First crop of iPhone bugs - A chance for Apple to make a good impression

Summary: Robert Graham, writing on the Errata Security blog, details the first crop of iPhone bugs.

TOPICS: Apple, iPhone, Mobility

Robert Graham, writing on the Errata Security blog, details the first crop of iPhone bugs.

The first bug, discovered within minutes of activating the iPhone, was a Safari web browser bug, the same bug the company (Errata Security) had found in the browser earlier. The company also found that its Bluetooth fuzzer (a Bluetooth stack smasher) locked up the iPhone, and it hopes that data from this will uncover more vulnerabilities.

Another vulnerability, not mentioned in Graham's post, relates to AT&T's network in general: it is easy to access someone else's voicemail because spoofing Caller ID on the network is a trivial process.

These bugs give Apple a great opportunity to show how quickly it can respond to and patch bugs on the iPhone. As Graham writes:

The thing that interests us most, though, is that we think the iPhone is inherently more secure than competing smartphones (such as those based on Windows Mobile or Symbian). While Apple is slightly behind Windows on the desktop/server (that Samba bug still appears to be unfixed), it's still light years ahead of the mobile vendors. The mobile market is completely screwed up right now: while carriers know about the widespread vulnerabilities in their phones, the carriers are unwilling to patch them.

Apple is taking a chance. Rather than allowing carriers like at&t/Cingular to control the mobile experience, Apple is controlling the experience through iTunes. Financial analysts on Wall Street are waiting to see whether this strategy will work.

...

We think Apple will win that battle. When we activated the phone, iTunes told us it was going to look for updates on July 5, 2007. That's a good sign. We've reported a vuln in another smartphone 6 months ago that still hasn't gotten patched, mostly because that carrier doesn't want to. If Apple can push a fix for one of our bugs before this carrier fixes their bug, that might convince Wall Street that their strategy is better.

I think that Apple's decision to use iTunes as an update vehicle for the iPhone is both interesting and revolutionary. It offers a mechanism for Apple to respond to security and non-security issues quickly and for users to be able to apply patches with little effort.

However, when it comes to updates for the iPhone, Apple will have to get things right the first time and every time. Hosing someone's iPod is one thing: people become irritated, but it's not a mission-critical bit of kit. A cellphone is different.

Talkback

28 comments
  • Confusing the point.

    From your article -
    Graham quote - "...The mobile market is completely screwed up right now: while carriers know about the widespread vulnerabilities in their phones, the carriers are unwilling to patch them...."
    AND
    "...We've reported a vuln in another smartphone 6 months ago that still hasn't gotten patched, mostly because that carrier doesn't want to. If Apple can push a fix for one of our bugs before this carrier fixes their bug, that might convince Wall Street that their strategy is better."

    From Adrian -
    "I think that Apple's decision to use iTunes as an update vehicle for the iPhone is both interesting and revolutionary. It offers a mechanism for Apple to respond to security and non-security issues quickly and for users to be able to apply patches with little effort.

    However, when it comes to updates for the iPhone Apple will have to get things right first time and every time. Hosing someone's iPod is one thing. People become irritated but it's not a mission-critical bit of kit. A cellphone is different."

    Can you see the problem in logic here? The current industry standard for fixes pretty much sucks - yet if Apple does not respond immediately they have failed in the market place in your mind. Frankly from your report, if Apple merely applies what it is doing today in the computer patch field they will be miles ahead of the current cell phone industry standards and the impression you draw from that is they somehow will do nothing - like their past history indicates they do nothing.

    Personally I expect that Apple will do better because that is what I think their corporate culture would have them do. I do agree that the iTunes path for updates will be a great vehicle for free updates and new features or products that require cash money. My only thought here is that 6 months from now, when we see that Apple patched the iPhone umpteen times, that you will report that fact - and also point out that none of the other vendors have fixed their issues at all. So the score is not Apple FIXES Billions - it is Apple has fixed their issues while Nokia / LG / whatever STILL HAS BILLIONS they have not addressed.

    Might be too much to hope from here - but expect the good and hopefully we will get that from zdnet.
    Jim888
    • Nope. They must be held to higher standards

      Just as Microsoft's Vista is held under the microscope every second, and may actually be the safest OS in history, have a mounting number of Vista titles, newer GPUs coming all the time to make the experience better and better etc......any problem is magnified many times over. Meanwhile Joe's Linux may not even support any hardware w/o proprietary drivers etc. and it's not in the news.
      For Apple and the press to have hyped the iPhone far beyond the iPod or anything Apple has ever released, they must also deal with the label of being the best and what comes with that....no slack. Get used to it if you are an Apple fan.
      xuniL_z
      • Wait a few seconds here.....

