Debunk: Yes, Virginia, the iPhone libtiff exploit can also be used for mischief
We're not really certain why anyone's surprised by the iPhone libtiff exploit at this point -- it's the entire basis of the 1.1.1 jailbreak, after all -- but apparently Fast Company didn't get the memo, because it just posted up this video of "self-employed security consultant" Rik Farrow using the 'sploit to surreptitiously install a voice recorder on an unpatched 1.1.1 iPhone. That would have been huge news when the iPhone first came out, obviously (and look at that -- it was) but FC and Rik are a little late, here: the libtiff exploit has already been patched, first by the Jailbreakme 1.1.1 web-jailbreak and then by Apple in the 1.1.2 update. There's no doubt that it's a serious vulnerability -- and Rik's confidently paranoid tone in this video makes it a must-watch -- but it's funny to see people get all worked up over a patched security hole hackers have been exploiting on a variety of devices for some time now.

lol @ ipwn
Somehow I'm less afraid of a hacker wire tapping my phone than a government official with a sweeping license to kill and creep via the patriot act...
1.0.2 for life nigga!
And 1.0.2 prevent this how?
because I don't have to use att the fbi and cia favorite source for listening in on every phone convo grandma and every other self respecting person has a constitutional right to written in the United States Constitution of America to Privacy! Duh? Need I say more sheepfucker?
and to answer yes 1.0.2 matters because it was the first commercial release of iphone firmware after they announced the 200 amereuro price drop. It is significant because most third party apps worth half a shit were derived during this period also. 1.1.1 proceeded to further break functionality of these applications to patch a fictional security flaw that this farce of a story covers. i.e. some guy uploading a tiff image through wifi to your phone which is a joke in and of itself to get you stupid fucks to upgrade to a locked state.
This guy is probably hired by apple anyway.
and furthermore he has to have installed ssh on the iphone for this to work...
So this is in fact an ad from apple to get you to upgrade to apple due to the new att service where you don't even have to use t-mobile for a good plan. Is it coincidence that they just made available a -$20 for non edge data phones???
No it is not. This is a fear tactic.
Even if this Skeletor looking grey haired buffoon tried to tiff exploit my phone I'd laugh at all the shit he would record. Possibly me taking a horrible dump after a night of heavy boozing and dehydration. Maybe he would install something I can't see (which is nothing because I have access due to 1.0.2 firmware to all process running on my os at anytime)
I've made my case.
This is fear tactics to get people to upgrade and brick phones.
Steve and the rest=full FAIL
let me guess...
9/11 was planned by Bush
JFK was killed by the Cuban Mafia
The moon landings were staged
Paul is dead
There are aliens at Area 51
Did I miss any?
Oh, they're going to Iraq for liberating the people there. That's a big conspiracy
@thethirdmoose
The government puts fluoride in my drinking water!
The camera angle in the first 8 seconds of this video is incredibly unnecessary.
This whole video is unnecessary, lol.
Because Apples are perfect... duh!!!! All issues are the fault of the ignorant n00b!!!
All kidding aside, all OSes are exploitable and have weaknesses whether it is MS Windows, Apple OSX, or various flavors of *nix. Heck, "unbreakable" Oracle is a rat's nest of security issues. There are flaws in OSX but they just have not been exploited or discovered yet.
Big Microsoft security flaws make easy news since many people have at least one Windows based system in their homes and many work on a Windows based system at work. Plus the malware creators want to hit a huge number of systems at once and make an impact when they look for code virii, trojans, and worms.
The iPhone is a victim of its own success. Lots of publicity has put it on the radar of those seeking to gain from the iPhone's popularity. While the TIFF buffer overflow was used for "good," it was only a matter of time before it was used for something bad.
Before the fanboys from various sides swarm and sling their death threats, I am in charge of a network of 500+ *nix, MS Windows, and OSX Servers. There are patches to close security holes for all the above OSes along with the apps that run on top of them
Well Nilay Patel, clearly you are not an infosec person but to say the least, not everyone is updating their phones regularly, and I have just bought an iPhone yesterday and it came with 1.1.1
those eyes scream........ "tox screen"!
