That's....bad! Move a slider in a browser, and root the fecking device? Nice security!
Apple plans to issue fixes for two security flaws that when exploited together allow attackers to remotely install malicious apps on iPhones, iPads, and iPod touches. Although the critical vulnerabilities surfaced over the weekend, Apple officials didn't acknowledge them until Wednesday, the same day the German government …
That's....bad! Move a slider in a browser, and root the fecking device? Nice security!
and then install the PDF Loading Warner from Cydia, which will warn you whenever mail or safari try to open a PDF so you can cancel it.
Yet again, the jailbreakers are making iOS secure before Apple do :)
Was it really needed for you to bash Microsoft/Adobe in a post about Apple? The entire issue is about Apple, so why bring up MS/Adobe at all? Is the PDF reader on the IOS Adobe or Apple? Is the ISO a MS product? Nope? Then I see no reason to detract from the fact Apple are lackluster when it comes to security by trying to fawn MS/Adobe as evil companies who let your OS be taken over 24/7 at a whim.
You get upset because they make a reference to all the past failures of Adobe and MS when someone who hasn't had a track record for failures fails? In fact, it added some information to the article because it made it clear this was Apple's code and not Adobe's PDF code.
Apple still FAILED in my eyes... I won't BUY an Iphone/Itouch. It was cool however, someone tossed their broken Iphone 3Gs that only needed a new screen and LCD. It cost me $55US plus 4hrs of research on installing the parts.
1. Apple failed by not allowing bluetooth transferring of files to a phone or PC.
2. Apple failed by not using the universal MICROUSB cables. ( You are stuck with purchasing overpriced propietary APPLE cables and adaptors).
3. Apple failed by their warranty program (mainly because they are replacing each new release phone with one with either faster processor or bigger hard drive space with minor cosmetic changes every 12 to 16 months).
I won't be surprised if Apple now make a new Iphone version in 2012 with a new proprietary power/sync cable that cost 50 bucks and all cables from version 1 to 4 obsolete.
Oh, my... Haven't companies learned yet that automatically opening files always ends in tears?
What do you think happens when you visit a website? What do you think an HTML file is, if not a - y'know - file? The iOS browser brings PDF up to a first level file along with HTML, JPEG, PNG and so on - that's the only difference here.
To be fair, I work with the guts of PDF on a daily basis and some of the legacy stuff there (parsing Type 1 fonts or some of the freaky CCITT variations etc) is just awful, so there's more room for error parsing PDF than JPEG.
I'm also surprised on a device like this that Apple aren't flagging the data area as no-execute, which neuters this sort of buffer overrun. I guess not, so we won't see the last of these.
I get the impression the iphone doesn't have that option
....are not really something Apple understand, as far as I can tell.
“we have already developed a fix and it will be available to customers in an upcoming software update.”
Yeah, they are going to remove all PDF support from the thing now :P
So relations will already be strained between the two. And there's enough of a history of PDFs and Acrobat creating gaping security holes that it wouldn't be hard to get Apple's PR guys to start saying why PDF support isn't necessary.
Plus the iPhone isn't exactly a business device anyway, so I can't see the absence of PDF support being a problem for most users.
And there are PDF-> other format converters all over the web, so Jobs would just tell you to use one of them (or rather Apple's pay-to-use certified version).
Just put your finger on the "I don't want PDFs rooting my phone" button that is placed on the side between the two antennas...
In other news, a user has found that when they hold their phone with their finger over a certain part, pictures don't come out either!
Who found the exploit first - Jailbreakme.com or is the German Federal Office for Information Security?
Whilst the Jobs gang plays catch-up what are they doing about fixing all the other iOS problems such as Bluetooth. etc? Mind you, Jailbreakme.com did manage to actually get Apple to admit they have 'issues' with the Lemon ware.
Or the excellent job that Apple have done to Nike Plus in iOS 4. So good, in fact, that Nike suggest that if you've recently bought an iPhone/iPod & Nike Plus, you return it back to the Apple Store as the system doesn't work.
You said "booby"
.. but I guess the sentiment is there I suppose.
Though it is funny thinking of all the iPads and iPhones in Apple stores with Cydia installed over the last couple of days. :)
It doesn't work as a phone and gets rooted if you try to use it for web surfing or email. What exactly is it for? Just a fashion accessory? Of course it will still continue to fly of the shelves, says a lot about the users.
Except the only known exploit doesn't root your phone, it jailbreaks it.
