[HN Gopher] About the security content of iOS 15.2.1 and iPadOS ...
___________________________________________________________________
About the security content of iOS 15.2.1 and iPadOS 15.2.1
Author : shantara
Score : 54 points
Date : 2022-01-12 19:39 UTC (3 hours ago)
(HTM) web link (support.apple.com)
(TXT) w3m dump (support.apple.com)
| Syonyk wrote:
| Dear Apple:
|
| User-set name strings _are not trusted data._ Even if you filter
| on submission, people _will_ find ways around it.
|
| This is the second "User can set the name of a device to a string
| that screws things up badly" bug in recent history. The other one
| was the "You can set your AirTag name to cross site scripting
| tags" one.
| [deleted]
| ripa wrote:
| There was also the WiFi name where it would disable the
| iPhone's WiFi. https://www.macrumors.com/2021/06/20/ios-bug-
| network-name-di...
| olliej wrote:
| If you can't trust users, who can you trust? :D
|
| I wonder if it was a "necessary" fault: I can _imagine_ someone
| going "let's validate this string and terminate if it's
| invalid". That mitigates security problems very effectively,
| however it's clearly actually a bad thing if you can trigger it
| trivially in a semi-permanent manner.
|
| Projects like webkit and blink aggressively use release asserts
| on internal invariants that should not happen, but they're not
| triggered on raw inputs.
| _jal wrote:
| Renaming your phone also triggered the Log4Shell vuln at one
| point.
|
| https://www.theverge.com/2021/12/13/22832552/iphone-tesla-sm...
| throw10920 wrote:
| This is a good point - here, the victim wouldn't have been
| the user, but Apple themselves, illustrating that
| (occasionally, not always) being lax with security can come
| and bite you (instead of just your users).
| olliej wrote:
| They weren't lax with security, they updated as quickly as
| every other major company did. They were caught out by the
| same zero day as everyone else.
|
| The whole point of a "zero day" is that people don't know
| about it ahead of time.
| vxNsr wrote:
| It really feels like sanitizing user inputs is a new concept to
| Apple.
| olliej wrote:
| The problem is really how you respond - a valid (from a
| security standpoint) response to invalid input is
| termination: it means that you can't exploit it.
|
| In this case such a response would be inappropriate (I have
| no idea what the actual bug in the code was, whether it was
| deliberate or unintentional). Hell I've seen utf8 libraries
| that terminate on invalid input, so good luck using those :-/
| musicale wrote:
| You'd think they'd have implemented data taint tracking or
| something in the Swift language/runtime/libraries to reduce
| the attack surface.
|
| You might even be able to implement it in the sandboxing
| system.
| xoa wrote:
| Ars amongst a number of others had an article covering this [0]
| last week. Not that trivial to exploit but sounded relatively
| nasty if it was triggered, so better late than never. Though
| HomeKit overall has been a pretty significant disappointment and
| definitely feels like one of those semi-afterthought type of
| Apple projects at this point. Important enough or with enough
| internal sway to not get dropped outright, but not enough to get
| any serious effort either. Like the Mac Pro maybe, though that
| one is even more disappointing. So I wonder how many people make
| much use of it, let alone share with others.
|
| ----
|
| 0: https://arstechnica.com/information-
| technology/2022/01/5-mon...
| mason55 wrote:
| > _Though HomeKit overall has been a pretty significant
| disappointment and definitely feels like one of those semi-
| afterthought type of Apple projects at this point._
|
| It's strange because they have clearly spent a LOT of time
| pushing partner channel development and certification. But the
| software side, the part that the user actually interacts with,
| seems so under thought.
|
| My random pet peeve is HomeKit garage door controls in CarPlay.
| If you have multiple garage doors and they are both in HomeKit,
| you can only see one of your garage doors in CarPlay, and
| there's not even a way to choose which garage door you see.
|
| We have two garage doors but only use one for cars. I wanted to
| have them both set up as HomeKit devices so that I could see
| status and get alerts if I left the second one open, but
| CarPlay decided that it wanted to use the second door, the one
| I don't use for cars. The only way to get CarPlay to pick the
| correct door was to completely disable HomeKit on my other
| garage door.
| radicaldreamer wrote:
| This is the same story with Siri...
| xoa wrote:
| > _It's strange because they have clearly spent a LOT of
| time pushing partner channel development and certification.
| But the software side, the part that the user actually
| interacts with, seems so under thought._
|
| Yeah, and strategically it seems pretty important too. Even
| more so since that area is an important aspect to the future
| value of not just existing stuff like their watch or Siri,
| but future wearables like AR. And it seems like something
| that should mesh fairly well with Apple's core competencies
| and business (unlike, for example, a frigging car). It's also
| an area with massive privacy and security concerns which
| should also be a natural extension of some of their efforts.
| Yet somehow it's just an unpleasant mess. Simultaneously too
| limiting and yet awkward to work with or troubleshoot. And
| even stranger, they've put real effort recently into power
| user automation stuff with their
| Shortcuts/Automation/Automator items.
