back to article Shedload of security bugs squashed in iOS 9 – what the hell went wrong with iOS 8?

Apple's latest version of iOS – iOS 9 – is out today with new features and security fixes. A lot of security fixes: 101 potentially exploitable bugs, we count. If you've got a compatible device, you may well want to upgrade sooner rather than later – certainly before people start trying to exploit these security holes. The …

  1. graeme leggett Silver badge

    straight question

    What's Apple's thinking behind patching this many issues in one go rather than say fixing 30 and then 70 six months later? That way a fair number of holes would have been closed off and users ought to have been safer in the interim.

    1. Anonymous Coward
      Anonymous Coward

      Re: straight question

      They do fix security issues on the point releases as well. The reason for the larger number could be that the fixes were more involved so they wanted to wait for 9.0, or they or someone else ran some new types of bug scans (source code scans, fuzzing, whatever) that found heaps of new bugs, or the extended beta cycle of a major release gets better testing and more issues get found than in the shorter cycles of a 8.3 or 8.4.

      1. Charlie Clark Silver badge

        Re: straight question

        The reason for the larger number could be that the fixes were more involved so they wanted to wait for 9.0…

        Ever the apologist! Waiting means leaving paying customers potentially vulnerable to some pretty severe exploits. But you obviously seem happy both as a customer and, as you frequently remind us, as an investor. Ergo Apple must doing it right.

        1. Anonymous Coward
          Anonymous Coward

          Re: straight question

          So you're going to claim the same amount of effort is required for every bug fix, and that "rather than do a halfway job of fixing this bug now, we're going to rewrite this whole subsystem in the next major rev to do a proper job" isn't a reasonable idea? If the bugs were being actively exploited obviously I want the fix sooner rather than later, but no one is able to fix everything with a day/week/month (whatever you seem to feel is the appropriate time after becoming aware of a bug) in every case. They have delivered point releases specifically for a single security issue in the past, so they'll do it for bugs they feel it is necessary for.

          Apple is fair from perfect, but point me to someone who is doing better. Google's code sure isn't any better, when overflowing the lock screen password drops you to the home screen! Even if they deliver fixes few Android owners ever see them until they buy a new phone. Microsoft has a terrible history WRT to security, and while they're better than they used to be they still have many security fixes in their monthly patch cycles and offer fewer and fewer details about what is actually be fixed these days. They obviously released Windows 10 based on a marketing schedule than when the engineers thought it was done, so they aren't an example Apple should strive to emulate.

    2. Bob Vistakin
      Holmes

      Re: straight question

      They're Thinking Different.

      Fixing bugs when they are reported makes it clear their immaculate products weren't so perfect after all, and as always with Apple it marketing first.

      Small point - the bluetooth AirDrop hack became public this week but its not on that list?

  2. Anonymous Coward
    Anonymous Coward

    iOS 8 is now like a middle aged drunken uncle trying to do cool dancing at his niece's wedding. iOS 9 is the new supermodel. I think that explains everything clearly.

    1. Anonymous Coward
      Trollface

      "iOS 9 is the new supermodel."

      Looks pretty on the outside, but in reality is shallow, unoriginal and vacuous?

      1. Anonymous Coward
        Anonymous Coward

        Much like your comment...

        1. Anonymous Coward
          Anonymous Coward

          Really? You fandroids really are sensitive little souls.

  3. werdsmith Silver badge

    Had to flip my phone region temporarily over to United States (and restart) to get the new News app to appear.

    I avoided the tacky bias-rags like the Guardian etc and I'm trying out the Huff, and The Register is on there too!

  4. Voland's right hand Silver badge

    C'mon. It's 1998 all over again

    1996. Aleph wrote and published "Smashing the Stack for Fun and Profit" in 1996

    1. Destroy All Monsters Silver badge

      Re: C'mon. It's 1998 all over again

      +1 for this reference! Your name is Watson.

    2. Grikath

      Re: C'mon. It's 1998 all over again

      You mean when Apple as a brand had so little total uptake they could actually afford security by obscurity, because their market segment was so small and specialised that they simply weren't worth bothering with from the perspective of malware writers?

    3. Fazal Majid

      Much older than that

      Robert Tappan Morris' 1988 worm used a buffer overflow in fingerd, for one.

      1. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    IOS less than perfect?

    You heretics, Burn them all

    1. Destroy All Monsters Silver badge

      Re: IOS less than perfect?

      As soon as we manage to get out of the Apple Reality Distortion Warp, Cardinal!

  6. schafdog

    Apple employees are super human?

    "Apple employs a lot of clever and capable people, who are very well compensated. Isn't it time for a multinational technology giant with smart folks, plenty of resources, and endless billions of dollars in the bank, to start shutting down whole classes of bugs in its products?"

    Many people in the Silicon Valley is highly paid, and I am pretty sure that other people makes memory allocations / bounds errors. But Apple has to live up to higher standards?