(as you would know if you'd read the article)
Rooting the phone is implied as you can't jailbreak it without root access.
Saldy, after the last few years, I have a cynical view that the rush to get the fix out is to prevent the phone being jail-broken rather than the prevention of harm to actual real, paying customers. Am I too cynical?
Is that legal ? I'll have to start looking for a fix....
IIRC Safari wasn't updated for iOS4, so this is likely an old exploit that they've been saving for the launch of new hardware to make jail breaking as painless as possible, especially now that it's legal in some places.
It's the same with the custom firmwares for the PSP, hackers find various exploits but they don't release them in case Sony fixes them in the next firmware. Then the hackers use the flaw to attack the latest firmware when it arrives.
I jailbroke (is it a verb now? ;) ) my old 3G the other day. I'm still not very impressed with Cydia or Rock, they seem to spend 99% of their time downloading lists of updates, which takes ages. Plus the stability and usability of the emulators on there is really rubbish, as are the high prices.
....just took on a whole new meaning. And not in a good way.
Uh oh, I've been strenuously avoiding an upgrade to iOS 4 on my 3G, due to all of the issues it seems to be causing people...
Now it looks like I'll have to take the plunge to get this fix...or simply get an iPhone 4. Which I was holding off doing until the white ones came out.
I have, on these forums, previously defended Apple's desire to only support one release of the iOS at a time. It makes sense, in the scheme of things. But I'm really hating it right now...would love a fork for iOS 3 support. Failing that Apple, can we get an iOS 4 that configures itself minimally for 3G/GS users, with no multitasking, no Spotlight, etc.?
The original iPhone doesn't support iOS4.
In the same position - too many 3G users reporting uissues with last OS upgrade that I decided to hold off.
The "choice" between keeping a potentially serious security flaw, or upgrading to an OS that grinds my phone to a halt is somewhat short of ideal.
You have three choices
a. Upgrade to iOS4 (unless you're on an original iPhone or iPod Touch)
b. Leave the phone insecure
c. Jailbreak it then install the PDF Warner.
I have a 3G, I upgraded to iOS 4... I had it for a week before spending several hours downgrading back to 3.1.3 due to speed issues.
Simply put the 3G cannot cope with iOS4, camera took 30 seconds to load first time, 20 seconds after that, Settings took 10 seconds, Messages longer... and keyboard response was piss poor... Typed whole sentances then wait for all the key presses to register before contuinuing...
I really cannot advise you strongly enough NOT to upgrade.
Simple, use Opera Mini.
The jail break does not work with iOS 4.1 beta, so I guess Apple have already fixed that bug and is why the jailbreak was released now rather than waiting for 4.1.
-- Lets hope that the dev team have some more holes in their pockets!
Jobby slates Adobe.
Yet another flaw annouced in iOS leaving users vulnerable.
But it's not Adobe's fault.
Jobby is hypocitical and arrogant and WRONG.
Apple hasn't had a track record for failures? Can you name one iPhone/iOS that hasn't been rootable and carrier-unlockable very very easily?
iOS 3 = XP
iOS 4 = Vista
We are all just waiting for iOS 5 :)
iOS4 is perfectly good, it's nothing like VISTA.
It's the iPhone 4 antenna that has the quirks.
Comparing iPhone 4 to VISTA is stupid, VISTA didn't sell well yet the iPhone 4 has.
Vista was touted to run on XP Hardware, but turned out to be a clinker-built slug-hog released according to the marketing depts schedule, despite a host of known QC issues . Ditto iOS4 - and iPhone4 for that matter.
I don't care how many people have said it.
Who the hell thought that was a good idea and why have they not been put down?
My god, just the sheer annoyance of it would drive me mad.
...whereas most browsers automagically run Flash unless you tell then not to.
Which is worse, knowingly running something that obviously has script inside it or opening something that doesn't?
(Just for the record, I've turned Flash off. It's mostly unnecessary, as you can immediately tell once you've turned it off for a while. About 10% of the Flash is important to the working of the page and that's probably my biased view because I watch videos online ;)
According to many posts I've read on different forums the iPhone can't ever be hacked because of signed code limitations. This must not have happened, its just a hoax.
My iPhone mail app has never opened PDFs automatically - I have to select them. OK, it doesn't ask me to confirm that I want to open it, but an explicit action is required.
Is my iPhone unusually paranoid or is the article over-egging the mail attack vector.
fscked by SHA-1 collision? Not so fast, says Linus Torvalds