Drive-by Wi-Fi i-Thing attack, oh my! Apple hasn’t provided much detail, but you don’t want to ignore the latest iOS release – 10.3.1 – because it plugs a very nasty Wi-Fi vulnerability. Cupertino has rushed out the emergency patch because: “An attacker within range may be able to execute arbitrary code on the Wi-Fi chip” – meaning, presumably, that malicious …
Oh, like so many Android devices that get at most 1 or 2 security updates and virtually no OS upgrades despite lots of promises from the manufacturer/network.
Apple has a lot to not like about it, but the length of time that iDevices get updates is generally far better than any Android or Microsoft device.
AFAIK, the last 32bit device they sold was the iPhone 5. That was around 4 years ago if not before.
In the mobile space, that age of device is considered almost prehistoric.
How many Androids running 4.x would get this sort of update? or 5.x?
and when I looked about 6 months ago it was still possible to buy a new Android running Gingerbread. It might be cheap but WTF?
as Apple make most of the profits in the mobile device space they can afford to release these updates and they need to be made to keep on doing so, so well done El Reg for pointing this out. I'm sure the one or two readers of this site who have iDevices will be udating them ASAP.
Just because it runs Gingerbread, doesn't mean it can't be up-to-date.
I'm not saying it's the case (probably cheap Chinese stuff never gets updated at all) but going from Android Gingerbread to Marshmallow is just unfeasible and like forcibly upgrading everyone on Windows 98 to Windows 8.1. That's never going to work and even if it did, it's not going to go down well.
But there's no reason that vendors can't push out patches to any version of Android to patch the same bugs, in the same way that Vista still gets "critical" security patches.
To be honest, in my mind, the constant forced upgrade is much more of a pain than anything else, because it's NOT the case that Android G devices can happily run anything past that anyway, but I don't want to have to change phone every damn year.
My smartphone is currently on the latest vendor-supplied patch (Android Marshmallow at the moment). It pissed me off no end when a simple security patch that was required radically altered how my phone works and looks.
What we need is a separation between "security patch" and "feature addition" such that security patches can ALWAYS be applied to an OS, but feature additions requires the user's consent. We used to have that. Now it's gone.
I think you can leave MS of that list. They tend to support for around a decade.
On the desktop, sure. Their mobile devices were obsoleted after every major revision, with nothing that ran Windows Mobile 6.5 able to update to Windows Phone 7, nothing that ran WP7 able to update to WP8, and a minority of WP8 devices able to update to WP10. That is probably part of the reason they failed in mobile - they already had a small share and then orphaned each generation when they moved to the next.
Oh, like so many Android devices that get at most 1 or 2 security updates and virtually no OS upgrades despite lots of promises from the manufacturer/network.
Apple has a lot to not like about it, but the length of time that iDevices get updates is generally far better than any Android or Microsoft device.
That's because Apple are the only makers of Apple devices, and they refused to bend at all to the networks. They have complete control over what gets what.
A similar Android device would be a Nexus, which also gets lots of upgrades, because it's Google in charge, and nobody else has any say.
Unfortunately, most Android devices come from the likes of LG, Samsung etc... And they are your bottleneck. They're interested in the money from your next purchase, not the money you've already given for the current.
Someone should make a website with some nice graphs so you can see what kind of after sales service you can expect to get.
> Surely this can only bork the radio, right?
It would seem likely that the Wi-Fi chip can read and write to arbitrary memory locations (avoiding needing the CPU to move bytes around when receiving data).
So it would be possible to bypass any virtual memory or OS process protection...
If a hacker owns the Wi-Fi chip, then probably they can rewrite the entire internet before you see it? Including HTTPS without Extended Validation - their own "apple.com" will have a different certificate from the real one, but you may not be able to see that.
"9to5Mac notes that while 10.3 left older 32-bit devices off the list, 10.3.1 includes them – indicating how serious Apple views the bug."
It sounds like a shocking big bug, so atrocious awful that sudden high qualified proof readers are willynil dropping proper formatted adverbial suffixes from their copy. I'd take that serious.
It's the classic error: "a buffer overflow fixed by better input validation" The obvious solution is to include a compiler check on all input and automatically add input validation on all input. It's such an obvious fix that only a genius could come up with a daunting explanation as to why not to do it. (Might have something to do with 'job security'.)
was bettersome input validation.
Fixed it for you.
Seriously people, you read in data from an uncontrolled source and you don't catch something as common-place and dangerous as a buffer overflow?
It's pretty easy. I reserve X bytes, if "size of data" > X, that's an error. If "size of processed data" >= X, you stop processing. Or even better, if "size of processed data + size of data to process" > X, STOP!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