    I would have prefered more releases on iOS 8 to fix CVEs but as far I remember all devices that supports iOS 8 can run iOS 9, and since there are no ground breaking differences in UI everyone can upgrade and thus end-of-life iOS 8.

    People using Android depends on Operators to create new releases and that is not going so well...

    But I would prefer that that iOS users had the choice to upgrade or not, and even downgrade if the new release isn't optimal.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Apple employees are super human?

      "Apple has to live up to higher standards?"

      Apple – like Facebook, Google and Amazon - hire the best. So, yeah.

      C.

      1. Dan 55 Silver badge

        Re: Apple employees are super human?

        Well something's failing because both iOS and Android have bugs that look like they didn't even bother to test.

      2. chris 17 Silver badge

        Re: Apple employees are super human?

        well this i the best that the best minds can come up with. Deal with it or employ your own staff to write your better code on your better device.

    2. Mike Flex

      Re: Apple employees are super human?

      "But Apple has to live up to higher standards?"

      They charge a premium price for their products and their software only has to run on a restricted range of hardware so, frankly, yes.

  7. This post has been deleted by its author

    1. SuccessCase

      Re: I may have found a bug in iOS 9 already :)

      No, not oops. Basically you either have to log in using your primary AppleId password AND have to confirm the login using the second factor (e.g. a message to another designated device) OR if using a service where the second factor isn't used, you login using an app specific password. Things have changed for the better with iOS 9 with the second factor used with more services, eliminating the need for the app specific password (even if you have set one up). Just because you used one for service x before, doesn't mean you need to now.

  8. Anonymous Coward
    Anonymous Coward

    How is this any different than anyone else's OS?

    There are always long lists of exploitable bugs fixed. If you even see the list - Microsoft puts out so little information in its patches you often don't know what it fixes other than 'security' and whether it fixed a single bug or a dozen unrelated bugs in the same subsystem.

    Here's a question to ponder (I don't have the answer) Is a lengthy list of security fixes a good thing (because a lot of stuff is being found and fixed) or a bad thing (because there were so many issues before) If they had 100 bugs this time, but only 5 bugs found and fixed with iOS 10 a year from now is that a good thing (hardly any bugs found) or a bad thing (they stopped looking as hard and potentially left many bugs in place)

    1. parity bit

      Re: How is this any different than anyone else's OS?

      Depends on whether you sell your OS as absolutely and completely safe (no need for AV/Malware protection in our house) or whether you fess up and say you ain't perfect.

      1. Anonymous Coward
        Anonymous Coward

        Re: How is this any different than anyone else's OS?

        AV/anti-malware doesn't protect you against security holes in the OS. There are essentially zero viruses or worms for iOS, so regardless of your feelings about Apple you have to admit there would be zero difference in your safety/security if you had it. Maybe that changes someday if there's a widespread virus (and one that affects non-jailbroken devices)

        The walled garden is far from infallible, but if a dodgy app gets past Apple's checking they can remotely disable it easily so the window of vulnerability would be pretty small even if someone manages to slip something by. I get that some people don't like giving up that level of control and want to be able to run whatever they want. I want that freedom on my desktop, but I look at my phone as more of an appliance, which is why I'm one of those oddballs who has an iPhone but has been running a Linux desktop since before 2000 (i.e. before the first of the many "year of the Linux desktop"!)

    2. Destroy All Monsters Silver badge

      Re: How is this any different than anyone else's OS?

      It's a Bad Thing now, and a Worse Thing later.

    3. asdf

      Re: How is this any different than anyone else's OS?

      >How is this any different than anyone else's OS?

      https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-oberg-nyberg-tusini.pdf

      Check out the graph on page 14. Granted its only a snapshot of cve data but in general with general purposes OSes out of the box there is OpenBSD and OpenVMS and everything else security wise. You said OS not mobile OS only btw.

    4. Charlie Clark Silver badge

      Re: How is this any different than anyone else's OS?

      Here's a question to ponder (I don't have the answer) Is a lengthy list of security fixes a good thing

      Wrong question. They should be aiming to keep the list as short as possible but should be completely honest and open about it: errors happen and we're doing everything we can to reduce them.

      Let's face it: with NextStep and MacOS they have a pretty good, tried and tested basis for the OS. Consequently, the number of low-level bugs is small compared to some of the stuff that crops up in Microsoft's list (because Internet Explorer is so tightly welded to the OS). But some of these errors are, a bit like some of the shit Google has done with Android, frankly alarming that they are not being picked up before release.

    5. Naselus

      Re: How is this any different than anyone else's OS?

      " Is a lengthy list of security fixes a good thing (because a lot of stuff is being found and fixed) or a bad thing (because there were so many issues before)"

      Always, always, always a good thing.

      No-one writes perfect code. Any complex software is therefore riddled with bugs automatically - be they typos in the UI or an escalation of privilege vuln that allows complete remote takeover, there's usually dozens of bugs of each type. If you don't have long lists of security fixes, then either a) your software is insecure as hell and people are going to attack the hell out of it, or b) your software is insecure as hell but no-one bought one so no-one is bothering to write attacks on it.

