O2 claims iPhone security patch will hit iTunes on Saturday, Apple stays silent
According to UK carrier O2, the SMS-based iPhone security hole that Charlie Miller unveiled at Black Hat this week should be patched by this weekend. An O2 spokesperson claimed the update would be pushed through iTunes this Saturday, the BBC reports. Apple hasn't commented yet, and it's not entirely clear that this will be an update for iPhones worldwide, but hopefully that's the case -- the security flaw certainly isn't geographically limited.
[Thanks to everyone who sent this in]
They can't admit that there is a vulnerability. It would be bad for a company which touts the vulnerabilities of their competitors (albeit a different platform: Mac vs. PC).
Yeah they can't admit it and I truly don't think they are used to this sort of thing and not staffed for it. Because in all honesty if they were staffed for it, they should be ashamed for taking this long to fix this issue that was brought to their attention weeks ago.
I disagree that they can't admit vulnerability. Admitting a mistake increases credibility of the company (i.e. "If they are honest when it makes them look bad, they are probably honest when they make their positive claims too.") Admitting a mistake and then fixing also shows you are looking out for your customers and are technically proficient.
Hiding your head in the sand and refusing to admit a mistake makes you look like a doofus.
"I disagree that they can't admit vulnerability. Admitting a mistake increases credibility of the company (i.e. "If they are honest when it makes them look bad, they are probably honest when they make their positive claims too.") Admitting a mistake and then fixing also shows you are looking out for your customers and are technically proficient.
Hiding your head in the sand and refusing to admit a mistake makes you look like a doofus."
Well, most consumers will likely never know or realize that this vulnerability existed on their phones. It's much better for them to just pretend it hasn't happened than to try and gain the attention of news organizations by issuing a press release or something along those lines.
I would have agreed that Mac is a different platform than PC if Apple had not made the move to off the shelf parts. Macs used to be exclusive Mac hardware, but now they (mostly) use standard PC parts. There is very little left for Apple to base its hardware manufacturer status/claim on.
@ Kali4:
This isn't a discussion about Macs or hardware; it's about an iPhone software security hole.
@ Everyone else:
Who knows why they haven't fixed it yet... Proper staffing may be part of it. It's just bad that they haven't patched it yet. Something like this should have been priority numero uno. Hopefully the patch will go out this weekend, or later today.
@Jeff
You're right, this is not a hardware discussion. Apple hiding behind the hardware manufacturer line just gets my dander up every once in a while. My apologies.
Insofar as the security loophole is concerned though.... If I were in their position I would not put it at priority number one either. The vulnerability only affects those who broke the code in the first place. In other words, there is nothing wrong with the original code. There is no security loophole, unless you break the original code. If they wanted to please the jailbreak community, then yeah issue the patch. But why rush it for people who caused the problem?
Don't get all riled up now, this is an honest debate where I am fishing for others' opinions to help me either modify my own, or reach a new conclusion. Thanks for the help guys.
@ Mark "Well, most consumers will likely never know or realize that this vulnerability existed on their phones. It's much better for them to just pretend it hasn't happened than to try and gain the attention of news organizations by issuing a press release or something along those lines."
If this is how Apple thinks, then they should not be producing products. They have an obligation to stand by their products and protect their customers from known harms. Just because most consumers will never know that a vulnerability existed does not mean Apple shouldn't warn us about it and do something to fix it. How would you like it if this is how the police responded to an escaped murderer in your neighborhood?
Cop #1: "Well, Charlie Manson escaped, but most people will never know or realize he's gone, so let's just ignore it."
Cop #2: "Yeah, totally. Except for the one or two people he offs and their families, no one will ever know!"
[High Five]
@ Kali4:
I didn't realize that the exploit was only for those who broke the code in the first place. If so, I agree 100%, and it doesn't need to be a big priority for Apple. But if it does affect users operating within the software license agreement (ie, a hacked iPhone gets the code and sends it to an unhacked iPhone in the address book), then it needs to be fixed.
