Hacker News new | ask | show | jobs
About the security content of iOS 9.3 (support.apple.com)
52 points by wooster 3741 days ago
7 comments
jgrahamc 3741 days ago
Waiting for the paper on this:

    Impact: An attacker who is able to bypass Apple's certificate pinning, 
    intercept TLS connections, inject messages, and record encrypted attachment-
    type messages may be able to read attachments

    Description: A cryptographic issue was addressed by rejecting duplicate 
    messages on the client.

    CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, 
    and Michael Rushanan of Johns Hopkins University
link
runesoerensen 3741 days ago
The blog post (which includes link to the paper) has been submitted here: https://news.ycombinator.com/item?id=11332377
link
mhw 3741 days ago
Hmm:

    CVE-2016-1752 : CESG
    CVE-2016-1750 : CESG
I wonder if that's <https://www.cesg.gov.uk/>, which is "the Information Security Arm of GCHQ". If so I guess we should be thankful that they saw these vulnerabilities is a risk rather than an opportunity.
link
pbarnes_1 3741 days ago
Government uses iPhones -> Government reports iPhone vulns.
link
matt_wulfeck 3741 days ago
And this is exactly the way it should work.
link
kabdib 3741 days ago
Apple's basically saying "Here are a bunch of bugs that are not fixed in the version of the phone the FBI has. You don't need us, or source code, or anything other than to hire someone to take advantage of these holes. Go away."

Nice timing.

Probably pissed off a bunch of the intelligence community today.

link
abritishguy 3741 days ago
So many memory corruption issues, I'd like to think in 5/10 years time this would be solved and everything written in a safe language but maybe I'm being optimistic.
link
knodi 3741 days ago
Thats the same thing people said 10 years ago.
link
wtallis 3741 days ago
The people saying that 10 years ago were quite obviously being unrealistic. Holding such an opinion back then was essentially predicting that C++ would be replaced by Java, Python, etc.

Now, we've got languages like Rust that offer improved safety mechanisms without really sacrificing expressiveness or runtime performance the way "managed" languages do, so there's a real alternative for software that needs the highest performance or best battery life.

link
tambourine_man 3741 days ago
If by safe you mean memory managed by default with opting out (unsafe keyword, or something similar), then I would bet so.

If you mean safe like there's no way a programer can screw this (100% memory managed like JavaScript, Python, Ruby) than I'd bet not.

link
abritishguy 3741 days ago
The former, something like Rust.
link
daenney 3741 days ago
"This issue was addressed through improved input validation." Valuable refresher for everyone.
link
brokentone 3741 days ago
Is the big security roll up here due to external or internal scrutiny of iOS security spawned by the FBI inquiry perhaps?
link
saidajigumi 3741 days ago
Seems doubtful. The overwhelming majority of the CVEs have external reporters cited.

Instead, I expect iOS 10 and the fall hardware announcements are where we'll start seeing signs of any really big changes, e.g. an Apple push to seal itself (and government actors) completely away from customer data access.

link
0x0 3741 days ago
This is nothing special in iOS terms, most point releases have security release notes that are often even longer than this one.
link
kevincox 3741 days ago
Am I reading this wrong or does it not say which devices received fixes? Or is it not including which devices were affected?
link
robin_reala 3741 days ago
The issues reports are OS level rather than device level. Every device that can run iOS 9 gains these fixes. Full list is at https://www.apple.com/ios/whats-new/#compatibility , but basically iPhone 4S+ / iPad2+.
link
IMcD23 3741 days ago
These fixed are OS-wide, meaning they apply to all devices running iOS 9.
link