Wow, Engadget takes a cue from Karl Rove and puts this in their Friday night news drip as to minimize damage to Apple. You guys sure you are not on Apple's payroll?
What's up with the recording the guy made? The file he played didn't match what he was saying when he recorded it.
You guys are missing the point. Any security on a computer or device can be exploited if the hacker has physical access. That's the most basic principle of computer security. It's not whether an operating system has exploits and security holes, but whether those security holes can be exploited remotely, i.e., over an open internet connection.
With Windows, most hackers found out that yes, it was easy to hack Windows remotely for a variety of reasons, mostly because Microsoft left ports completely open and allowed every user to run as root. Windows also didn't require authentication during installing, opening itself up to mountains of malware. Internet Explorer exposed lots of users to viruses by automatically executing ActiveX plugins.
In OS X, on the other hand, you don't run as root and you need authentication to install anything on the system. And the Mail client does not execute scripts hackers send in e-mails. It has a completely different design architecture.
clak,
The Safari exploit must have happened so fast you missed it. He roots the iPhone with a web link. After that he is in total control of the iPhone, no local access is needed.
No, I didn't miss that, but he's using an exploit that has already been patched. That is the whole point of the article here. My point is, you got these Microsoft fanboys coming on here saying that because there was an exploit for the iPhone, there must be exploits for OS X. While the iPhone runs everything at root, OS X does not. They are completely different animals. And that's exactly why Apple has avoided releasing an SDK for so long. They want to get the security aspect right.
I'm not saying there aren't exploits yet to be discovered on OS X, but the harm you can do once you gain access to OS X is drastically different than the harm you can do on a swiss cheese OS like Windows XP. Most of the security faults in Windows would be nullified by throwing away the registry and incorporating a level of authentication (not Allow/Deny but full password authentication) for critical tasks. Of course, I haven't used Vista yet, so maybe some of the exploits I mentioned have been fixed, but the majority of users still use XP.
clak,
No you are simply mistaken. Once this exploit is run via libtiff or whatever the jailbreak exploit is in the latest flavor, the iPhone is rooted. That is not as bad as XP or Vista, it is worse. Even worse, the iPhone does not have any of the security infrastructure in place to prevent damage. No firewalls, no sandboxes, nothing. This is a complete and total rooting of the operating system, the security in the iPhone is more on par with windows 95, just forget about XP like security for the time being. The guy covers it in very fine detail on his metasploit blog.
First of all, the point I have been trying to make is that security problems on the iPhone do not necessarily indicate security problems on OS X, as the MS fanboys immediately try to suggest whenever a story like this appears. OS X has had an open development platform for a while now. The iPhone has not. While I've already acknowledged that the iPhone runs at root, you're mistaken in claiming that the iPhone doesn't have a firewall or isn't sandboxed. No report I have seen backs up that statement (if I am wrong, provide your sources for that assertion).
While it is certainly possible, I personally believe there is no firewall simply because the iPhone has a closed environment, which is incidentally the same reason it runs as root. When the SDK comes out and the iPhone is officially open, that is likely to change. In fact, mark my words, application signing and permission levels will be some of the first features implemented in the SDK.
The misinformation campaign of Apple and its fanboys never stops. Are you comparing Windows 98 with OSX? Besides, application signing originated from Windows.
What? A hacker who gets physical access to my iPhone can do damage to it? Say it ain't so!
I believe an idiot with a hammer can also do damage if he has physical access to it, and he'll do it in a lot less steps than this crazy lookin' coot demonstrates.
Clak,
If you had minimally informed yourself about iPhone security you would know it does not have a firewall. Since you seem ignorant of that basic fact, I am forced to dismiss everything else you say. The simple fact of the matter is, the iPhone would not be threatened right now (this exploit would not work) if Apple had taken basic security precautions into consideration when designing the iPhone, and included a firewall. Considering how badly the security on the iPhone is botched (and it is) I think you need to re-evaluate Apple's security in general.
