Apple Fixes Three Zero Days Used In Targeted Attack (onthewire.io) 76
Trailrunner7 quotes a report from On The Wire: Apple has patched three critical vulnerabilities in iOS that were identified when an attacker targeted a human rights activist in the UAE with an exploit chain that used the bugs to attempt to remotely jailbreak and infect his iPhone. The vulnerabilities include two kernel flaws and one in WebKit and Apple released iOS 9.3.5 to fix them.
The attack that set off the investigation into the vulnerabilities targeted Ahmed Mansoor, an activist living in the UAE. Earlier this month, he received a text message that included a link to what was supposedly new information on human rights abuses. Suspicious, Manor forwarded the link to researchers at the University of Toronto's Citizen Lab, who recognized what they were looking at. "On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising ;new secrets' about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based 'cyber war' company that sells Pegasus, a government-exclusive "lawful intercept" spyware product," Citizen Lab said in a new report on the attack and iOS flaws.
The attack that set off the investigation into the vulnerabilities targeted Ahmed Mansoor, an activist living in the UAE. Earlier this month, he received a text message that included a link to what was supposedly new information on human rights abuses. Suspicious, Manor forwarded the link to researchers at the University of Toronto's Citizen Lab, who recognized what they were looking at. "On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising ;new secrets' about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based 'cyber war' company that sells Pegasus, a government-exclusive "lawful intercept" spyware product," Citizen Lab said in a new report on the attack and iOS flaws.
Re: (Score:3)
Re: (Score:3)
It's more about Apple strong-arming the carriers into an agreement where Apple can roll out any software they want to any iPhone at any time, WITHOUT the carriers' approval or testing, and even without allowing the carriers to inject their own software (bloatware) into the image.
All other smartphone vendors are, at least individually, not in a position of enough strength to try and tell Verizon, AT&T, Telstra, Orange, etc. that they don't get to make any software customizations or do their own testing.
Re: (Score:2)
It's more about Apple strong-arming the carriers into an agreement where Apple can roll out any software they want to any iPhone at any time, WITHOUT the carriers' approval or testing
That is bollocks.
Software upgrades don't affect the carrier at all.
How should they?
Re: (Score:2)
I'm not arguing whether software updates to devices should or shouldn't affect or be approved by carriers; I'm telling you that they *are*. Factually. It's a known thing; look it up. The carriers themselves admit it.
If you are using a smartphone that was not manufactured by Apple, and you live in a country where large corporations own and operate the telecommunications infrastructure, especially the United States, UK and Australia, there is a very good chance that your carrier actively tests, modifies, and
Re: (Score:1)
If you are using a smartphone that was not manufactured by Apple, and you live in a country where large corporations own and operate the telecommunications infrastructure, especially the United States, UK and Australia, there is a very good chance that your carrier actively tests, modifies, and must approve all operating system software updates being applied to your phone, *before* that software can be rolled out to you.
Perhaps the carriers demand that, but it makes no sense.
The software can not interfere w
Re: (Score:3)
Re:How many can get updates from carriers!? (Score:5, Informative)
Re: (Score:2)
Only if you agree crazy enough to buy your phone from the carrier.
Re: (Score:2)
It's nothing to do with causing network issues, virtually all carriers can't stop you connecting your own handsets that could be running anything.
It's all about branding, forcing their brand in your face and all the bloated crap they want to put on the handsets that the users will never use.
Re:How many can get updates from carriers!? (Score:5, Informative)
Few. Any. Time. Soon. Give. It. Up.
That's not how iOS works. The carriers just carry. Apple provides the update -- to the user's device. The carrier has no say in it at all.
Or, are you implying that the carriers will refuse to carry the update? That would be selective blocking / filtering, and once that story breaks, well, it'll be pitchforks and torches against those carriers.
And, to cover any misunderstandings, if the phone has no carrier, it cannot transmit, either.
So... what was your point, again?
Re:How many can get updates from carriers!? (Score:5, Interesting)
And, to cover any misunderstandings, if the phone has no carrier, it cannot transmit, either.
So... what was your point, again?
You can use a iPhone with no carrier. I do all the time. You just use wifi enabled calling and sms. It's a lot cheaper, much less of a headache, and quite convienent for some people who nearly always have access wifi.
Re: (Score:2)
You can use a iPhone with no carrier. I do all the time. You just use wifi enabled calling and sms. It's a lot cheaper, much less of a headache, and quite convienent for some people who nearly always have access wifi.