        I don't recall Apple and or the press in general making a fuss about iPhone security? Maybe I'm wrong here but is that a big issue out there anyway? Now as for VISTA one has to keep in mind it's DEVELOPMENT time and the fact that during that time MS has and does make a great deal about VISTA security heck even your post pumps it up so the MICROSCOPE just might be a self inflicted wound in that case. People have expectations about VISTA based on MS's own words and the time given to develop the sort of expect after all this time and money and words that it will be.....well good.

        As for the iPhone I don't think Apple made the boast it was going to be the BEST. It's made claims that it's going to be an Apple product and advertised it as different from what is out there already but I can't recall a claim of BEST. Nor do I remember any claim regarding security and the iPhone from Apple at least...

        Pagan jim
        Laff
        • I think that Jobs

          said it'd be the best cell phone ever (more than once I suspect).

          I have no opinion on whether or not the iPhone is the best or not and I won't until the price comes down and it's available on other carriers.
          notsofast
        • my my you are sensitive.

          First of all, how do you define "magical" in terms of quality? Magical in and of itself refers to something so good, it's beyond talking specs....it's just "magical".
          And Jobs did pump the heck out of this thing at the Apple expo earlier this year. He postponed Leopard....a current major product with paying customers.....for it. Apple said others have smart phones but ours is "light years" ahead of the others.
          And all I meant was the hype and launch of this thing, by force of nature, not by MY opinion, is going to put the microscope on it. Don't you think? I wasn't saying fair or unfair. I was just saying that is the way it is.
          I don't think the microscope on Vista is fair. The liberal media has left out any story about the benefits and great code in Vista...totally...and there obviously is a ton of it.
          I would say the iPhone has gotten the royal treatment so far and they will take some hits for any problems. Get used to it dude. That's life in the fast lane.
          xuniL_z
          • Well "magical" is a word that can be interpreted by

            the listener. I took magical in the iPhone reference to describe the difference between the iPhone interface and the typical cell phone interface and the difference between what one is used to and what the iPhone gives you.

            I did not expect the ability to make coins disappear or rabbits to start popping out of the iPhone though that would be cool.....

            Pagan jim
            Laff
          • What do you take me for Jim

            Of course I didn't mean "magical" was to be taken literally. However, I do think one can apply what magic really is and make it work well with this device. It's an "illusion". What was defined as 5 years ahead of everything else is an illusion. Not so whatsoever. The only thing it has over other phones is touch technology and a bigger screen. That's it. Again, for my money, I can't browse on anything smaller than a 12" screen and even then I feel claustrophobic.
            xuniL_z
          • I myself don't think that anything selling can be 5

            years ahead because well you are selling it and therefore the technology exists. But I still think many people fail to see the ahem "magic" of the interface and that is Apple's strength like the iPod it's not the device in and of itself, nor is it what the iPod does or features of said. No it's the way it works...same for the iPhone. Mobile entertainment is very "tricky" the bigger you make a device the less mobile it becomes....plain and simple.

            Pagan jim
            Laff
          • well the iphone is built

            a little like a brick....but I'm sure it's smaller than it looks...well...it's bigger than most phones. I have an LG of 7 or 8 years age, flip phone, works great...I can call and take calls and it has always been just fine for that.
            Touch screen is not new. Microsoft has that touch technology with those table units...presumably to be used in all kinds of vertical wall screen situations etc. I can see it used with an electronic book or something too. Not sure how similar it is, but the demo of it was like, ahem, "magic".
            (They started that project before the iPhone was even announced, let alone the touch portion.)
            xuniL_z
          • So MS with all its money and resources is "slower" than

            Apple? How does that work? Well sure the iPhone with the larger screen is larger than a flip phone but where is the surprise in that? The trick is to get the correct balance of screen size and mobility not sacrifice one for the other and I would argue that a flip phone gives mobility but sacrifices screen size to get it. I can't say about the iPhone till I see one and or use one.

            Pagan jim
            Laff
          • Say what?