For example, Apple's recent release of Leopard has some basic security issues with their firewall! Well Duh, without a firewall OSX is vulnerable. Just accept that. Because also included in the last round of patches were privilege level escalation fixes. Which means leopard computers were not exploited only because no one tried.
Is OSX now the lowest hanging fruit? I honestly do not know. However given the lack of hubris on Apple users and Apple itself on this matter I will rue the day it does become the lowest hanging fruit.
It is basically apparent that Apple has managed this exploit news to be released on Friday evening to minimize the impact on their stock. As a self professed OSX security researcher, your hair should be on fire. Apple should be dealing with these issues up front and out in the open. They are not.
Get ready! Because it is comin.
Has anyone noticed that GregA finally posted this reply to a comment I made 11 hours ago?
You guys are missing the point. Any security on a computer or device can be exploited if the hacker has physical access. That's the most basic principle of computer security. It's not whether an operating system has exploits and security holes, but whether those security holes can be exploited remotely, i.e., over an open internet connection.
With Windows, most hackers found out that yes, it was easy to hack Windows remotely for a variety of reasons, mostly because Microsoft left ports completely open and allowed every user to run as root. Windows also didn't require authentication during installing, opening itself up to mountains of malware. Internet Explorer exposed lots of users to viruses by automatically executing ActiveX plugins.
In OS X, on the other hand, you don't run as root and you need authentication to install anything on the system. And the Mail client does not execute scripts hackers send in e-mails. It has a completely different design architecture.
I didn't want to resort to personal attacks, but some of you Windows fanboys are absolute morons. It is a common delusion among fanboys that Microsoft invented everything in existence. Code signing was invented by Verisign, a concept which was heavily encoded into Windows XP for all the reasons I've been talking about. Microsoft has always stunk at security. In fact, Windows Mobile didn't even have code-signing until Microsoft enlisted the help of GeoTrust, a company which, incidentally, was later bought out by Verisign.
At any rate, why are you deflecting to a false premise that has nothing whatsoever to do with what I've been discussing? Who cares who invented it?
And let me ask you a question, Jim: there are millions of Microsoft clones just like you who hate Apple users with a passion and yet not one of you guys have hacked OS X. Why not? Yeah, yeah, I know the old argument about market share and the whole security through obscurity myth, but you would think that at least one hacker would hack into OS X or write a virus for OS X, just to be able to say "I'm s0 1337 taht i pwn ur @ss n00bs!"
The simple fact that it hasn't happened makes me believe that many have tried and failed.
If OSX is truly so secure as you claimed, why does it start to have code signing, a concept first implemented in Windows? The point is, OS exploits do so through poorly implemented third-party applications executed with root privilege. In that sense, OSX is not more or less secure than Vista.
Jim, you got owned... and I don't even own a mac
I'm pretty much for both of them, Microsoft because the market and everything has shifted in their direction... also I love macs not only for style, but being so damn stable. Woot for both!?
I have to admit, I love the iPhone, Leopard, hell even OS10... yet I don't own either one
I like being able to slowly upgrade my PC part by part, I hate the feeling of buying one system and pretty much only being able to upgrade the hdd and ram (I hope I'm wrong, that that's all you can upgrade)
Cormin, I understand. I have to admit Steve Jobs is truly a marketing genius. He should have been in those late night TV infomercials instead of wasting his life in Apple, being seen by the public only a few times a year.
I must of rattled you, Jim, because now you're just blurting out nonsense. You're questioning why Apple incorporates good security design into their operating system, rather than the way Microsoft does it, which always an afterthought?
Unlike XP, Mac users didn't have to wait for to Service Packs for Apple to get it right. And I don't know if you read my last comment, but Microsoft DID NOT invent code signing. Variants of code signing have existed since the seventies and you would have to understand OS X's Unix heritage to fully grasp the subtleties, but something tells me you're not the type of guy that would fully understand, so you'll just have to trust me. LOL.
