CoreText Font Rendering Bug Leads To iOS, OS X Exploit

redkemper writes with this news from BGR.com (based on a report at Hacker News), excerpting: "Android might be targeted by hackers and malware far more often than Apple's iOS platform, but that doesn't mean devices like the iPhone and iPad are immune to threats. A post on a Russian website draws attention to a fairly serious vulnerability that allows nefarious users to remotely crash apps on iOS 6, or even render them unusable. The vulnerability is seemingly due to a bug in Apple's CoreText font rendering framework, and OS X Mountain Lion is affected as well."

iOS doesn't have exploits

[0xdeadbeef]

It has jailbreaks, and that's a good thing.

Re:Who says?

[smash]

Targeted != exploited. They're both targeted, just android is a lot easier to exploit because there is so much junk out there without any updates.

Re:Who says?

[ciderbrew]

I do; but its more like ... Find something that looks really good, then look at all the permissions it wants; but it shouldn't need all those permissions!! Feel sad about it and then don't install it unless drunk.

Re:Who says?

[sootman]

Holy cow, your fanboy hat must be cutting off the flow of blood to your brain. Explain again why an OS with 4x the market share garners 100x the exploits?

Maybe, just maybe, there's more to it than market share.

"... it fell 3% in marketshare in just the last three months..."

iPhone sales ALWAYS drop this time of year because everyone knows a new one is coming this Fall. It'll be back up in another few months... and then maybe down again, and then up again...

Re:Who says?

[gnasher719]

Android:
79.3% marketshare.
80% of malware.

That may look good to you, but it isn't. If you had 100 pieces of malware, and each affected 1% of the possible users, then you would have 80 pieces of Android malware and 20 pieces of other malware, so an Android user would have an 80% chance of being affected, while other users would only have a 20% chance.

It may give an explanation why there is so much malware, but it doesn't help you. (BTW iPhone was said to be attacked by 0.7% of all malware, which makes every iPhone user about 100 times safer. And all iPhone users have bought an expensive phone, while the high Android numbers come from all the cheap Android phones around, so your "Fort Knox vs. piggy bank" comparison is a bit stupid. ).

Re:Who says?

[Joce640k]

Well that would be logical wouldn't it, given that Android is a more widely used platform

Not only that, it has a checkbox to allow you to install unsigned apps from uncontrolled websites.

Unsurprisingly, bad people upload malware to those sites. If you download it and click "yes", you'll get what you deserve, just like installing randomly downloaded exe files on PCs, etc.

Re:Who says?

[0123456]

Right, because having users manage their own risk profile has worked out so well in the PC/Windows world...

Indeed. Letting someone else control your computer is much safer.

Android's big problem is that you have no way of saying 'no, I'm not giving this app that permission', and can only choose to install or not install the Fluffy Kitty Screen Saver that wants access to your filesystem, the Internet, and the ability to send SMS messages.

Re:Who says?

[Plumpaquatsch]

Well that would be logical wouldn't it, given that Android is a more widely used platform. Hackers often try to get the biggest 'bang for buck' and target the most popular platforms (see also number of Windows viruses vs. Mac OS ones).

Are you claiming iOS was targeted far more than Android just 2 years ago?

Re:Who says?

[chowdahhead]

I think Android is targeted more because it isn't inherently tied to the Play store, and not so much because of devices not being updated. The app signature verification works for 2.3 and up, which covers 96% of Google's Android devices. Getting malware on a phone or tablet still generally requires installing a malicious app, and it's far easier to be careless about that on Android.

The myth of the equal opportunity attacker

[benjymouse]

Holy cow, your fanboy hat must be cutting off the flow of blood to your brain. Explain again why an OS with 4x the market share garners 100x the exploits?

Attackers will *always* try to attack the biggest target. They are not for equal opportunity, they do not meet to work out quotas so that OSes gets attacked accordingly to their market share.

Say you joined a shooting competition: You can shoot at two targets, equal size and equal distance, no objective difference at all. Only difference is that each time you hit target A four people will give you $10 each and each time you hit target B only one person give you $10. You have 10 rounds. How do you distribute your rounds between the two targets? Do you fire 8 shots at target A and 2 shots at target B because that would be the most fair thing to do, or do you fire all 10 shots at target A?.

Maybe, just maybe, there's more to it than market share.

There might be. When you see people start taking shots at B, despite the higher reward of hitting target A, you can conclude that some factor causes them to *not* go for the higher reward. Somehow target A must have become harder to hit, the reward is going down or the shooters skills allow them to hit target B more easily.

But all other things being equal, prudent attackers who are in it for the rewards will go for the higher market share, every time.

Re:The myth of the equal opportunity attacker

[exomondo]

Attackers will *always* try to attack the biggest target. They are not for equal opportunity, they do not meet to work out quotas so that OSes gets attacked accordingly to their market share.

Ok then so if iOS has 13.2% marketshare then why does it only get 0.7% of the smartphone malware and the remaining 20.3% of smartphone malware is targeted at the remaining various players that make up just 6.8% of the marketshare?