            When I talk of my LG, I don't care about the screen. It's plenty big enough to display missed calls, menu items, phone numbers, but it's not a video phone. It's not a music player. I don't want those things, as I've said video or the web on a tiny screen is not worth it to me. Esp. the web. You can include all the magical gesturing you want (I've only got one gesture for it, and it doesn't have to do with functionality ;) ) but you can't make a tiny screen of the web "seem" bigger, no matter how hard you try or "magic" you add, the screen is still tiny.
            Anyway, concerning MS being slower.....their R&D may have 100 projects incubating at any given time. Perhaps that is to a fault, but to compare speed to market here does not make any sense. MS R&D has so much more going on at any given time compared to Apple it's not something you compare at all. Sure they have more employees but each group is not larger than the iPhone group, for example, and with that they needed to pull all of the Leopard programmers away to make it to market.
            xuniL_z
          • You are absolutely right.

            When you hype the bejesus out of something, YOU are responsible for rising expectations! Mac boasts virus free status, but cries foul when someone plays on their bug weakness... Bug-A Day for 30 days... This damn phone has been hyped for months by Jobs as "the best phone, the best ipod, and the internet in your pocket" You have to keep plugging it into your computer. So yes, my crappy little non-connected Nokia isn't held up to the same security standards as the i-hype-phone.
            Chippolus
      • Microscope

        Vista has been labeled "the best"? I must have missed that amidst all the complaints about UAC. For the world's foremost OS to be implementing Limited user accounts in 2007? It is universally being considered long overdue, and poorly implemented. Linux is not being held to a lower standard, it's simply not competing with proprietary solutions. Comparing them is like comparing the sales of a bookstore to a library.

        Comparing Apple and Windows however is fair. Hold them to a higher standard? How about no. How about just maintain higher standards to begin with. PC users should reconsider standing by their record. The record is not good. As I've mentioned before, Apple users are open to anything to improve security, but after having 7 years of a properly implemented user account scheme, we don't accept lectures from the PC users who have not.

        The implication here is that Apple users are not "tough enough" to receive criticism. Neither are they "tough enough" to have made the choice of an endemically flawed architecture. Nor tough enough to have chosen the popular choice over the unpopular one. Nor tough enough to surround themselves with a parasitic IT economy that depends on eating ticks off a bloated architecture.

        So let's agree that sliding scales of critical judgement are simply not on. But let's also agree that you have to act on judgement or else it's of no use. Writing cheques to a single second-rate vendor over 15 years, isn't my idea of an engaged and proactive use of that magic microscope.
        Harry Bardal
        • I believe

          I said Vista is possibly the safest OS available...or something very close to that. There are statistics to back that statement and I'm not one to say Product A had a poor security record in the past, therefore they will in the future, end of discussion. No, I don't live that way.
          UAC on Vista is not perfect. Microsoft has been trying to phase in a better security model for years. The reasons it's been a slow process? One example should clear this one up. Intuit's Quickbooks, one of the leading titles on the Windows platform, did not bother to even attempt to get their product ready for Vista. Not only that, they didn't warn any customers who were buying their 2006 product, that they would not support Vista until the QB 2007 release. That example of a very large software vendor echoes the problem Microsoft faced. Vendors who were sliding by with poor code, were not willing to do the work to get ready for Vista. Why? Who knows. Maybe they assumed Microsoft would back down and allow for old poorly written code. Perhaps it was a game of chicken. I'm not an insider.
          But if you think I was judging the thickness of an "Apple user's" skin, you are mistaken. In reality I don't judge people by the computer they use. That would be a rather shallow way to judge people, wouldn't you say? In fact, the mention of it seems laughable when imagining a social gathering. "And what OS do you use sir?" "I have Windows" "Oh, get out of here you perverted capitalist!!" No, I think thickness of skin is normally measured by more measurable standards. :)
          As for your last paragraph, I'm not sure why you insist on calling Microsoft a second rate company. You know the BMW tagline, "the ultimate driving machine". I'm sure it is, and the amount of craftsmanship involved would be ideal for every product on the planet, wouldn't it. But if you live in reality, you know that is not possible. Take a highly skilled man who does construction for a living and needs something to haul the bricks and mortar and lumber around in. Would he choose the much more well crafted BMW, or maybe he'd be satisfied with a used 3/4 ton pickup truck? To him, it's of more value than the BMW could ever be. Reality holds for us our needs and demand and cost concerns drive the quality required for any given purpose. It would be nice if everyone in the world were a master craftsman and everyone could afford the best products every time, or there was some magical force that created top of the line products for poor and rich alike. But we must try to keep our perspective from leaving reality. Windows has served its purpose very well. It's not intended to run on only one set of hardware specs, which Microsoft controls, fine tunes the OS to, then locks up tight so nobody can screw with their perfect piece of electronic art. I think the most often overlooked beauty of Windows, and Linux for that matter and maybe more so, is how well it does run on such a massively wide spectrum of devices, fitting every budget from those less fortunate to the most financially endowed.
          xuniL_z
          • Cars and Computers?