|
| Guess we're seeing the classic shadow cast by internal
| organizational politics, power, and attention that's all out
| of view. May just be another aspect of Apple's organizational
| structure, which is excellent at singular vertical efforts
| but mediocre at multitasking.
| travisgriggs wrote:
| > It's strange because they have clearly spent a LOT of time
| pushing partner channel development and certification. But
| the software side, the part that the user actually interacts
| with, seems so under thought.
|
| This is usually a sign that the MBAs are taking over and
| playing software developers via spec driven development, the
| actual software artisans having been reduced to a transpiling
| transfer function.
|
| I don't have any contacts inside of Apple these days; it
| would be interesting to hear whether developers on the inside
| are feeling this is the case.
| wronglebowski wrote:
| Wouldn't they just be pushing the channel to get the fees
| from certification? Like the made for iPod/iPhone program?
|
| The way I see it Apple believes they are entitled to a
| percentage of all things in life. They can't sell Home
| automation as a service yet but they can certainly make up
| some of the cost by gouging their partners to join the
| ecosystem.
| [deleted]
| paxys wrote:
| Mac App Store met a similar fate. Lots of developers published
| there because Apple asked them to, but it is an afterthought
| for both developers and users.
|
| I think the biggest problem with HomeKit is that for most
| people the primary UI for their smart home is a connected
| speaker, but a $150-$300 HomePod isn't something you can
| scatter all over your house the same way as a $20 Echo.
| wlesieutre wrote:
| There's only one HomePod anymore and it's $100 (unless we're
| talking about non-US pricing). Still more than an Echo, but a
| lot more reasonable than the original HomePod was.
| Matheus28 wrote:
| > There's only one HomePod anymore
|
| Which is a shame, the original one has such good sound
| quality for its size
| jakeva wrote:
| Even doubly so, since at least for some of us they were
| bricked somehow recently. I had two. One is flashing the
| volume buttons and is unresponsive otherwise. I can't
| even replace it without going to eBay and paying double.
| https://www.reddit.com/r/HomePod/comments/g3lm0e/flashing
| _vo...
| lotsofpulp wrote:
| >I think the biggest problem with HomeKit is that for most
| people the primary UI for their smart home is a connected
| speaker
|
| The iPhone, Watch, iPad, or laptop can all do the same thing
| as HomePod speakers.
| emptybottle wrote:
| It's a shame there isn't an alternate software path for iOS
| devices that have aged out of security updates.
|
| I have an iPad whose hardware has life left in it, but as time
| goes on it's more and more worrisome to run a connected
| device without security updates.
| bxparks wrote:
| Yeah, I have an iPad4 that looks like it's brand new. I bought
| it for my mom, she treated it like a baby for a few years, then
| returned it to me. It is stuck on iPadOS 10.3.3. It now sits on
| a shelf, running Yahoo Weather and nothing else. What a waste
| of perfectly good hardware.
| musicale wrote:
| It's too bad. Apple hardware tends to last a lot longer than
| the software.
|
| At least my iPad Air 2 from 2014 is still getting updates.
| knolan wrote:
| That's a nine year old tablet. It's far from useless just
| because it runs iOS 10.
|
| My partner's mother has an old iPad mini from the same year
| and it's perfect for FaceTime calls. It's basically an iPad 2
| SoC.
|
| I wouldn't do any personal banking on it however.
| 2muchcoffeeman wrote:
| My mom still uses my iPad 2. 11 years. It must have stopped
| receiving updates a couple of years ago. But they won't
| upgrade. The only reason they upgraded their phones was
| that their storage ran out and they wanted more pictures of
| their grandkids.
| ChrisMarshallNY wrote:
| I use these types of things for testing.
|
| I recently bought a used SE (1st gen), as a low-end test
| (running iOS 14).
|
| I also purchased a used iPhone 8Plus.
| petecooper wrote:
| >CVE-2022-22588
|
| Wow. 12 days into 2022 and we're already up to 22k CVEs filed.
|
| Edit: I was wrong. Thanks @minhazm and @geofft.
| minhazm wrote:
| 606 in 2022 so far according to:
|
| https://www.cvedetails.com/vulnerability-list/year-2022/vuln...
| geofft wrote:
| CVEs are allocated to major users (vendors, distros, etc.) in
| blocks, so this might just be the 88th CVE from whoever has the
| 22500-23000 block or whatever.
| [deleted]
| webinvest wrote:
| There was only 1 Denial of Service bug patched. Nowhere near as many
| exploits patched as in prior versions:
|
| https://news.ycombinator.com/item?id=29198901
| p49k wrote:
| Background: https://trevorspiniolas.com/doorlock/doorlock.html
| hosteur wrote:
| This should be the article linked in the story.
| Operyl wrote:
| That article was discussed at length already, the current
| linked page is the conclusion from Apple (not mentioned on
| the article from GP).
___________________________________________________________________
(page generated 2022-01-12 23:00 UTC)