Certainly. That's how I use it at home, at friend's houses, and the like. Well, except for the wi-fi calling and SMS.
That's still transmitting, just through a different carrier -- if we're on wi-fi we're using whatever carrier (ISP) our host has. Comcrap for me, AT&T Uworse for my buddy.
I rarely call... I usually imessage.. not even SMS. The one guy I call on a regular basis doesn't even have a cellphone. Luddite! ;o) It's either phone, or email with him. He literally has no cellphone. The only pe
Re: (Score:2)
Ditto.
Re: (Score:2)
You are probably using iMessage and facetime. Both work fine without a carrier, but you'll be limited to apple devices on both sending and receiving.
Re: (Score:2)
"You can use a iPhone with no carrier."
You can also set one up with a prepaid carrier rather than a fixed monthly contract.
Re: (Score:2)
And, to cover any misunderstandings, if the phone has no carrier, it cannot transmit, either.
If by no carrier, you mean no nearby cell towers, I would agree.
If a phone has access to a carrier's tower, I would not be surprised to find out that it could transmit surreptitiously.
If you can make a 911 call on a phone without a sim card, I see no reason as to why a carrier couldn't track you via IMEI number. And if they can identify your IMEI, why couldn't they enable you to communicate without having a proper sim? Sure, this requires the government to be buddy-buddy with the carrier...
I read t
Re: (Score:2)
Does democracy pay as much as the alternative?
Re: (Score:2)
"And, to cover any misunderstandings, if the phone has no carrier, it cannot transmit, either."
None of these quibbles apply if you just download your iOS updates over WiFi, which you want to do in any case to avoid burning through your data cap. It's a swich right there in Settings.
Re: (Score:2)
Re: (Score:2)
I think you mean it will be less unsafe.
Clearly 'safe' is an absolute. This is a fix for a known vulnerability. ;)
You cannot be safer than safe, but you can be less unsafe than having a known vulnerability
Its almost like no one is magically 'exempt' from such issues, fancy that.
Still, at least they turned around a patch reasonably quickly. Pity they didnt do so before it was
major media news..
Re: (Score:2)
Re: Safe? (Score:4, Interesting)
Well, the fact that an ios vulnerability is newsworthy and android one is not, should tell you which is safer.
Re: (Score:1)
I guess you dont read the news much then?
Android vulnerabilities, even ones that dont actually cause any issue, are trumpeted loudly.
Want to apply your (broken) logic again? Didnt think so.
Re: Safe? (Score:3)
You are talking about android specific forums, etc. I am talking about generel non-tech media. I stand by my statement.
Re: (Score:1)
Zero-days that are used in a targetted attack, analysed. *That* is newsworthy.
Well, slashdotworthy in any case.
iOS sucks! (Score:5, Funny)
Thank god I use android where such bug fixes will never make it to my phone.
Re: (Score:1, Insightful)
Yawn. You really think that Apple, the richest company on the planet, gives two shits about a half-ass, wanna-be tech site like Slashdot?
Re: (Score:1)
You really think that $mega_software_co gives two shits about a half-ass, wanna-be tech site like Slashdot?
They have been known to do so. Why is Apple any different?
Re: (Score:2)
You really think that $mega_software_co gives two shits about a half-ass, wanna-be tech site like Slashdot?
They have been known to do so. Why is Apple any different?
Well, Apple keeps doing many things different than other companies. A lot ofanalysts and journalists keep complaining about it, yet Apple is successful either despite or because of it. Eg they don't go to any of the computer, entertainment and mobile phone trade fairs. When everybody got out of retail, they started the Apple Stores. And they don't give out Technology roadmaps.
So "Everybody else does it so $this_guy has to do it too" is a particular bad argument in the case of Apple.
Re: iOS sucks! (Score:5, Informative)
I only was once in an apple store, but it was an amazing experience.
That was in Paris close to the Louvre, I forgot my iPad charger at home, so I bought a new Charger and a canle.
While I was looking through the different chargers and picked what I wanted a lady approached me and aksed if she could help me, and I said, no I have all I want.
So she said "ah, oki, want to pay in cash or with card?" So I replied "with card", and she said: then you can pay right away here (without me needing to go to the cashier)
So she took out her iPhone 4, made a photo of my credit card, and asked a seond later: "you have this email adress?"
"Yes?"
"Do you want a bill as PDF to that eMail address?"
"Yes!"
"And this is credit card is keyed to your iTunes Account?"
"Yes?"
"Do you want to be billed via the iTunes Account?"
"Yes!"