If you have ever used Vista once (assuming you are smart enough to use it that is), you wouldn't be blurting out such nonsense that OSX (or Linux, Unix whatever) is more secure than Windows.
Crap, I'm so sleepy that I can't even write straight. Should have read:
I must of rattled you, Jim, because now you're just blurting out nonsense. You're questioning why Apple incorporates good security design into their operating system, rather than the way Microsoft does it, which (is) always an afterthought?
Unlike XP, Mac users didn't have to wait for (2) Service Packs for Apple to get it right. And I don't know if you read my last comment, but Microsoft DID NOT invent code signing. Variants of code signing have existed since the seventies and you would have to understand OS X's Unix heritage to fully grasp the subtleties, but something tells me you're not the type of guy that would fully understand, so you'll just have to trust me. LOL.
Clak,
The firewall did not work on the release version of leopard. Your quality assurance assumptions are way off base.
Dudes, chill out. It seems that every time Microsoft or Apple get mentioned, the comments degenerate into a war between the two bases, and it's really starting to get old. It would be nice to come into an article about Microsoft/Apple and see comments about the article and what is in it, rather than people bickering about which is better/worse/more secure/etc.
Just my $0.02 worth.
You chill out. This is exactly why we have a comment section, so that people can discuss, real civil like, the intricacies of their favorite computers. I got out of hand a bit, because I abhor ignorance, but I think I've made my point regardless, but thanks for your concern.
I'm sure none of what I just said will make any sense tomorrow morning. I'm tired. Mostly of fanboys. But I'm really, really tired.
Dear Engadget, I say we make a post only for Microsoft vs. Apple wars...
"Ladies and Gentlemen, Let's get ready to rumble!"
There needs to be a spot for this, it happens a lot.
wouldnt happen if engadget asked for it. it has to be in a post with a tiny reference to either os "iphone libtiff exploit...hmmm...the iphone runs mac! lets troll away into the night!" or something like that
mac pwns at most things. the only reason people use windows is because they either a)think they need to or b)play video games or have a task that truly cant be done in mac
i own a 24" imac and it hurts to use windows when i have to. in my opinion there are no "windows fanboys", or at least not very many, there are only those who need it and loathe it and those who know no better. oh and trolls of course. damned trolls. how did they ever figure how to get on engadget?
As for code signing, who is the copycat? And Apple is constantly saying others are copying?
Jim, you're just digging a bigger hole for yourself when you keep suggesting that Microsoft invented code signing. Next thing you know, you'll claim that Microsoft invented the longer lasting light bulb.
I am saying, Windows first brought code signing to OS level as a security feature. Cannot you apple fans even read, for god's sake!
Oh Geez! Okay, Jim, whatever. Microsoft invented computers, the internet, softcore porn, and Gary Coleman. I would ask you for a source, but why bother. Good night all.
I tried to go to sleep, but I just couldn't let it stand. I finally understand what has been lost in translation. You're under the impression, Jim, that Apple stole code signing from Windows. What I have been TRYING to get across to you is that Apple inherited a variant of code signing (look up something called cryptographic hash function) when they decided to incorporate Unix (actually NeXT Step, but let's not split hairs), a 38 year old operating system that is very secure and stable.
OS X has always had good security from the ground up. If you look at Microsoft's history, they really didn't get serious about security until 2003, which is the year Service Pack 2 was released.
Okay? Got that? Good. Pleasant dreams.
Cryptographic hash is not invented by anybody (just like multi-touch which Apple claims they invented). The idea came from many years of academic research in computer science and mathematics. But just like I recognize Apple brought multi-touch to the public, you should also recognize what Windows did to code signing. Otherwise why OSX is just starting to have it now when the basic functionality has been in the code that OSX is based on for so many years?
OK now we are on the same page. Pre-Vista Windows is indeed less secure. But Apple conveniently ignores the fact that Vista is now as secure as an OS can be and constantly resorts to smear campaign (the one and only tech company that uses this tactic), which sickens me.