      Apple from the 1990s very much fell into the second camp; their wafer-thin market share and the fact that no-one would dream of storing any useful data on an Apple machine at that point meant there was simply no market for attack vectors, so no-one cared to look for them. This is where we get the myth of Apple security from - the castle was made of wood and was missing two walls, but there were no invaders, while MS at the time (who weren't much more secure)were being constantly bombarded.

      Microsoft learned from that and actually do spend a hell of a lot of resources on security since then; their problems (much like Android's today) largely stem from the sheer size of their market share encouraging most malware writers to target their OS. Conversely, Apple largely decided that the lack of viruses and hacks on Macs was due to their own genius. This is why Eugene Kaspersky said Apple were a good ten years behind MS on security - he didn't mean technologically, he meant culturally. Apple's culture by about 2010 was all about making access easy and avoiding the user being forced to jump through security hoops, at a time when people found their Windows machines popping the UAC every time they wanted to open a program and most Linux distros demanded a sudo for more or less anything more involved than opening the web browser. The lack of annoying sec checks appeals to users... but is exactly the sort of thing that was regularly slammed by security professionals.

      Apple have made some good strides in this in recent years, but tbh some of their security practices flagged sine 2007 have been face-palming embarrassing 1998 stuff. The overwhelming faith placed in the walled garden, for example, is conceptually utterly wrong. Good security assumes that your opponent has information you don't, and so will be able to breach your security (both GCHQ and the NSA, for example, run on the assumption that their security is permanently compromised and all internal network comms are being intercepted by rival agencies).

      I generally divide attackers into three categories - category 1 covers 95% of attacks, and is generally script kiddies. A decent firewall, antivirus and antimalware will offer complete protection against these guys, and they're also the group which the walled garden protects you against. Category 2 covers 4% of attacks, and these are seasoned professionals who really know what they're doing; they use zero-days, social engineering and have some serious coding clout. These guys are genuine criminal hackers, and they're the ones that you need good, well-trained security professionals to combat. These guys ignore Apple devices not because they can't breach them, but because there's much, much better returns to be had from targeting Android and Windows machines. Why waste a week finding hacks for the iPhone when you could hit 9 times as many people on Android for the same amount of effort?

      Then there's category 3, who cover about 1% of attacks and you simply cannot defend against them, only attempt to detect what they did after the event. These are the guys who don't just use zero days; they discover them and will deploy multiple examples in an attack; they're the kind of guys who can write a virus that targets a specific set of serial numbers for centrifuges made in a small geographic area between two dates and so shut down the Iranian nuclear program. They generally have state backing, and you're not really going to be able to stop them short of air-gapping, custom O/Ses completely divorced from the OSI model and generally just preventing any means of access. The main defense against these dudes is simply not being a worthwhile target, since governments mostly spend their time hacking each other and ignoring the rest of us.

  9. Crazy Operations Guy

    One big fix that iOS 9 fixes

    The cynic in me believes that they waited until a major release like this so that anyone still using a device that can't upgrade to 9 will now need to buy a new device to remain safe.

    1. asdf

      Re: One big fix that iOS 9 fixes

      Though that play is in their playbook supposedly some other poster said they for once didn't cut off devices this time. Probably due to some new feature they want to bank on. Kind of like the one software Apple continues to update long after the others is iTunes.

    2. Matthew 17

      Re: One big fix that iOS 9 fixes

      But there aren't any devices that were capable of running 8 that can't run 9.

  10. Anonymous Coward
    Angel

    Magical and game-changing

  11. oneeye

    Fruity Folks Finagle facts and figures to Fanboys!

    Fanboys are treated like mushrooms! Apple keeps them in the ddark,and feeds them lots of $h/+!

    There have been now,well over THREE HUNDRED FIXES in just the last year,for those of you who are mushrooms. The point the author makes is a valid one. Stupid laziness of Apple's supposed superior engineering, leaves users in the Lurch.

  12. MacroRodent

    Cure known but will not be used....

    Any system where the bulk of the software is written in C, or the C derivatives that share its low-level insecurity, like C++ or Objective C, will have buffer overflow errors until the heat death of the universe.

    There are secure languages, and I do not only mean slow managed languages like Java or C#, that proactively prevent memory errors. For example Ada, the "Wirth langauges", etc. They just aren't fashionable. Yes I know that some low-level code like drivers cannot implemented with a totally safe language (except these languages often provide loopholes that can be used when absolutely required), but the bulk of the "userland" code could be written in safe compiled languages with no performance loss.

  13. Anonymous Coward
    Anonymous Coward

    Just updated to it

    Nah, don't like the new "tab pages" app closing and also why did it put the "find friends" shit on my front page?

    Put it on the last page along with iwatch, wallet health and the other stuff i'll never use but cant delete

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like