Actually I should have asked her when she finishes working ... she was about my age but typical french, strict hair in a bunny, dark skin and hair, in a small black dress. Likely with ancestors from north africa.
Annyway, I avoided the queue at the cashier, payed where I was standing, got a 'real bill' via email ...
The shop was full with 'servants' like that, probably 30 - 40 people serving customers. In france it is typical that shops have a bit more 'clerks' or workers than in germany ... but that topped every thing I ever have seen before.
Of course there was a chill out area, with free WiFi etc. too ...
Re: (Score:2)
You can actually do all that yourself now with their App Store app on your iPhone. They'll let you walk right out without even checking your bag. Someone keeps an eye on the door and they know when you pay with the app. Can ask for a bag if you want. Pretty slick, hope more stores do that in the future.
Re: (Score:2)
And exactly none of you actually responded to my question, but served handily to reinforce my point. Thanks!
Re: (Score:3)
Never read your post. Still haven't. That could explain this.
Re: (Score:2)
I wish Apple cared about sites like this. Have you seen their Mac hardware and pro software lately? Ignoring their technical and pro users is the #1 complaint against Apple these days.
iOS users diss android for the same reasons Mac users diss Windows. A failure to understand different criteria for choosing computers. Apple doesn't need to pay people to argue online.
Re: (Score:1)
Yawn. You really think that Apple, the richest company on the planet, gives two shits about a half-ass, wanna-be tech site like Slashdot?
It's used as a marketing mouthpiece by Apple often enough...
Re: iOS sucks! (Score:5, Insightful)
Question: What kind of idiot would buy an Android-powered phone which isn't a Nexus phone?
So, what you're saying us that, kind of the supposed strengths of Android, "freedom to pick a phone from any one of several OEMs", actually cones down to "Only pick Nexus if you value Security".
Thank you for finally confirming that.
Re: iOS sucks! (Score:1)
There is often a root option but yes, one needs to be careful when selecting an Android powered device.
Some positives are choice, price, features, and styles. Proper work can net one a reasonable choice but it is truly simpler to just get an iPhone if one is unable or unwilling to secure their Android.
There need be no dispute, they are entirely different devices with varied benefits to picking either. Ideally, you will pick the one that best suits your needs.
I am not supposed to be here. I am in rehab, agai
Re: (Score:2)
Question: What kind of idiot would buy an Android-powered phone which isn't a Nexus phone?
About 99% of Android buyers. Because for various reasons Google doesn't really want to sell more Nexuses, Nexii or what ever more than one Google Nexus is called.
Re: (Score:2)
Thank god I use android where such bug fixes will never make it to my phone.
Ha!
I don't have modpoints right now and even if I had some I couldn't use 'em if I wanted to, since I've already replied..
Your post is either +1 Funny or +1 Insightful! It went *whoosh* right over everyone's heads, its seems!
Re: (Score:2, Informative)
How do you confuse lose and loose? You made a very fine comment, but undid it all with that mistake. -1
Re: (Score:2)
To Jail Break not just one iPhone but 1 million iPhones is a battle that Apple Inc. thanks to Timmy Cook has already lost.
Could you please speak English? Your comment is utterly incomprehensible.
Re: Apple Fights a Loosing Battle (Score:1)
There's typically about 1-4 million jail broken iOS devices, at any one time, depending on version of iOS (based on Cydia Store data). That represents less than 0.5 percent of active iOS devices.
This was the 5th , maybe 6th, time someone has chained a wireless, "just click on the link and you are done" jailbreak. 3 of the others were made public by Geohot, who later ended up working for Apple, and is currently working on self driving cars on his own project.
This one was a 3 exploit 0-day chain that is now b
Re: (Score:2)
Exactly how long has Apple known about these holes though. They maybe zero days to everyone else,Apple could have known about them all the time and left them open on purpose. I wouldn't trust Apple or anyone connected with Apple to tell me if I was stood up or laying down..
I'm sure that Tim Cook lies awake at night worrying about your opinion.
iOS 10 v7 (Score:2)
Re: (Score:2)
"Apples" is the new parent company. .. ...
Subsidiaries are:
"Idared" - products: I-Phone, I-PAD,
"Macintosh" - Mac products.
Technical analysis (Score:5, Funny)
https://info.lookout.com/rs/05... [lookout.com]
Re: (Score:1)
Malwares in the Windows world have been using system service names for ages. Alas, I can't remember any specific names right now, but I remember wondering about errant CPU usage and investigating the executable name and then purging it.