No, I don't think we're on the same page. You keep saying that Microsoft popularized code signing, when I'm saying that Apple had code signing from the very beginning and for many years BEFORE Microsoft implemented it into Windows. That is one reason (there are many others) why malware and adware has never become an issue with Macs. When Microsoft finally decided to use code signing, they didn't develop it in-house, they simply used a method that was already commercially available on the market.
NeXT, the company that Steve Jobs started when he left Apple, developed an operating system called NeXTstep, which was based on BSD (Berkeley Software Distribution) Unix. Apple bought out NeXT in 1996 and Jobs returned as CEO. During the intervening years, Jobs used NeXTstep as the foundation for OS X, which Apple finally released in 2001 (months before XP, I might add), although the very first version, Mac OS X Server 1.0, was released in 1999.
So code signing on Windows and code signing in OS X, have absolutely nothing to do with each other. And by all accounts, Steve Jobs had incorporated Unix security technology into the operating system that would become OS X a full decade before Microsoft released XP (in 1989).
I also would like to add that the World Wide Web, the hypertext markup language that popularized the internet, was developed on a NeXT computer by Tim Berners-Lee. I just wanted to mention that in case you were under the delusion that Microsoft had something to do with starting the internet revolution.
That's one of the reasons I admire Steve Jobs. He single handedly created the personal computer revolution, he revolutionized computer animation with Pixar and he indirectly created the internet revolution, while all Microsoft has done, is copy his innovations. Now with the iPhone, he's set to revolutionize the cell phone market as well.
It also seems to me, Jim, that you're confusing basic distributed code signing with application signing, which is fundamentally different. By all indications, Apple is going to use the application signing popularized by Nokia, which involves certificates being issued by a certification authority, which verifies that the application in question has been tested against a commonly accepted test criteria and then certified. The distribution of such a system will no doubt be handled exclusively by iTunes, which will completely nullify attempts to execute code on the iPhone through other means, such as over an open internet connection.
The code signing you're probably referring to would have more in common with authenticode technology that Microsoft has been using in Internet Explorer since version 5 (1999).
GregA wrote, "It is basically apparent that Apple has managed this exploit news to be released on Friday evening to minimize the impact on their stock"
Clak mentioned it several times as did Engadget. This is NOT new info. Apple did not convince anyone to delay releasing this "news" until a Friday. The hackers exploited this weakness in the iPhone well over a month ago, maybe two.
The chickening,
Physical access to your iPhone is not needed. The hacker only needs you to click on a link with a well designed payload.
You seem to be talking about trojans. The guy in the video uses an EXPLOIT to gain access to an iPhone that hasn't been updated with the latest firmware.
It is apparent that you don't know what you are talking about. Go read his blog. He uses the Safari Exploit to install the root kit. After that, it is over, the iPhone is pwned. If the iPhone had even minimal security measures in place, like a firewall, the attack would be stopped right there. However, the iPhone has no security counter measures in place. None.
I didn't realize how fast and furious the exploits for Safari and OS X were hitting when I started researching this story, but it is over man. Let it go, OS X (and the iPhone) is going to have a rough year. The patch that came out Wednesday is proof of this.
My suggestion is, unplug your computer until it is over and Apple gets their ducks in a row.
That this particular exploit is patched is totally irrelevant, the jail break code released hours after this was patched makes it vulnerable again.
Oh, I should run and hide the same way Windows users run and hide from those 60,000 known viruses for Windows? Whatever, dude.
You obviously haven't been reading what I've been writing about for the past 12 hours. OS X security has nothing to do with iPhone security, which runs in a closed environment at root. OS X does not run at root and has several security features, because OS X has been an open environment since it was released in 2001.
You can keep hoping, but it's not going to happen, brother. Meet me back here in a year and I guarantee you'll be eating those words.
clak,
You can't guarantee squat, because you are already wrong. You don't even know what a privilege level escalation exploit is, and assume OS X is safe from them. (hint there were a bunch of them fixed in the patch on Wednesday)
And this does reflect upon OS X security, for example I would have never known about the failure of OS X's firewall in the shipping version of Leopard, if not for this hack.