            Car metaphors are not a good idea. Comparing active, multifunction, digital technology with passive single role, mechanical technology sets the wrong tone to begin with. Secondly, the whole socioeconomic thing is bunk. A "working man's" computer can just as easily be a Mac mini and this hopeless preoccupation with capital cost shows a lack of understanding that TCO and productivity are the only real metrics worth paying attention to. Third, stop backpedaling on what you said, your first post was snide and judgemental. Stop apologizing for Microsoft, and misdirecting blame. If open architecture gives you the advantages that you claim it does, take the pain with it. Microsoft has been the mastermind of open architecture and regardless who is taking advantage of the loopholes they provided, responsibility accrues to them.

            I'll agree with you in terms of what Microsoft and open architecture has been able to provide. It's been sloppy but broad. Microsoft has done this particular dirty work so Apple doesn't have to. The problem is the marketplace imbalances. In a world where software gets more powerful daily, and hardware loses relevance, you've chosen to make hardware choice primary and software choice secondary. Decrying Apple's "lock in" is laughable in the face of the platform economy you advocate. Dell, Lenovo, HP, Gateway, every greybox carnival barker you've ever run across, what's that software they "recommend". You let us know when you see fit to take a look outside the walled city to see what an open market looks like. In the meantime, like I say, Apple users are receptive to advice, but from people with a good track record, technical qualifications, and some shred of logic at their disposal.
            Harry Bardal
          • Computers and vehicles.

            I was not using cars and trucks as a metaphor, but as an analogy. They look and act nothing like computers, though most now contain software. What they do, and I think people with this idea that technology is important for technology's sake have the wrong idea. I also believe you contradict yourself by stating "active, multifunction, digital technology" cannot be compared to a "passive single role" (totally wrong btw) vehicle. But then you go on to state that TCO and productivity are the only real metrics worth paying attention to. This is contradictory since those metrics apply beautifully to a vehicle as well as a computer. TCO and productivity. However, you tend to leave out function, as though everyone's idea of productivity can be accomplished with the same computer, unlike the vehicle analogy where a truck can perform many tasks a car cannot.
            I won't go deeply into my thoughts on how vehicles are multitasking devices, suffice it to say carrying gravel and taking it to its destination is multitasking. Passive or not, the end result is always the same. Productivity.
            I won't pretend to be as dogmatic on who is to blame when people take advantage of things. But that is part of nature. I'm not sure if your home is guarded 24/7/365, has a 50 foot wide moat with piranhas and alligators and is made of gold. But my bet is someone could get in if they tried hard enough. Does the blame fall to you or the person who entered your home? In your worldview, it's your responsibility to keep him out and it all accrues to you, thus you should do the jailtime I suppose. Not sure how realistic that view is in the final analysis.
            As for the "greybox" carnival barkers statement, I'm not really sure of your meaning here? What OS do they sell? Windows and now Linux with multiple vendors. They may be VERY interested in OS X, if Apple didn't disallow it. How could you know? You can't, so your statement is totally moot.
            And you tend to be under the impression that Apple has their own ODMs and doesn't work with the same ODMs as HP, Toshiba, Dell etc. That would be false and the same company that has made MacBooks, makes HPs as well. Apple, HP, Dell....they only rebrand products that they don't make themselves you know.
            So TCO is on an even playing field. I think the ease and low cost at which you can replace parts if needed, for the non Apple resellers, is an advantage. That's my opinion. It's consistent with anything I've said.
            After that, your idea that OS X is somehow a better OS than Vista is based on what criteria? Your personal tastes? Real world TCO and productivity data? Please provide links. I want to see that as Windows users are even more so open to suggestions than Apple users. With Apple users you must word it just so or they may get offended. You must know this to be true and not just an urban myth.
            The idea that OS X gets more done for the average company, organization, agency or individual at the end of the day seems very subjective and based on pure opinion to me. I think Windows far surpasses OS X in TCO and productivity, but that's my opinion.
            However, I can say that once you've purchased your Windows machine, you don't pay another dime for OS related software until you decide to go to the next full release.
            Apple hardware vs. HP hardware....there is no real difference other than Windows users can reinstall their OS on a different machine if they find they are not happy with their current hardware. Say it overheats or the battery swells or they discover cracks they are not comfortable with, you know.
            Please tell me what you mean by the open market? As for a walled city, I live in no such place. I've had exposure to many machines and operating systems over time. I have no personal stock in Microsoft, if that is what you are implying. You are totally incorrect about me with your rush to judgement.
            I live for suggestions from a wide array of sources everyday.
            I think the walled city exists in Cupertino, CA and nowhere else. The company with purely blackbox projects, overly onerous licensing and a pompous leader who personally claims his work to be the best, and personally smears other's works in public. The sign of a real man? Your call.
            There has always been an open market. There was an unprecedented run by a company in a market, yes, but never was it closed. Tell me how Apple contributed to history during the days Microsoft was growing and Apple seemed to not care. What did they do to counter the rise of Windows? Nothing. So what should they say about it now? Right, nothing.
            xuniL_z
          • Who's sensitive?

