Update??

So I’m happily using my computer this evening, browsing around the web, and suddenly the Apple Software Update program pops up.  I hadn’t seen it in a while, so I figured there must be an update to iTunes or QuickTime since I have it set to check for updates automatically and those are the only programs from Apple that I have.  Then I looked at what Apple wanted me to “update”

Look at that list of software.  No iTunes.  No QuickTime.  No update!  They are using their update engine to push out new software.  I have never installed Safari, nor do I have any wish to install it.  I really hate it when updates try to push new programs on me.  The worst offender used to be Java, which would offer me the Google Toolbar and OpenOffice during an update, but this just takes the cake.  The worst part is that I almost clicked through the screen without thinking about it.  I’ve had adware that was less obnoxious than this.  Software updates should be a sacred process, and developers have to fight for the trust of their users.  If a user doesn’t trust that an update is important, or this case even relevant, then they are less likely to update.  If users are slow to patch and update their software then they leave themselves open and vulnerable to attack.  A great example of this is the Code Red computer worm that took advantage of a hole in IIS that had been patched a month earlier.  If users had quickly applied the update supplied by vendors, then the worm outbreak could have been prevented.  It astonishes me that a major software company doesn’t understand this concept and is willing to stoop to this level of intrusion just for market share.  Then again, we’ve already talked about Apple’s lack of regard for the update process.   

Hacking the iPhone: Throwing caution to the wind

I am sure everyone is fully aware of the ongoing battle between hackers and Apple engineers over unlocking the new iPhone and iPod Touch.  I don’t plan to take sides on the issue, it is really of little interest to me, but what is grabbed my attention is the complete lack of regard for the users security by both sides.

We are currently on round two of the hack.  The first break in was wiped out by the latest firmware update sent out by Apple.  The latest version utilizes a bug in the way the phone handles TIFF image files.  A specially crafted TIFF file, when supplied to Safari causes a stack based buffer overflow with the possibility of remote code execution.  How is this helpful to iPhone users?  Well, all applications run as root on the iPhone, meaning that once execution has been hijacked, the injected code is running with the highest permissions possible.  By simply browsing to a website and viewing this TIFF file, Safari is giving up complete read/write access to the entire system.  From the website http://toc2rta.com/:

So its offical we have released the tiff exploit code. You can navigate in safari to http://jailbreak.toc2rta.com on your Itouch or Iphone 1.1.1. It will crash your Safari but then you will be able to browse the file system with full read/write access.

Well that’s just grand.

The fact that this exploit has been received so well by users and tech writers alike confounds me.  Why would anyone be celebrating an exploit like this?  Do they not realize that if Niacin and Dre have figured out how to malform the bytes of a TIFF file correctly then someone else probably has too?  Someone who might not be so friendly?  The thought of mobile malware should be troubling to everyone.  Imagine for a minute, a worm that dials 911 on your cell phone on loop, or even one that makes a call to a 900 number when your phone is idle.  There are serious ramifications with a bug like this, and everyone, not just iPhone users, is at risk until Apple fixes this.

Apple claims that they are protecting users by not allowing third party applications to run on the iPhone or releasing an SDK.  Steve Jobs was quoted in a Newsweek interview saying, “Cingular doesn’t want to see their West Coast network go down because some application messed up.”  What he has failed to realize is that his engineers aren’t nearly good enough to keep hackers out of the iPhone (an impossible task).  All this has done is put thousands of people at risk because users are forced to find a way to root their phone so they can run the applications they want.

Just like the previous firmware update, version 1.1.2 will undoubtedly fix this bug in Safari and render the unlocking technique useless.  Faced with the prospect of losing all of their third-party applications, many users will chose not to update their device.  In other words, people will be choosing to run a buggy, exploitable browser in order to use their device the way they want to.  That is a scary thought.  Apple needs to remedy this situation quickly, and do as much as they can to reverse this notion that hacking is good, and updating is bad.  The existence of this exploit should not be celebrated, people should be worried that the security of their phone is so porous.  Hopefully this will all be resolved before a serious outbreak of malicious mobile code hits us all.