[HN Gopher] About the security content of iOS 15.2.1 and iPadOS ...
___________________________________________________________________

About the security content of iOS 15.2.1 and iPadOS 15.2.1

Author : shantara
Score : 54 points
Date : 2022-01-12 19:39 UTC (3 hours ago)

(HTM) web link (support.apple.com)
(TXT) w3m dump (support.apple.com)

| Syonyk wrote:
| Dear Apple:
|
| User-set name strings _are not trusted data._ Even if you filter
| on submission, people _will_ find ways around it.
|
| This is the second "User can set the name of a device to a string
| that screws things up badly" bug in recent history. The other one
| was the "You can set your AirTag name to cross site scripting
| tags" one.

| [deleted]

| ripa wrote:
| there was also the WiFi name where it would disable the
| iPhone's WiFi.
| https://www.macrumors.com/2021/06/20/ios-bug-network-name-di...

| olliej wrote:
| If you can't trust users, who can you trust? :D
|
| I wonder if it was a "necessary" fault: I can _imagine_ someone
| going "let's validate this string and terminate if it's
| invalid". That mitigates security problems very effectively,
| however it's clearly actually a bad thing if you can trigger it
| trivially in a semi-permanent manner.
|
| Projects like webkit and blink aggressively use release asserts
| on internal invariants that should not happen, but they're not
| triggered on raw inputs.

| _jal wrote:
| Renaming your phone also triggered the Log4Shell vuln at one
| point.
|
| https://www.theverge.com/2021/12/13/22832552/iphone-tesla-sm...

| throw10920 wrote:
| This is a good point - here, the victim wouldn't have been
| the user, but Apple themselves, illustrating that
| (occasionally, not always) being lax with security can come
| and bite you (instead of just your users).

| olliej wrote:
| They weren't lax with security, they updated as quickly as
| every other major company did. They were caught out by the
| same zero day as everyone else.
|
| The whole point of a "zero day" is that people don't know
| about it ahead of time.

| vxNsr wrote:
| It really feels like sanitizing user inputs is a new concept to
| Apple.

| olliej wrote:
| The problem is really how you respond - a valid (from a
| security standpoint) response to invalid input is
| termination: it means that you can't exploit it.
|
| In this case such a response would be inappropriate (I have
| no idea what the actual bug in the code was, whether it was
| deliberate or unintentional). Hell I've seen utf8 libraries
| that terminate on invalid input, so good luck using those :-/

| musicale wrote:
| You'd think they'd have implemented data taint tracking or
| something in the Swift language/runtime/libraries to reduce
| the attack surface.
|
| You might even be able to implement it in the sandboxing
| system.

| xoa wrote:
| Ars amongst a number of others had an article covering this [0]
| last week. Not that trivial to exploit but sounded relatively
| nasty if it was triggered, so better late than never. Though
| HomeKit overall has been a pretty significant disappointment and
| definitely feels like one of those semi-afterthought type of
| Apple projects at this point. Important enough or with enough
| internal sway to not get dropped outright, but not enough to get
| any serious effort either. Like the Mac Pro maybe, though that
| one is even more disappointing. So I wonder how many people make
| much use of it, let alone share with others.
|
| ----
|
| 0: https://arstechnica.com/information-technology/2022/01/5-mon...

| mason55 wrote:
| > _Though HomeKit overall has been a pretty significant
| disappointment and definitely feels like one of those
| semi-afterthought type of Apple projects at this point._
|
| It's strange because they have clearly spent a LOT of time
| pushing partner channel development and certification. But the
| software side, the part that the user actually interacts with,
| seems so under thought.
|
| My random pet peeve is HomeKit garage door controls in CarPlay.
| If you have multiple garage doors and they are both in HomeKit,
| you can only see one of your garage doors in CarPlay, and
| there's not even a way to choose which garage door you see.
|
| We have two garage doors but only use one for cars. I wanted to
| have them both set up as HomeKit devices so that I could see
| status and get alerts if I left the second one open, but
| CarPlay decided that it wanted to use the second door, the one
| I don't use for cars. The only way to get CarPlay to pick the
| correct door was to completely disable HomeKit on my other
| garage door.

| radicaldreamer wrote:
| This is the same story with Siri...

| xoa wrote:
| > _It's strange because they have clearly spent a LOT of
| time pushing partner channel development and certification.
| But the software side, the part that the user actually
| interacts with, seems so under thought._
|
| Yeah, and strategically it seems pretty important too. Even
| more so since that area is an important aspect to the future
| value of not just existing stuff like their watch or siri,
| but future wearables like AR. And it seems like something
| that should mesh fairly well with Apple's core competencies
| and business (unlike, for example, a frigging car). It's also
| an area with massive privacy and security concerns which
| should also be a natural extension of some of their efforts.
| Yet somehow it's just an unpleasant mess. Simultaneously too
| limiting and yet awkward to work with or troubleshoot. And
| even stranger, they've put real effort recently into power
| user automation stuff with their
| Shortcuts/Automation/Automator items.
|
| Guess we're seeing the classic shadow cast by internal
| organizational politics, power, and attention that's all out
| of view. May just be another aspect of Apple's organizational
| structure, which is excellent at singular vertical efforts
| but mediocre at multitasking.

| travisgriggs wrote:
| > It's strange because they have clearly spent a LOT of time
| pushing partner channel development and certification. But
| the software side, the part that the user actually interacts
| with, seems so under thought.
|
| This is usually a sign that the MBAs are taking over and
| playing software developers via spec driven development, the
| actual software artisans having been reduced to a transpiling
| transfer function.
|
| I don't have any contacts inside of Apple these days; it
| would be interesting to hear whether developers on the inside
| are feeling this is the case.

| wronglebowski wrote:
| Wouldn't they just be pushing the channel to get the fees
| from certification? Like the made for iPod/iPhone program?
|
| The way I see it Apple believes they are entitled to a
| percentage of all things in life. They can't sell Home
| automation as a service yet but they can certainly make up
| some of the cost by gouging their partners to join the
| ecosystem.

| [deleted]

| paxys wrote:
| Mac App Store met a similar fate. Lots of developers published
| there because Apple asked them to, but it is an afterthought
| for both developers and users.
|
| I think the biggest problem with HomeKit is that for most
| people the primary UI for their smart home is a connected
| speaker, but a $150-$300 HomePod isn't something you can
| scatter all over your house the same way as a $20 Echo.

| wlesieutre wrote:
| There's only one HomePod anymore and it's $100 (unless we're
| talking about non-US pricing). Still more than an Echo, but a
| lot more reasonable than the original HomePod was.

| Matheus28 wrote:
| > There's only one HomePod anymore
|
| Which is a shame, the original one has such good sound
| quality for its size

| jakeva wrote:
| Even doubly so, since at least for some of us they were
| bricked somehow recently. I had two. One is flashing the
| volume buttons and is unresponsive otherwise.
| I can't even replace it without going to ebay and paying double.
| https://www.reddit.com/r/HomePod/comments/g3lm0e/flashing_vo...

| lotsofpulp wrote:
| >I think the biggest problem with HomeKit is that for most
| people the primary UI for their smart home is a connected
| speaker
|
| The iPhone, Watch, iPad, or laptop can all do the same thing
| as HomePod speakers.

| emptybottle wrote:
| It's a shame there isn't an alternate software path for iOS
| devices that have aged out of security updates.
|
| I have an iPad whose hardware has life left in it, but as time
| goes on it's more and more worrisome to run a connected
| device without security updates.

| bxparks wrote:
| Yeah, I have an iPad4 that looks like it's brand new. I bought
| it for my mom, she treated it like a baby for a few years, then
| returned it to me. It is stuck on iPadOS 10.3.3. It now sits on
| a shelf, running Yahoo Weather and nothing else. What a waste
| of perfectly good hardware.

| musicale wrote:
| It's too bad. Apple hardware tends to last a lot longer than
| the software.
|
| At least my iPad Air 2 from 2014 is still getting updates.

| knolan wrote:
| That's a nine year old tablet. It's far from useless just
| because it runs iOS 10.
|
| My partner's mother has an old iPad mini from the same year
| and it's perfect for FaceTime calls. It's basically an iPad 2
| SoC.
|
| I wouldn't do any personal banking on it however.

| 2muchcoffeeman wrote:
| My mom still uses my iPad 2. 11 years. It must have stopped
| receiving updates a couple of years ago. But they won't
| upgrade. The only reason they upgraded their phones was
| that their storage ran out and they wanted more pictures of
| their grandkids.

| ChrisMarshallNY wrote:
| I use these types of things for testing.
|
| I recently bought a used SE (1st gen), as a low-end test
| (running iOS 14).
|
| I also purchased a used iPhone 8Plus.

| petecooper wrote:
| >CVE-2022-22588
|
| Wow.
| 12 days into 2022 and we're already up to 22k CVEs filed.
|
| Edit: I was wrong. Thanks @minhazm and @geofft.

| minhazm wrote:
| 606 in 2022 so far according to:
|
| https://www.cvedetails.com/vulnerability-list/year-2022/vuln...

| geofft wrote:
| CVEs are allocated to major users (vendors, distros, etc.) in
| blocks, so this might just be the 88th CVE from whoever has the
| 22500-23000 block or whatever.

| [deleted]

| webinvest wrote:
| There was only 1 Denial of Service bug patched. Nowhere near as many
| exploits patched as in prior versions:
|
| https://news.ycombinator.com/item?id=29198901

| p49k wrote:
| Background: https://trevorspiniolas.com/doorlock/doorlock.html

| hosteur wrote:
| This should be the article linked in the story.

| Operyl wrote:
| That article was discussed at length already, the current
| linked page is the conclusion from Apple (not mentioned on
| the article from GP).
___________________________________________________________________
(page generated 2022-01-12 23:00 UTC)
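Added example, not part of the thread and not Apple's code: a sketch of the trade-off raised in the first sub-thread, where validate-and-terminate blocks exploitation but turns a persisted bad name into a crash on every launch, next to a loader that quarantines the record instead. The store, the accessory ids and the 64-character limit are constructed assumptions.

```python
import unicodedata

MAX_NAME_CHARS = 64  # assumed policy limit, not a value from the advisory

# Constructed records standing in for names synced from other users or devices.
SYNCED_NAMES = {
    "acc-1": "Front Door",
    "acc-2": "A" * 10_000,        # oversized name set by another party
    "acc-3": "Lamp\u0000\u202e",  # NUL plus a bidi override character
}

def name_problem(name):
    """Return a reason string if the name violates policy, else None."""
    if not isinstance(name, str) or not name.strip():
        return "empty or not text"
    if len(name) > MAX_NAME_CHARS:
        return "too long"
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in name):
        return "control or format character"
    return None

def load_fail_stop(store):
    """Validate-and-terminate: not exploitable, but one stored bad name ends every launch."""
    for acc_id, name in store.items():
        if name_problem(name):
            raise SystemExit(f"invariant violated for {acc_id}")
    return dict(store)

def load_quarantine(store):
    """Reject the bad record at the trust boundary and keep the process alive."""
    names, quarantined = {}, {}
    for acc_id, name in store.items():
        reason = name_problem(name)
        if reason:
            quarantined[acc_id] = reason  # log/report, never render the raw value
            names[acc_id] = f"Unnamed accessory ({acc_id})"
        else:
            names[acc_id] = name
    return names, quarantined

def launches_that_succeed(loader, store, attempts=3):
    """The store persists across restarts, so a crash on load repeats on relaunch."""
    ok = 0
    for _ in range(attempts):
        try:
            loader(store)
            ok += 1
        except SystemExit:
            pass
    return ok
```
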