            Mac users are so sensitive. Who's posting the miniseries? Who's getting defensive? Who's asking for links without providing any? Who likes to point out that Apple is a minor player in market share, then rant for hours on the evil Apple creeping crud which will ruin all that the Great Benevolent MS has created, unassisted, with its purely altruistic business model. Freedom from hardware is good, even if you get chained to an OS. Who's paranoid?

            Why is everyone in the 90%+ MS market share freaking out when the 5% market share Apple camp speaks out?

            Something to think about! Change computer to OS in the following quote:

            "However, you tend to leave out function, as though everyone's idea of productivity can be accomplished with the same computer, unlike the vehicle analogy where a truck can perform many tasks a car cannot."

            There are no shades of gray!!!
            MS = GOOD!
            APPLE = BAD!
            ELVIS LIVES!
            CATTLE MUTILATIONS ARE UP!

            QED!

            C'mon baby gimme somemore o' that RANT!
            pokeitwithastick
          • Wow... Still dripping with smug.

            "Decrying Apple's "lock in" is laughable in the face of the platform economy you advocate. Dell, Lenovo, HP, Gateway, every greybox carnival barker you've ever run across, what's that software they "recommend". You let us know when you see fit to take a look outside the walled city to see what an open market looks like. In the meantime, like I say, Apple users are receptive to advice, but from people with a good track record, technical qualifications, and some shred of logic at their disposal."
            I can't imagine how you can look down your nose and read at the same time. I bet it would be fun though.
            You obviously hold a lot of contempt in that pointy head for everyone who chooses "the wrong computer" and yet claim openness of mind. Your self-superior attitude does not allow anyone else to buy a computer they can actually use over an expensive smug magnet.
            Chippolus
        • Wrong..

          "For the world's foremost OS to be implementing Limited user accounts in 2007?"

          Windows NT, 2000 and XP have all had limited accounts. However, poor coding on the part of vendors made it so that you HAD to run as an admin to make use of their software - thus making those limited accounts close to useless. Intuit (Quickbooks) is quite notorious for this.

          Vista merely added a "limited administrator" account. Meaning if you want to do something that directly modifies the operating system, you must confirm that you really want to do whatever by supplying administrator credentials - even when you're logged in as an admin.

          If you're going to post something at least have the decency to get it straight beforehand.
          Wolfie2K3
          • Implementation

            I used the term implementation to qualify my points. Meanwhile, you have the decency. Limited accounts or limited administrators are as effective as they are permitted to be, through their implementation. Because this matter wasn't forced, there is, to this day, still no guarantee that a simple user setting switch to enable some piece of rogue software, won't open up the machine to all manner of problems. There are many security experts who've said Vista's false sense of security is worse than before. You have the "decency" to stand by the security record of your platform of choice and try to explain away a dismal record of malware attacks that have cost business and industry billions in lost productivity.

            I'm truly tired of this parade of apologists praising this cluster bomb for exploding early so the healing could begin sooner. What are you folks thinking? Who's to blame? Who cares. Open architecture itself is to blame. If you want to follow those bread crumbs back to the source, Bill Gates would most assuredly be standing somewhere nearby.

            This started with a snide dig at iPhone security and the "high standard" to which it will be held. So now, if all things are equal and the yardsticks for Vista and iPhone/Leopard are the same, let the experiment begin. If "playing with the big boys" is to put an unfamiliar pressure on Apple that will test the technology, then let that happen. We'll stand by our record; you'll stand by yours. We'll both stand by the result.
            Harry Bardal