And believe me, I am not sticking my head in the sand with regards to Windows failings, that's why I pwned you in this argument. I minimally knew what I was talking about when you did not.
The whole point in a privilege level escalation exploit is that you have to have root access to do serious damage. You don't run as root as an Administrator in OS X. You have to authenticate to get to that level. I haven't watched it again, but where in this video does the guy say anything about OS X security?
Also, do you have a specific example of a user that has been hacked because of Leopard's firewall? If you do, please link to it. I would really be interested in reading it. Most of the hype surrounding the firewall issue with Leopard was related to the way Apple classified the option to "Block All Incoming Transmissions," instead of "Allow Only Essential Services," which refers to sandboxed applications running at root. Despite the media hype, no user was ever in any danger.
There was also lots of hype surrounding the fact that the firewall was turned off by default, although this was not news to any users who previously upgraded to Tiger, which featured the same default. Turning it back involved a one-click option. Although, even at the default setting, there is really no reason for most users to worry, because as I've stated previously, no user runs at root.
And I'll present the same question to you that I presented to a Microsoft user earlier: there are millions of Microsoft fanboys who hate Apple users with a passion and yet not one of you guys have hacked OS X. Why not? You would have thought that at least one of you clueless morons, even a glorified script kiddie, would have hacked OS X at least once, just for the bragging rights. The simple fact that you're just predicting attacks in the future, instead of citing examples of OS X attacks in its six year history, tells me all I need to know about the security in OS X.
clak,
You lose again. You can't complain about third party hyperbole when talking about Apple. You... Just... Can't...
ok mr grega, lets say you have an iphone. if i was to get a mallet and hit your iphone with it really really hard, it would break. if i watched you type your password on your iphone and then nicked it and typed it in, i would have access to it.
this is more of a reply to your previous posts but seriously. the iphone is a phone. easy to hack
and as for mac i dont believe in the whole macs will get hacks thing i agree with clak on this one. it wont forever be virgin to viruses, but osx is one tough cookie compared to windows.
I lose again, huh, despite the fact that you haven't backed up any of your bonehead assertions with actual evidence? Perhaps if you say it enough times it will really be true! And who said anything about third parties? I'm asking YOU directly to back up your bold statements. Or is this a less-than-graceful attempt to stall me as you run over to Google to find at least one user who's been touched by a virus on OS X?
I'll be waiting when you get back.
stfu man you talk too much
"Back in my day, the Commies..."
"Shut up Grandpa, go take your medicine"
Well I will just assume you concede defeat with all the name calling. And actually, there is a significant ongoing virus threat occurring to OS X right now, but you won't agree that a Trojan horse that installs a root kit represents a threat.
Pwned again... getting boring unless you have anything new?
Let's see you spammed this forum first with the idea that the exploit needed to be executed locally, I smacked you down.
Then you claimed that this exploit is patched so no need to worry, and smacked you down again.
Then you claimed the non existent iPhone firewall would defend against threats like this...
Then you claimed there were no viruses for OS X. To which you have only proved you will disagree to security researchers what a virus is. Say where did you get your PhD?
Then you complain about hyperbole, while discussing an Apple product...
Lol, you are like that guy from the Chumbawamba song. "I, get, knocked down, but I get up again!" Dude you are getting your butt whupped!! Stay down!
I love how you add stuff later, disrupting the flow of the argument, as you've done GregA.
Wrong again, I started discussing security in this forum LAST NIGHT (Don't think I didn't notice that you added comments this morning at 10:03 AM to make yourself look better) because several people made insinuations that an already patched exploit discovered on the iPhone somehow correlated to security exploits on OS X. Some of you morons also seem to think local access hacks (like those used to unlock the iPhone) have the same threat level as remotely executed hacks.
I was able to clarify that a closed software environment running root (like the iPhone) has nothing to do with an open environment with restricted Administrator privileges (like with OS X). I also brought out the fact that no security expert has been able to prove that the iPhone does not have a firewall, because as you fanboys are so quick to point out, the iPhone is a closed environment. I also pointed out that if there is indeed no firewall, one will almost certainly be included with the SDK, because at that point, the iPhone will be officially "open."
