
A major iOS/OS X vulnerability comparable to Android Stagefright - willlll
http://www.forbes.com/sites/thomasbrewster/2016/07/19/apple-iphone-ios-9-vulnerabilities-like-stagefright/#6695b1f33947
======
nhm
If you're allergic to Forbes, I wrote a short summary on my company blog:
[https://thisdata.com/blog/bug-in-apple-products-allows-password-stealing-update-now/](https://thisdata.com/blog/bug-in-apple-products-allows-password-stealing-update-now/)

Tyler Bohan's original disclosure writeup (with some technical details) is
here:
[http://www.talosintelligence.com/reports/TALOS-2016-0171/](http://www.talosintelligence.com/reports/TALOS-2016-0171/)

~~~
mrmondo
Thanks, yes an invalid certificate then a paywall / adwall tends to put me
off.

~~~
w-ll
Cert wasn't invalid for me, just adblock-blockers.

------
comex
Just for context: almost every update fixes multiple code execution
vulnerabilities in WebKit, and browsers are usually much easier and more
reliable to exploit than most things due to the JavaScript VM. This bug is
arguably more scary than those because it only requires the ability to send
someone an image, not an HTML page, but then again, it's not generally hard to
get someone to click on your link (think fake URL shortener), and while
perhaps this bug is powerful enough to be exploited reliably (100%
success/non-crash rate across all unpatched Apple OSes that might receive the
message), if it isn't, that would make it considerably less stealthy in
practice. (On a webpage you can see the target device and version before even
starting the attack.) I don't think it's really worth freaking out much over,
unless you're new to the realization that most modern Internet-connected
devices are hellishly insecure. :) Though of course you should patch as soon
as possible; critically, unlike with Stagefright, all modern iOS devices can,
and will be prompted to, install the update.

~~~
mevile
> This bug is arguably more scary than those because it only requires the
> ability to send someone an image...

I remember one of the jailbreaks was loading a PNG way back when. This
happened before.

~~~
frankzinger
FYI, the guy you're replying to jailbroke iOS in 2007 by exploiting a flaw in
Safari's TIFF parser:
[https://en.wikipedia.org/wiki/JailbreakMe](https://en.wikipedia.org/wiki/JailbreakMe)

~~~
coldtea
Don't you just love HN?

------
mrmondo
FYI, the major part of this is actually a vulnerability in the upstream
libxml2 library which is an XML C parser maintained by the GNOME project.

The library itself is widely used across various operating systems and
software so this is a reminder to please make sure you keep both your OS and
your applications up to date. [http://xmlsoft.org](http://xmlsoft.org)

~~~
swiley
Honestly not surprising that the problem came from the gnome project.

~~~
fucking_tragedy
Why?

------
therealmarv
Getting so annoyed by forbes.com welcome message. I don't understand why they
stick to it.

~~~
newman314
This.

Plus "prise" not "prize". I see an increasing number of articles where the
writers appear to just use what they think is right. Just yesterday, "tow the
line". _facepalm_

~~~
drauh
OED lists "prize" as common US spelling. [0]

[0] [http://www.oed.com/view/Entry/151652?rskey=W7yb3q&result=6#eid](http://www.oed.com/view/Entry/151652?rskey=W7yb3q&result=6#eid)

~~~
scintill76
Maybe it's just me, but I think "pry" is much more common to Americans.

~~~
hyperpape
You are correct. Prize is a word in American English, but not one that makes
sense in context.

------
deanclatworthy
From the article:

> The bugs uncovered by Bohan work across all widely-used Apple operating
> systems, however, including Mac OS X, tvOS and watchOS. Indeed, Bohan noted
> that Mac OS X doesn’t have sandboxing, giving an attacker remote access to
> the PC with the victim’s passwords. That potentially makes it a more severe
> threat to owners of Apple’s PCs, as a simple email could prize Macs open.

Sounds like it could be pretty bad.

~~~
Someone
Doesn't _have_ sandboxing? It may not be used much, but there is
[https://developer.apple.com/library/mac/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html](https://developer.apple.com/library/mac/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html),
and Mail.app, FaceTime, quicklook plug-ins and Safari use it, for example to
sandbox its PDF parser and (if still present) Flash player
([http://www.apple.com/osx/what-is/security/](http://www.apple.com/osx/what-is/security/))

~~~
deanclatworthy
Yep. The main reason I thought this was worth mentioning though was the
original title of the article singled out iOS :)

------
tedunangst
Why is iOS storing wifi passwords in the iMessage process? (Somebody please
translate the article from Forbes to reality for me.)

~~~
zarriak
If you go down to the bottom of the article they actually provide the link to
the Apple Update page[1]. The actual vulnerability report page [2]. They also
have a zeroday report for LibTiff so I guess they found something similar in
the library.

[1]: [https://support.apple.com/en-us/HT206902](https://support.apple.com/en-us/HT206902)

[2]: [http://www.talosintelligence.com/reports/TALOS-2016-0171/](http://www.talosintelligence.com/reports/TALOS-2016-0171/)

~~~
tedunangst
There's the links I was looking for. "Investigating further we see RAX is
pointing to the very end of a heap block yet there is still a lot of data to
be written as RDX (counter) is still 0xFE." Why can't Forbes write in such
plain English?
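
The Talos sentence quoted above describes the generic shape of a heap overflow in an image parser: the destination pointer has reached the end of its allocation while a file-supplied element counter still says many more elements are to be written. The C below is an added illustration of that shape, not code from the Talos report, from Apple's ImageIO, or from any poster in this thread. It constructs a minimal TIFF-style directory entry (tag, type, count, offset) whose `count` is 0xFE, a destination block whose capacity was derived from a different header field, and shows the unchecked copy running off the end of the block next to a checked copy that validates the count against the destination first. The names (`ifd_entry_t`, `strip_buf_t`, `demo_*`), the 64-byte declared capacity and the 0x41-filled sample file are all assumptions made for the demo; the canary region after the block stands in for whatever neighbouring heap data a real overrun would clobber, and is deliberately large enough that the demo overrun stays inside one allocation and never triggers undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed TIFF-style IFD entry: tag, data type, element count, data
 * offset.  The layout is only what this demo needs, not ImageIO's. */
typedef struct {
    uint16_t tag;
    uint16_t type;     /* TIFF type codes: 1 = BYTE (1 byte), 3 = SHORT (2 bytes) */
    uint32_t count;    /* attacker-controlled: read straight from the file */
    uint32_t offset;   /* where the element data starts in the file */
} ifd_entry_t;

#define SLACK        256   /* canary bytes after the block; absorbs the demo overrun in-bounds */
#define CANARY_BYTE  0xA5
#define FILE_LEN     512
#define DECLARED_CAP 64    /* capacity taken from a *different* header field than count */

/* A heap "block" the parser believes is cap bytes long, followed by a canary. */
typedef struct {
    uint8_t *base;
    size_t   cap;
} strip_buf_t;

static strip_buf_t strip_alloc(size_t cap) {
    strip_buf_t b;
    b.base = calloc(1, cap + SLACK);
    b.cap = cap;
    memset(b.base + cap, CANARY_BYTE, SLACK);
    return b;
}

/* Number of canary bytes overwritten: 0 means the copy stayed inside cap. */
static size_t strip_bytes_clobbered(const strip_buf_t *b) {
    size_t n = 0;
    for (size_t i = 0; i < SLACK; i++)
        if (b->base[b->cap + i] != CANARY_BYTE) n++;
    return n;
}

static void strip_free(strip_buf_t *b) { free(b->base); b->base = NULL; }

static size_t elem_size(uint16_t type) { return type == 3 ? 2 : 1; }

/* Vulnerable pattern: only the *source* range is checked; the destination
 * capacity is never compared with count.  Returns bytes written. */
static size_t copy_entry_unchecked(strip_buf_t *dst, const ifd_entry_t *e,
                                   const uint8_t *file, size_t file_len) {
    size_t n = (size_t)e->count * elem_size(e->type);
    if ((size_t)e->offset + n > file_len) return 0;
    memcpy(dst->base, file + e->offset, n);      /* runs past dst->cap when count lies */
    return n;
}

/* Hardened: validate the multiplication, the destination capacity and the
 * source range before touching memory.  Returns 0 on success, -1 on reject. */
static int copy_entry_checked(strip_buf_t *dst, const ifd_entry_t *e,
                              const uint8_t *file, size_t file_len, size_t *written) {
    size_t elem = elem_size(e->type);
    if (e->count > SIZE_MAX / elem) return -1;          /* count * elem would wrap */
    size_t n = (size_t)e->count * elem;
    if (n > dst->cap) return -1;                        /* would overrun the heap block */
    if (e->offset > file_len || n > file_len - e->offset) return -1;
    memcpy(dst->base, file + e->offset, n);
    *written = n;
    return 0;
}

/* Constructed sample: a 512-byte file of 0x41 and an entry claiming 0xFE BYTE
 * elements (the counter value quoted from the report) at offset 0x80. */
static ifd_entry_t sample_entry(uint32_t count) {
    ifd_entry_t e = { 0x0111 /* StripOffsets */, 1 /* BYTE */, count, 0x80 };
    return e;
}

/* Returns how many canary bytes the unchecked copy clobbers (254 - 64 = 190). */
size_t demo_unchecked(void) {
    uint8_t file[FILE_LEN]; memset(file, 0x41, FILE_LEN);
    ifd_entry_t e = sample_entry(0xFE);
    strip_buf_t b = strip_alloc(DECLARED_CAP);
    copy_entry_unchecked(&b, &e, file, FILE_LEN);
    size_t clobbered = strip_bytes_clobbered(&b);
    strip_free(&b);
    return clobbered;
}

/* Returns 1 if the checked copy rejects the same entry and leaves the canary intact. */
int demo_checked_rejects(void) {
    uint8_t file[FILE_LEN]; memset(file, 0x41, FILE_LEN);
    ifd_entry_t e = sample_entry(0xFE);
    strip_buf_t b = strip_alloc(DECLARED_CAP);
    size_t w = 0;
    int rc = copy_entry_checked(&b, &e, file, FILE_LEN, &w);
    size_t clobbered = strip_bytes_clobbered(&b);
    strip_free(&b);
    return rc == -1 && clobbered == 0;
}

/* Returns the bytes written for an honest entry (count 32 fits in 64). */
size_t demo_checked_accepts(void) {
    uint8_t file[FILE_LEN]; memset(file, 0x41, FILE_LEN);
    ifd_entry_t e = sample_entry(32);
    strip_buf_t b = strip_alloc(DECLARED_CAP);
    size_t w = 0;
    if (copy_entry_checked(&b, &e, file, FILE_LEN, &w) != 0) w = 0;
    strip_free(&b);
    return w;
}

int main(void) {
    printf("unchecked copy clobbered %zu bytes past the block\n", demo_unchecked());
    printf("checked copy rejected bad entry: %d\n", demo_checked_rejects());
    printf("checked copy accepted good entry, wrote %zu bytes\n", demo_checked_accepts());
    return 0;
}
```

The point of the two functions is the check order: the hardened version compares the file-supplied count against the destination it actually has, and guards the `count * elem` multiplication, before the first byte is copied. Checking only the source range, as the unchecked version does, is exactly what leaves the destination pointer at the end of its block with a non-zero counter still to go.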

------
iLoch
Anyone know if the patch has been applied to iOS 10 developer previews?

~~~
pcl
The latest iOS 9 and 10 builds appear to be patched.

~~~
iLoch
Thanks!

