov's obedient mutt
    Thumb Up

    shame poor fools

    here, in the Netherlands on my 60Mb internet bundle (DSL? Cable? dunno - don't care) - that download takes mere seconds

    And I can see hookers from my window (ok, I have to lean out the window and peer down the street some) and smoke weed legally

    now, what was I saying?

    um. Shit, forgot. But I am hungry suddenly

  12. bertino

    Softies.

    I see the bittards, Bytetards, millitards, Megatards and kilotards are out in force again.

    The clue is in the 1st letter of each of those words.

    1. NightFox
      WTF?

      Do I Win a Prize?

      Blackberry Messenger Milton Keynes?

  13. Matt K

    To be fair to Apple...

    (and there's a phrase I didn't think I'd ever use)

    ...they don't describe iOS 4.0.2 as a patch. Suspect it's just easy shorthand for others to report given it fixes one or two things and adds no new features.

    I won't be updating. No intention of spending an hour or two downloading a file that size, resetting my phone, then restoring from a backup, just to fix a problem I can likely avoid with some common sense (don't open PDFs).

    1. NightFox
      Stop

      A Little Information is a Dangerous Thing!

      But it's not a problem you can avoid that easily - when you click a link in Mobile Safari, how do you know that link isn't to a PDF (which Mobile Safari opens automatically)?

      OK, you can avoid clicking on any links or use an alternative browser, but why not just install the patch? Connect iPhone to computer, accept T&Cs, come back 30 minutes later and all is complete. No need to reset, no need to restore, no need to re-sync anything - job done.

      1. Anonymous Coward
        Thumb Down

        You may say that....

        ...but the week before last I applied the iOS4 update to an iPod touch and when it failed somehow during the update (leaving me with a device in recovery mode that simply couldn't be seen by the normal PC/iTunes combination no matter what I did) it took me over 9 hours to get the damn thing restored and with all of the contents back on it and to do that required a second entirely separate laptop and clean copy of iTunes.

        Now granted it's the first time I've seen anything this bad happen, but clearly there is something that needs to be done to sort out the potential for things to go horribly wrong.

        So claiming that all Apple processes just work (tm) is not completely true.

        1. Eponymous Howard

          @Brian Morrison

          Had a similar prob with this update and it is reported on the Apple forums - fortunately only a quick reset/ restore/ leave to sync (and go to bed) sorted it. I suspect at busy times Apple's verification server gets a bit flaky and terminates the process.

          Somewhat to my surprise, the unbacked up video I had on the phone was not lost.

      2. Gilbo
        Go

        Alternatively

        1. Go to jailbreakme.com on your iPhone.

        2. Jailbreak iPhone.

        3. Load Cydia.

        4. Install PDF Loading Warner.

        Hey presto, jailbroken phone and a pop-up confirmation each time Safari tries to automatically open a PDF. Takes 3 minutes instead of 30, no need to reset, no need to restore, no need to re-sync. Job done.

        Does a better job than 4.0.2.

    2. Jolyon Ralph
      Unhappy

      Common Sense

      > just to fix a problem I can likely avoid with some common sense (don't open PDFs).

      Sadly it's not that easy. Safari on iOS 4.01 and earlier (and probably 4.0.2 as well) opens PDF files automatically without prompting so if they are, for example, embedded in a hidden IFRAME on a web page you're visiting then basically as soon as you visit the website you're buggered.

      So you really should upgrade to 4.0.2, unless you want to jailbreak your phone/pad, or you want to stay with OS v3.x, in which case you should jailbreak the phone and install PDF Loading Warner from Cydia, which prevents PDFs being loaded without your approval.

  14. Geoff Campbell Silver badge
    Happy

    I take it that all these iPhone owners complaining about a 378MB download....

    ....are envious of those with more bandwidth, because they are too poor to afford it?

    GJC

  15. A Non e-mouse Silver badge
    Unhappy

    And the rest ?

    And how long do we have to wait for Apple to fix all the other iOS 4 bugs ?

  16. CaptainBlue
    Alert

    How big?

    According to iTunes presently, the download for my iPhone 4 is 579.3MB

  17. Jessica Werkz

    @Stike Vomit

    Pratt

    1. Anonymous Coward
      Thumb Down

      That word....

      ...has one t, not two...

      Tsk!

  18. Tigra 07

    Extra data charges?

    Since all the network operators are now offering about 500mb a month as "unlimited".

    isn't 378m for an update going to push a few people over onto extra charges on their contracts?

    Or are updates exempt?

    1. NightFox
      FAIL

      Facepalm

      Handy hint for next time, save face by reading the existing comments before posting.

      1. Tigra 07
        Coat

        RE:NightFail

        I can't be expected to constantly reload a page to check for comments after reading, I'm doing more than one thing at once

        1. Ivan Headache

          If we can do it

          You can do it.