"If this is how Apple thinks, then they should not be producing products. They have an obligation to stand by their products and protect their customers from known harms. Just because most consumers will never know that a vulnerability existed does not mean Apple shouldn't warn us about it and do something to fix it. How would you like it if this is how the police responded to an escaped murderer in your neighborhood?"
Don't get me wrong, I support their decision to do this; however, this is the most likely reason that I'm able to formulate as to why there has been no response and little done in the way of fixing this issue.
Demonstration of the vulnerability:
"Here's what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I'm talking to Miller and the next minute my phone is dead, and this time it's not AT&T's fault. After a few seconds it came back to life, but I was not able to make or receive calls until I rebooted.
My iPhone is not jailbroken and it is running iPhone OS 3.0. "
It turns out an iPhone straight out of the box is vulnerable to this.
Apple has painted themselves into a corner with their advertisements. It's like an airline company advertising for safety and getting a plane crash. That's why no airline company uses past performance for adverts. It's partly a game of chance. It's the same with computers. The security is partly a game of chance and by advertising on security any vulnerability is going to hurt more.
Now that OS X has some userbase more hackers might start to look into it. It wouldn't surprise me if Apple started to downplay OS X security in advertisements and go for some other features. Otherwise sooner or later this is going to bite Apple.
Doesn't matter if it's fixed in the most recent phones, only affects jailbroken phones, etc.
Apple should have come out with a statement by now. It's remiss in not clarifying the matter. Even if it's "Yes, there is a vulnerability, and it does affect all iPhones. We're working to fix it ASAP."
"Don't get me wrong, I support their decision to do this"
Oops. I meant that I don't support their decision not to discuss this.
If this is a serious issue then some uncharacteristic grown up behaviour from Apple would be appreciated... If there is an issue they need to admit it, and say what they are doing about it.
*This also applies to other vendors affected...
Thanks!
I'm curious if this has been patched in beta versions of 3.1?
I'm assuming yes.
We have a saying in Texas...
When you assume once you make a U, then you can't be an ass again!
My brain hurts from reading that.. crazy Texans.
I've always heard it like this:
when you assume you make an ass out of you and me (ass/u/me)
in the meantime, keep hacking
All your iPhone are belong to us.
OMGYOWTFGTFO!
If the software morons at CrApple cannot make a dedicated single tasking phone secure, just wait until they try to go multitasking.
CrApple have never been able to write OSs. They screwed the Mac OS up so bad that they finally gave up and went Unix. What a terrible admission for a computer maker to make - We can't write our own OS.
Now, I am not a Mac user; but I think Apple is the only PC manufacturer that does write its own OS. Microsoft is a software company. IBM is hardware. Sun does both, but only adapts OSs to its needs. Sony is hardware, so is Toshiba, Dell, Acer, Asus, HP, etc. Their OS has been good enough to keep the company going and their users rabidly dedicated for years. Mac OS can be said to be related to Unix, but it is also fundamentally different enough to not BE Unix. Just like Solaris, Linux, and others.
So 3.0.1 on saturday ?
This "vulnerability" isn't even a concern. It only directly affects OS 2.2.1 phones OR Jailbroken/Developer mode OS 3.0 phones. So everyone who just has their vanilla iphones are in no way affected by this.
Was I the only one that read through his presentation at www.blackhat.com?
I thought Windows mobile and Android were also at risk from the same type of exploit.
I read it, and he says:
"Our iPhone OS targets were running OS version 2.2 and 2.2.1."
No mention of even trying it on OS 3.0, or jail breaking?
Scare mongering?
@adrian
Yes but they were competent enough to patch their phones.
Demonstration to a journalist
"Here's what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I'm talking to Miller and the next minute my phone is dead, and this time it's not AT&T's fault. After a few seconds it came back to life, but I was not able to make or receive calls until I rebooted.