So I don't see how you "pwned" me, when your every argument hinges on viruses that haven't been written and on exploits that have already been patched on the iPhone and for exploits that don't even exist in OS X.
And the question isn't whether I have something new, it's whether you have anything at all. I'm still waiting for the evidence that backs up your bonehead statements.
Hello all,
fast company here. clak and gregA, i won't pretend to understand half of what you're saying, but it's a blast watching you kill each other. a couple quick points: we weren't posting this bec it was news to geeks that the iphone (and as Farrow says, pretty much any other smartphone) is hackable--we did it because it's news to rank and file users, and a video (even a pretty brutal coding seminar of a video) brings that home in a way a blog post or story cannot. Second, Farrow did NOT need physical access to the phone. the only reason the phone was in the same place as he was was because he did the whole thing himself and the man only has two hands and two legs. it could easily have been down the hall in the pocket of a third party. finally, we made this before the new patch was issued. we knew one was coming, but not when, so we went ahead--i have a sneaking suspicion it wouldn't take too long to reproduce this experiment with the patch in place. but again, i'm no hacker. that said, i'd be happy to sponsor the effort!
you guys make me think i should put you up on stage (in a steel cage?) and slug this out in front of a live audience. thanks!
Will Bourne
Executive Editor
Fast Company
I'm sorry if I got out of hand, but when people start suggesting that OS X is not secure because an exploit or a hack has been created either to unlock or install applications on the iPhone, I have to speak up, because that's exactly the sort of ignorance holding back innovative companies like Apple.
And I understand that Farrow hacked the iPhone remotely, but you can't equate that to the vast majority of the hacks that people have engineered by having local access to the iPhone itself. It just doesn't work that way.
I think it's also hypocritical for people to criticize Apple for keeping the phone closed, when Steve Jobs has been saying all along that the reason the phone is closed is for security reasons. You can't have it both ways. Anyway, thanks for calming the tone, Will. I appreciate it.
I get knocked down
But I get up again
You're never going to keep me down
Pissing the night away
Pissing the night away
He drinks a whisky drink
He drinks a vodka drink
He drinks a lager drink
He drinks a cider drink
He sings the songs that remind him
Of the good times
He sings the songs that remind him
Of the better times
Don't cry for me
Next door neighbour
I get knocked down
But I get up again
You're never going to keep me down
GregA is the epitome of a vacuous fanboy. He can't support his argument so he resorts to insults, leet speak and now, singing!
GregA, I've just read through it all and as a Windows user myself, I'd say you haven't "pwned" anything or anyone. Back up your comments with some factual points or data to gain some respect from the non-fanboy population.
Apparently you missed the post by Will Bourne. No local access needed, check. Probably easy to reproduce, check. Farrow installed and accessed ssh remotely on an iphone by "tricking" a user to click on a link, check.
That part of the argument, I am the definitive winner. QED.
Clak went on to claim that there were no viruses on OS X. However, there is a very serious virus in the wild for OS X right now. I am not going to post a link to it, because Clak (and probably you as well) will disagree that a Trojan horse that exploits a quick time vulnerability and installs a fake dns server on the local computer is a threat...
Clak then continues to insist that the OS X firewall offers protection, even though said Trojan horse virus exploits deficiencies in the OS X firewall to phone home.
Clak then resorts to name calling, petty insults and semantics to somehow deduce that all the facts are irrelevant. Which is my cue to declare victory and do a little victory dance while singing Tubthumper, because you know internet flame wars have such a rich history of the loser admitting defeat, LOL.
Got it yet? Pwned... But only because as it turns out I am actually leet.
But this is now VERY boring because nothing new has been said for like 10 posts.
GregA is still promoting baseless FUD. You are right in assuming that I wouldn't equate this trojan to a virus.
