Portables (Apple) Cellphones Handhelds Security Hardware

iPhone 3.0 Update Delivers Prodigious Patch Batch

CWmike writes "Apple patched 46 security vulnerabilities in the iPhone and iPod Touch, half of them in the Safari browser and its WebKit rendering engine, as it released iPhone OS 3.0 on Wednesday. One of the patched WebKit vulnerabilities stands out because of the attention it received in March, when a German college student, Nils, walked away with a $5,000 cash prize for hacking Safari at the Pwn2Own challenge. Nils used a bug in WebKit's handling of SVGList objects to crack Safari."
  • by abshack ( 1389985 ) on Thursday June 18, 2009 @04:13PM (#28379751)
    Does it support copy & paste?
  • by mwvdlee ( 775178 ) on Thursday June 18, 2009 @04:17PM (#28379829) Homepage

    $5000... you couldn't hire a security expert to do the same work for that little money.

  • Re:Hacking Safari? (Score:4, Insightful)

    by Em Ellel ( 523581 ) on Thursday June 18, 2009 @04:46PM (#28380351)

    Yes, you are missing the part where you should read the article

    From TFA:

    IE8 wasn't the only browser Nils hacked yesterday. After he took down IE8, he moved on to Apple Inc.'s Safari and Mozilla Corp.'s Firefox, both of which he successfully exploited with attack code he had created earlier. His total for the afternoon: $15,000 in cash from TippingPoint, and the Sony laptop

  • by mdwh2 ( 535323 ) on Thursday June 18, 2009 @05:59PM (#28381423) Journal

    Phone companies are the scum that are only slightly worse than the music industry.

    Certain companies with certain phones may well be. My phone Just Works on tethering and other things without the need to jailbreak anything :) (I didn't even know it had a special name like "tethering" to be honest - I just thought it was something that worked as standard out of the box with any phone. There's nothing special about my phone, it's just a commonly available cheap bog-standard one.)

  • by vux984 ( 928602 ) on Thursday June 18, 2009 @06:40PM (#28381983)

    Have they gotten to the point where they have actually tricked you into thinking there's a difference?

    There is a difference. It's subtle, but important. But it's not a technical difference; it has to do with service levels, over selling, marketing, and pricing. But that doesn't mean it's any less "real".

    Essentially, when they give you a 6GB data plan they are overselling their capacity. They know this. I know this. And now you know this. It's not a secret, it's not 'teh evil'. If -everyone- used 6GB every month they'd be unable to deliver the service reliably at that price.

    High-end users are subsidized by low-end users. Low-end users are happy that they have 6GB and don't have to worry about bandwidth every time they check their email. The carrier has a good idea what the distribution of users is, and knows that it can offer 6gb for $30 bucks, overselling what they can actually deliver at that price, but secure in the knowledge that the mathematical models of their customers' usage patterns virtually guarantee they won't have to.

    But that all assumes no tethering. It's a no-brainer to sell 'unlimited data' to a blackberry user a couple product cycles back-- the thing only did email really well, and web browsing poorly. Add in tethering, and suddenly a sizeable chunk of customers on unlimited go from 'low/moderate' usage measured in the kilobytes per day to super-users in the 10s of megabytes per day. Someone that historically only checks his email on his device, getting the odd document, or mp3... well, now he's downloading his operating system service pack, virus software update, while watching youtube.

    The mathematical model changes. Bottom line: if they allow tethering, consumption goes up sharply for a significant group of consumers. They need to deliver more total bandwidth. That additional capacity costs more to supply and maintain. So they need to charge more for it.

    And so we have 'no tethering' in some areas or 'tethering feature' charges in other areas. As we move forward, the devices become more powerful, and it's actually possible to use significant bandwidth on them, but even now, bandwidth usage per unit for untethered use is an order of magnitude lower than what tethered users use.

    The carriers fear they would be unable to deliver reliable service at that level at that price point with widespread tethering. So they're being cautious about it, and looking to tier the service so that people who need it pay for it.

    A final word out to those who despise over-selling and think the ISP shouldn't do it. Shut the hell up. We, the /. power users, benefit from over selling the most. It's our usage that is subsidized by the low end users. It's because of overselling we can get 6GB for $30 in the first place. If they got rid of overselling the prices we'd pay would shoot sky high, and we'd all pay by the megabyte or some other metering right from the first byte. That would suck.

    That's not saying that ISPs are angelic entities looking out for us, but overselling is good business that generally benefits the consumer with lower prices and services offered in a form that we like (I want a 6GB plan more than a plan that charges me 1$ per MB). Over selling makes efficient use of the available resource... it's a case of the free market actually working.

  • by vux984 ( 928602 ) on Thursday June 18, 2009 @08:51PM (#28383713)

    Uh, no.

    Uh. Yeah.

    You use your phone to access the internet over the cellular network.

    Thank you captain obvious.

    Whether or not your phone then communicates with your PC or other devices makes no difference. At all.

    Actually read my post before you reply. There is no technical difference. But in terms of the business model to support it they are worlds apart.

    Take a salad-bar, it's the same situation. A single person can't really eat that much food, so I can offer him unlimited food for a fixed price, and make money by pricing it above what the average person will consume.

    If people walk in and start expecting to 'tether' and feed their whole family off that one price, that's a game changer. I can't run an unlimited salad bar at that price anymore. The average amount consumed per "plate sold" has gone WAY up.

    Similarly, with a data device, there's really only so much data a single handset will consume. They are still mostly used for email and small files. So you can give people lots of bandwidth for a fixed price above the average cost and make money. If people start tethering, where they suddenly are using a lot more average bandwidth than before, then the pricing is no longer valid. They need to raise the rate, or charge for tethering, or block tethering, or something in response.

  • by mini me ( 132455 ) on Thursday June 18, 2009 @10:12PM (#28384445)

    What I wonder is: How can Apple distribute the Remote application for free? It is an additional feature that was not provided with the original sale. There is no technical difference between downloading Remote through iTunes and downloading iPhone OS 3.0 through iTunes.

    I see no problem with Apple charging for the update if they want to charge for it. But the SOX reasoning doesn't seem to make sense when they clearly provide additional features for free already.

  • Re:Hacking Safari? (Score:2, Insightful)

    by pv2b ( 231846 ) on Friday June 19, 2009 @02:06AM (#28385883)

    To give you an idea about how slow Apple are about patching security holes, and to add another data point to the description:

    I reported the security issue known as CVE-2009-1697 (which is included in this large patch release). The e-mail back from Apple confirming receiving my report of this issue is dated January 7, 2009 in my e-mail inbox. That's about half a year ago.

    Now, granted the security bug I reported is actually very difficult to exploit and do anything actually useful with. Basically, if you used XMLHttpRequests in Safari and requested a URL ending with a newline, it would end up in the final HTTP request as double newlines. I.e. the HTTP header would be terminated prematurely (before the Host: header, significantly) and thereby allow javascript to access files hosted on the default website on the same server the javascript was served from. For example, if victim.example.com is served on the same IP address as evil.example.com - javascript on evil.example.com could use this to request files on victim.example.com.

    In other words - you could do cross-site-scripting targeting another web site served on the same IP address as the web site hosting the exploit.

    Still, took them about 6 months to patch it and actually roll out an update, it seems. Heh.
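
The header-termination effect described in the comment above, seen from the defending side, as an added example that is not part of the original comment or of Apple's fix. All function names and the sample request bytes are constructed; the exact bytes Safari emitted are not given on the page, so the sample only models the stated outcome (the header block ending before `Host:`).

```javascript
// Added example: names and sample bytes are constructed for illustration.

// Client-side guard: reject URLs carrying CR, LF or other control characters
// before they are ever serialized into a request line.
function isSafeRequestUrl(url) {
  return !/[\x00-\x1f\x7f]/.test(url);
}

// Parse only what a server sees: the header block stops at the first blank line.
function parseRequestHead(raw) {
  const end = raw.indexOf("\r\n\r\n");
  const lines = (end === -1 ? raw : raw.slice(0, end)).split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers.set(line.slice(0, i).toLowerCase(), line.slice(i + 1).trim());
  }
  return { method, target, version, headers };
}

// Lenient name-based virtual hosting: a missing or unknown Host header
// silently falls through to the server's default site.
function pickSiteLenient(req, sites, defaultSite) {
  return sites.get(req.headers.get("host")) || defaultSite;
}

// Strict routing: a request without a known Host header is answered with 400
// instead of being mapped to the default site.
function pickSiteStrict(req, sites) {
  const site = sites.get(req.headers.get("host"));
  return site ? { status: 200, site } : { status: 400, site: null };
}

// Constructed sample data: two sites on one IP address, "victim" being the default.
const SITES = new Map([
  ["victim.example.com", "victim"],
  ["evil.example.com", "evil"],
]);
// Header block cut short before Host, as the comment describes.
const truncated = "GET /file.txt HTTP/1.1\r\n\r\nHost: evil.example.com\r\n\r\n";
// The same request serialized correctly.
const normal = "GET /file.txt HTTP/1.1\r\nHost: evil.example.com\r\n\r\n";
```

With the lenient router the truncated request is served from the default site even though the page that issued it came from `evil.example.com`; the strict router answers it with 400, and the URL guard stops it before it is sent.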

  • by zaajats ( 904507 ) on Friday June 19, 2009 @04:42AM (#28386781)

    Now I'm looking at keeping my Sanza Fuze and Nokia E51. Apple can get fucked.

    Your Fuze gets feature-rich updates often?

    Point being — I find it somewhat strange that when Apple charges for an update, it's somehow worse than the competitors who don't offer any of the features, free or otherwise.

  • I know... this doesn't change the fact they charge for iPod firmware updates -- and Apple's reasoning is certainly open to well-deserved criticism -- but they lay the blame squarely on the Sarbanes-Oxley act.

    That's bullshit. I bought iTouch OS 3.0 for $10 and assure you that it's not a bigger update than any of MS's service packs, or even their own OS X point upgrades. Every OS company - including Apple - somehow manages to give away upgrades, but they're claiming the government made this one illegal? Nope. Apple wanted extra cash and they charged for it, pure and simple. If they'd said something like "we're offering it for free to our premium customers", I think there would've been a lot less anger over it.