My iPhone is not jailbroken and it is running iPhone OS 3.0. "
3.0 is vulnerable
@Mark Anderson - uh, no. WinMo has not been patched against this.
The AP report of Apple's fix states, "Similar weaknesses were found in phones running Google Inc.'s Android and Microsoft Corp.'s Windows Mobile operating systems. The Android problem has been fixed, and Microsoft is investigating the vulnerability reported in its software." (this was on the wires yesterday)
So Android was fixed ages ago, iPhone yesterday, but MS are only "investigating" the WinMo vulnerability.
I find it interesting that, since all three platforms had vulnerabilities that were announced pre-conference, Engadget and others chose to make this an "Apple-only" story when only Android had a fix out at that point in time. Why did they not mention the WinMo vulnerability as well as the iPhone's, and why did they only slam Apple for not patching? Especially now that Apple has beat MS to the patching, it makes Engadget look biased ... *against* Apple!
Apple always rolls out any updates to all affected devices at once regardless of carrier or country.
In any case, if Apple DO roll out a security fix for this, it wouldn't surprise me if they put a fix for the current 3G/3GS unlock in there too (unless they consider that fix too risky to push)
The same vulnerability is available to most phones that use SMS. Sorry but that's the truth.
Yeah, it isn't surprising that Engadget, in their usual effort to point out every bad thing they can about the iPhone, has so far neglected to mention Win Mobile and Android phones have the exact same flaw.
Why should they point it out when the other providers actually patched their phones?
No, seriously?
That may be true, but I think the real issue here is that it was discovered on Apple's platform and that the iPhone, unlike many (non-smart) phones has an OS people are very familiar with. If you somehow pulled this off on a RAZR, or some random Nokia, I doubt it would be as effective.
Not to mention the iPhone is supremely popular. Not to say that other phones aren't, but it goes back to the prior point.
Also I think there's a shock factor when a huge (?) exploit comes from a Mac OS product, since the whole Mac and PC commercials seems to try and convey otherwise.
"Yeah, it isn't surprising that Engadget, in their usual effort to point out every bad thing they can about the iPhone, has so far neglected to mention Win Mobile and Android phones have the exact same flaw."
There are about 15 stories per day about the iPhone, with dozens more references past that. Rarely do they say anything negative. And you seriously think they go out of their way to say negative stuff about it?
Android fixed it last month, when it was reported.
@ Mark Anderson (again) WinMo has not been patched against the SMS vulnerability demonstrated at the Black Hat conference.
@ Look_Around_You - I find it hard to remember a pro-Apple article from Engadget in the last few weeks. We've seen Engadget slam Apple for this vulnerability (and not patching it), for rejecting Google Voice and only having Latitude as a web app, for not having MMS until 3.0 and still not having tethering in the US (many times), and of course that editorial devoted to explaining why the iPhone is no good in a corporate environment ("Taking the iPhone off the job market", I believe it was called.)
I believe the phrase "Rarely do they (Engadget) say anything negative (about the iPhone)" to be inaccurate - they have said many negative things about it, on many articles (including some that appear to have a pro-iPhone stance from the headline). It just is not the case that Engadget has been gushing about the iPhone - sure, to some haters it may appear that way because they will not tolerate anyone saying anything positive at all, and so a few positive remarks here and there becomes "Engadget is biased towards Apple" in their heads. But in terms of cold, hard words; no, there is no bias on Engadget towards OR against the iPhone.
Apple software director: ...And let's get rid of that Palm Pre syncing issue again while we are at it...
you know?
Great.... And while you're at it Apple, maybe you could push an update so my 3GS doesn't run so damn hot!! Also fix the shitty audio files that sound distorted!!!
Apple already released the update 3.0.1, I am updating my iPhone while I write this
This is in the USA by the way
3.0.1 is already pushed to iTunes, does it have the fix?
we'll never know cuz apple is never going to admit flaws
Thank god I have a Pre!
HA HA!
@newone
Can you provide us a link to your post..