Look up "computer virus" on Wikipedia (http://en.wikipedia.org/wiki/Computer_virus) and you'll find this:
"A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. However, the term "virus" is commonly used, albeit erroneously, to refer to many different types of malware programs."
The trojan you are referring to, UltraCodec 1237, first has to be downloaded by a Mac user from a porn site. Now in the current version of Leopard, there is a new tagging feature to track this type of malware. I'll reproduce the feature directly from Apple's web site here:
(http://www.apple.com/macosx/features/300.html)
"Tagging Downloaded Applications
Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from."
Okay, so getting back to this so-called virus (trojan) that GregA is talking about, first the user has to download and click through a warning built into Leopard, which allows the user to see the source of the aforementioned trojan. But there's another layer of security. Before you actually install any application in OS X, you have to type in your Administration password, at which point you're infected.
Now if you go back to the definition of a virus, the first criterion is that a virus "copy itself and infect a computer without permission or knowledge of the user." So the UltraCodec trojan doesn't meet the first criterion, since user interaction is necessary for it to be useful. Getting infected with this virus would be tantamount to a person who pays for a state of the art security system and installs dead bolts into his home, only to give out his keys and the password to his security system to the first shady-looking character on the street. That doesn't mean his house (or in this case, OS X) is any less secure.
The second criterion of a virus is that it copies itself. From every source I've read about this virus, the UltraCodec is a phishing trojan, which simply redirects your web traffic. It is not, however, malicious in the sense that it can propagate, spreading itself to other machines.
If you trust Wikipedia (I'm citing Wikipedia because I doubt the majority of readers are going to go out and purchase the myriad security manuals I could cite here), the second criterion is that a virus copies itself. From every source I've read about this virus, the UltraCodec is a phishing trojan, which simply redirects your browser.
The definition of a trojan, according to Wikipedia:
"In the context of computing and software, a Trojan horse, or simply trojan, is a piece of software which appears to perform a certain action, but in fact, performs another. Contrary to popular belief, this action, usually encoded in a hidden payload, may or may not be acutely malicious, but Trojan horses are notorious today for their use in the installation of backdoor programs. Simply put, a Trojan horse is not a computer virus."
For more in-depth information about this trojan, you can also go and read Carl Howe's blog, who sums up all these issues rather nicely, in a plain, easy to understand diction.
http://blackfriarsinc.com/blog/2007/11/mac-os-x-malware-myth-continues-and-no
Damn phony idiot...
Metasploit is not used by security experts. It is used by script kiddies.
You do not have to be an expert in order to use Metasploit. The fact that the hack is even inside Metasploit shows how old it is - it takes time for the real hackers to add exploits into Metasploit, and by that time the exploit is almost always already patched (even by Microsoft). Script kiddies use it to hack into unpatched machines, which are far too common, to be then called by the ignorant media "hackers"...
I guess he is self employed since no decent security company will hire such a buffoon...
"I hope Steve Jobs never makes another revolutionary product, just to spite you idiots. He taps water from a rock and everyone wants wine!" http://www.blogsmith.com/profile/1336179/page/3/
blasphemy.. equating jobs as moses.. to think i almost believed in you..
Well, at least some Mac users have a sense of humor. Since so many people have been referring to the iPhone as the "Jesus Phone," seems to me that a biblical reference would be appropriate. Of course, you're probably the first person to make the connection.
And to think, I had given up on the intelligence of the blog reading public!
What has been overlooked here (and mentioned only in passing in the video) is that this exploit requires SSH in order to be of any use, and SSH has to be installed and configured on the iPhone BY THE USER.
This isn't meant to belittle the seriousness of this exploit (because it is -- or was -- a serious exploit), but even with a compromised iPhone an attacker cannot gain access if the owner hasn't first installed SSH, or some other application that will allow remote access. I have a feeling that your rank-and-file iPhone users won't be up late figuring out how to install SSH onto it.
Note how Fast Company's sign up page ends with:
'); else document.write('');
rendered visibly on the HTML page. OK, no biggie, but it doesn't make them look particularly professional...