
About the security content of iOS 10.3 - pdog
https://support.apple.com/en-us/HT207617
======
azinman2
To me this is quite depressing. The sheer amount of bounds errors and whatnot
in things like font handling, audio, images, etc. means that evil
websites/email/etc. have a strong chance of owning your device for years to
come.

Highlights the value of languages like Swift or Rust that build in bounds
checking into the language itself, preventing such attacks (as long as you
don't call any explicitly unsafe bits). I do wonder if Apple is considering
re-writing any of these core services in a safer language.

~~~
pjmlp
And it is not an unknown thing, for decades!

"A consequence of this principle is that every occurrence of every subscript
of every subscripted variable was on every occasion checked at run time
against both the upper and the lower declared bounds of the array. Many years
later we asked our customers whether they wished us to provide an option to
switch off these checks in the interests of efficiency on production runs.
Unanimously, they urged us not to--they already knew how frequently subscript
errors occur on production runs where failure to detect them could be
disastrous. I note with fear and horror that even in 1980 language designers
and users have not learned this lesson. In any respectable branch of
engineering, failure to observe such elementary precautions would have long
been against the law."

\-- C. A. R. Hoare, Turing award lecture in 1981,
[http://cacm.acm.org/magazines/1981/2/10949-the-emperors-old-clothes/pdf](http://cacm.acm.org/magazines/1981/2/10949-the-emperors-old-clothes/pdf)

> I do wonder if Apple is considering re-writing any of these core services in
> a safer language.

Apple already uses C++ for device drivers, which allows for more safety-oriented
programming than straight C.

In any case, even if it isn't fully ready today, they view Swift as a C and
Objective-C replacement in the long term.

"Fast. Swift is intended as a replacement for C-based languages (C, C++, and
Objective-C)." \-- [https://swift.org/about/](https://swift.org/about/)

"Swift is a successor to both the C and Objective-C languages." \--
[https://developer.apple.com/swift/](https://developer.apple.com/swift/)

The dock and launchd in Sierra were rewritten in Swift.

~~~
huxley
> Apple already uses C++ for device drivers, which allows for more safety-oriented
> programming than straight C

Just to qualify that a bit, IOKit uses a restricted form of C++ based on
Embedded C++

[https://en.wikipedia.org/wiki/Embedded_C%2B%2B](https://en.wikipedia.org/wiki/Embedded_C%2B%2B)

[https://developer.apple.com/library/content/documentation/De...](https://developer.apple.com/library/content/documentation/DeviceDrivers/Conceptual/WritingDeviceDriver/CPluPlusRuntime/CPlusPlusRuntime.html)

~~~
pjmlp
It still is C++ and way safer than plain C, assuming devs care to use RAII,
reference parameters, string and array wrappers with bounds checking, enums.
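
The point made twice in this subthread (azinman2's note that Swift and Rust check every subscript, and pjmlp's note that C++ array wrappers can do the same) as an added example, not code from the thread, from Apple or from any of the affected components: one toy length-prefixed record parser written three ways. The record format (one count byte followed by that many value bytes) and all input bytes are constructed for the demo and do not correspond to any real font, audio or image format.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed toy record format used for this demo (not a real file format):
//   byte 0     : count, the number of one-byte values that follow
//   bytes 1..n : the values
// A parser that trusts `count` and indexes the buffer with it is exactly the
// class of bounds error the iOS advisory lists dozens of times.

struct ParseResult {
    bool ok;
    uint32_t sum;       // sum of the values, only meaningful when ok == true
    std::string error;  // why parsing stopped, only set when ok == false
};

// Pattern 1 (plain-C style): raw subscript, no checking. On a truncated record
// this reads past the end of the buffer, which is undefined behaviour. Kept
// only for contrast; never call it with malformed input.
ParseResult parse_unchecked(const std::vector<uint8_t>& buf) {
    ParseResult r{false, 0, ""};
    const uint8_t count = buf[0];
    for (size_t i = 0; i < count; ++i) {
        r.sum += buf[1 + i];   // count is never compared against buf.size()
    }
    r.ok = true;
    return r;
}

// Pattern 2 (explicit input validation): compare the length field against the
// actual payload before touching it. This is what "addressed through improved
// input validation" means in practice.
ParseResult parse_validated(const std::vector<uint8_t>& buf) {
    ParseResult r{false, 0, ""};
    if (buf.empty()) {
        r.error = "empty input";
        return r;
    }
    const size_t count = buf[0];
    if (buf.size() - 1 < count) {          // payload shorter than count claims
        r.error = "count exceeds payload";
        return r;
    }
    for (size_t i = 0; i < count; ++i) {
        r.sum += buf[1 + i];               // safe: every index < buf.size()
    }
    r.ok = true;
    return r;
}

// Pattern 3 (bounds-checking wrapper): std::vector::at() checks every index and
// throws std::out_of_range instead of reading out of bounds, the guarantee
// Swift and Rust give for plain subscripts by default. The vector also owns
// its memory (RAII), so there is no free() to forget on the error path.
ParseResult parse_checked(const std::vector<uint8_t>& buf) {
    ParseResult r{false, 0, ""};
    try {
        const uint8_t count = buf.at(0);   // throws on empty input
        for (size_t i = 0; i < count; ++i) {
            r.sum += buf.at(1 + i);        // throws instead of over-reading
        }
        r.ok = true;
    } catch (const std::out_of_range& e) {
        r.error = std::string("truncated record: ") + e.what();
    }
    return r;
}
```

Build with `g++ -std=c++17`; compiling with `-fsanitize=address` and feeding `parse_unchecked` the truncated record `{5, 1, 2}` makes AddressSanitizer report the over-read, which is the cheap, automatable check nonsince asks about further down the thread. The validated and checked variants reject the same input cleanly and report why.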

------
Manozco
It's written that they updated LibreSSL to version 1.17.0 (in the part
HTTPProtocol) but the first version of LibreSSL is 2.0 and the last is 2.5.2
([https://www.libressl.org/releases.html](https://www.libressl.org/releases.html)).

How did they do?

~~~
randomsofr
They are referring to nghttp2's version.

------
caf
The takeaway here is that if you have a device that's so old it's not
supported for iOS 10 updates, it's a doorstop.

~~~
CalChris
iOS 10 supports the iPhone 5 which was released September 21, 2012 or about 4
1/2 years ago. If you're getting 4.5 years out of your iPhone, that's great.
Unnecessary but great.

~~~
caf
Isn't the more relevant date when they ceased sale of the iPhone 4S, which was
September 2014 (2½ years ago)?

~~~
cstejerean
No, because if you bought a 4S at that point you knew you were buying a 3 year
old device.

~~~
kobeya
I expect support periods for my device to start when I bought it from the
manufacturer, not when it happened to first go into production.

------
nonsince
Jesus, this reeks of a big company throwing programmers at a problem until it
goes away. Myriad memory corruption issues all solved with input validation.
Surely there has to be some kind of process improvements they could implement,
at the very least fuzzing and valgrind (or similar). How do you not read this
and want to rethink your strategy?

------
sdegutis
This is pretty terrifying. So many "arbitrary code execution with root
privileges" exploits! They may be fixed, but how many more are still only
known to malicious third parties?

And without even needing to install anything! "Processing maliciously crafted
web content may lead to arbitrary code execution."

~~~
walterbell
I can't recall so many (80?) security fixes in a recent iOS update. A
malicious font, audio file, image file or website can cause arbitrary
execution?! When a file parser or Safari is vulnerable, why doesn't the iOS
sandbox block device/root modifications?

What happens if your device is already infected? Does the update process
replace all OS files or could an infected device still contain malware after
upgrade to 10.3?

Are there tools or apps that can report system level logs, e.g. could iOS 10.3
detect and report if known-malicious files are present on a device?

~~~
besselheim
The sandbox does block such modification, but a useful exploit would combine
the arbitrary code execution vulnerability with a sandbox escape, using e.g.
some arbitrary read/write vulnerability in the kernel or similar.

~~~
walterbell
In that case, would the list of iOS 10.3 security fixes mention at least one
sandbox escape or kernel vulnerability? Since it does not, can we assume that
most (all?) of the listed "arbitrary code executions" would be isolated by the
iOS application sandbox?

Or should we assume that competent attackers are hoarding sandbox escapes and
thus most app vulnerabilities can be escalated to device compromise?

~~~
tptacek
No, you can't make any such assumptions from the text of the update. But you
can probably assume there's localhost sandbox escape (or kernel RCE) available
to serious attackers.

------
tambourine_man
I wasn't aware that Carbon was there in iOS.

I imagine none of the GUI stuff, but drivers and other C stuff

~~~
kalleboo
Well looking at the bug it seems like it at least is used to support loading
old TrueType fonts...

------
nathankleyn
It's extremely impressive how many of these bugs were found by Google's
Project Zero team.