  19. Anonymous Coward
    Troll

    @Stike vomit

    Hey.. here's an idea, go and play in traffic.. or watch paint dry.. it'd surely be more interesting than trolling... sorry.. trawling the internet looking for iPhone articles to moan about.

    Seriously, get a life. Boo hoo... I don't like Apple.. I don't like iPhones.... fine, stop reading about them moron. Just ignore them and get on with your life, assuming you actually have one.

    1. Anonymous Coward
      Anonymous Coward

      @ AC

      "Seriously, get a life. Boo hoo... I don't like Apple.. I don't like iPhones.... fine, stop reading about them moron. Just ignore them and get on with your life..."

      I wish I *could* ignore them. But thanks to Apple's hype machine they are rapidly becoming unavoidable, and I'm fucking sick of it.

      1. Anonymous Coward
        FAIL

        *You* are sick of it?!

        Does it not occur to you that the rest of us are sick of your polemic and spite-filled vitriol? 'Apple's hype machine'? You mean the press? Stop reading it then! It really *is* that easy.

  20. Elsie
    WTF?

    Jailbreak Issue?

    Not JB my iPad but I wish Apple would fix the problem of mine backing up for hours on end!

    1. Jolyon Ralph
      FAIL

      iPad backup

      If you have applications that have lots of private data (for example, loading up Goodreader with a ton of PDF files), then it can take hours and hours to do a backup each and every time you sync with iTunes. Seems iTunes doesn't understand the concept of differential backups and tries to transfer everything, every time. You would have thought that when they produced a 64Gb device they might have considered there could be a problem with that.

      Simple solution, find some alternative software to sync your music, contacts, etc with your iPad and don't use iTunes.

      Oh. wait...

      Guess you'll just have to keep skipping the backup.

  21. James Robertson 2

    why the fuss?

    I have a 2MB download speed on my broadband, the new OS took 12 minutes to download and install on the iPhone, as stated above it's a complete OS download not a patch, I don't think that having to plug my Phone into my computer for 12 minutes is really such a big deal.

    Both the Apple haters and the FanBois really need to calm down a bit.

  22. Andy Watt
    Stop

    OK Mr Vomit...

    If you're sick of it, cut yourself off from it.

    Seriously, impotent anger will kill you.

    Form a company which tells people how to buy non-apple products, and tell them how to use those products (seeing as most of the imbeciles you're ranting at seem to like apple products because they don't need any smarts to use them).

    Turn off all apple adverts you see on TV. Develop a plugin for web browsers which filters out apple banners.

    Don't read any articles (including this one) which mention apple products.

    Spend your time evangelising to your friends about good product which isn't apple.

    But don't ever, EVER post to comment boards like this (especially with the tragic swearing). You must be the kind who simply can't accept that 90% of the population will do what they do (for an easy life) and don't have geek enlightenment like you do. So use your enlightenment for good and stop screaming like a prophet into the void. It's pointless.

    Me? I've got an iphone. I've also got an apad, which I hack Android about on. The reasons I decided to become an imbecile for my phone were simply because I couldn't be arsed with more complex phones (which needed "attention" all the time) anymore (ran S60 / UIQ symbian phones for years).

    I know I had something to say about the story... what was it... oh yes.

    Updates over the air (especially to devices with batteries) are just another way of creating bricked product. At least if the whole system image is replaced you can be reasonably sure it'll work. Before anyone screams, I'm aware that both will have a potentially low fail rate, but the ADSL+laptop+cable solution added to a fallback bootloader mode at least means you can resurrect things. I'm sure android has that mode, but if you work over the air it's not going to help, is it?

    1. guybles
      Pint

      Seconded

      Well said that man!

      Perhaps we can also suggest that El Reg includes a mandatory first comment on any story referring to Apple, which simply says "iPhone, iPad, iPod: Nobody makes you buy them".

  23. heyrick Silver badge
    Alert

    OMFG!

    I don't know what's more shocking... a patched vuln on invincible unhackable more-secure-than-secure Apple kit... or 378Mb for a <beeeeep>ing patch. What the hell? What the hell? What the hell?

    1. Test Man
      FAIL

      What's more shocking...

      ... is people up in arms over it. 378MB WOW BIG DEAL. Do you lot have less than 2Mb/s broadband or something? Get over it.

      1. heyrick Silver badge

        What is MOST shocking...

        ...is that you don't seem to think it astonishing that a firmware *patch* for a *phone* is 378Mb.

  24. Juan Inamillion
    Grenade

    <deep sigh>

    I've come to this party a bit late in the day but at least I've...

    a) read the article

    and

    b) read the previous comments

    ...before commenting.

    Nothing much to say really, other than how totally totally amazing it is that some other commentards here don't perform a) then b).

    Oh wait... I forgot to add the 'and understand' bit.

    Fucking hell....
