About the security content of iOS 9.3 (opens in new tab)

(support.apple.com)

52 pointswooster10y ago18 comments

18 comments

Waiting for the paper on this:

    Impact: An attacker who is able to bypass Apple's certificate pinning, 
    intercept TLS connections, inject messages, and record encrypted attachment-
    type messages may be able to read attachments

    Description: A cryptographic issue was addressed by rejecting duplicate 
    messages on the client.

    CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, 
    and Michael Rushanan of Johns Hopkins University

runesoerensen10y ago

The blog post (which includes link to the paper) has been submitted here: https://news.ycombinator.com/item?id=11332377

mhw10y ago

Hmm:

    CVE-2016-1752 : CESG
    CVE-2016-1750 : CESG

I wonder if that's <https://www.cesg.gov.uk/>, which is "the Information Security Arm of GCHQ". If so I guess we should be thankful that they saw these vulnerabilities is a risk rather than an opportunity.

pbarnes_110y ago

Government uses iPhones -> Government reports iPhone vulns.

matt_wulfeck10y ago

And this is exactly the way it should work.

kabdib10y ago

Apple's basically saying "Here are a bunch of bugs that are not fixed in the version of the phone the FBI has. You don't need us, or source code, or anything other than to hire someone to take advantage of these holes. Go away."

Nice timing.

Probably pissed off a bunch of the intelligence community today.

abritishguy10y ago

So many memory corruption issues, I'd like to think in 5/10 years time this would be solved and everything written in a safe language but maybe I'm being optimistic.

knodi10y ago

Thats the same thing people said 10 years ago.

wtallis10y ago

The people saying that 10 years ago were quite obviously being unrealistic. Holding such an opinion back then was essentially predicting that C++ would be replaced by Java, Python, etc.

Now, we've got languages like Rust that offer improved safety mechanisms without really sacrificing expressiveness or runtime performance the way "managed" languages do, so there's a real alternative for software that needs the highest performance or best battery life.

tambourine_man10y ago

If by safe you mean memory managed by default with opting out (unsafe keyword, or something similar), then I would bet so.

If you mean safe like there's no way a programer can screw this (100% memory managed like JavaScript, Python, Ruby) than I'd bet not.

abritishguy10y ago

The former, something like Rust.

daenney10y ago

"This issue was addressed through improved input validation." Valuable refresher for everyone.

brokentone10y ago

Is the big security roll up here due to external or internal scrutiny of iOS security spawned by the FBI inquiry perhaps?

saidajigumi10y ago

Seems doubtful. The overwhelming majority of the CVEs have external reporters cited.

Instead, I expect iOS 10 and the fall hardware announcements are where we'll start seeing signs of any really big changes, e.g. an Apple push to seal itself (and government actors) completely away from customer data access.

0x010y ago

This is nothing special in iOS terms, most point releases have security release notes that are often even longer than this one.

kevincox10y ago

Am I reading this wrong or does it not say which devices received fixes? Or is it not including which devices were affected?

robin_reala10y ago

The issues reports are OS level rather than device level. Every device that can run iOS 9 gains these fixes. Full list is at https://www.apple.com/ios/whats-new/#compatibility , but basically iPhone 4S+ / iPad2+.

IMcD2310y ago

These fixed are OS-wide, meaning they apply to all devices running iOS 9.

j / k navigate · click thread line to collapse

18 comments

jgrahamc10y ago

Waiting for the paper on this:

    Impact: An attacker who is able to bypass Apple's certificate pinning, 
    intercept TLS connections, inject messages, and record encrypted attachment-
    type messages may be able to read attachments

    Description: A cryptographic issue was addressed by rejecting duplicate 
    messages on the client.

    CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, 
    and Michael Rushanan of Johns Hopkins University

runesoerensen10y ago

The blog post (which includes link to the paper) has been submitted here: https://news.ycombinator.com/item?id=11332377

mhw10y ago

Hmm:

    CVE-2016-1752 : CESG
    CVE-2016-1750 : CESG

pbarnes_110y ago

Government uses iPhones -> Government reports iPhone vulns.

matt_wulfeck10y ago

And this is exactly the way it should work.

kabdib10y ago

Nice timing.

Probably pissed off a bunch of the intelligence community today.

abritishguy10y ago

So many memory corruption issues, I'd like to think in 5/10 years time this would be solved and everything written in a safe language but maybe I'm being optimistic.

knodi10y ago

Thats the same thing people said 10 years ago.

wtallis10y ago

The people saying that 10 years ago were quite obviously being unrealistic. Holding such an opinion back then was essentially predicting that C++ would be replaced by Java, Python, etc.

tambourine_man10y ago

If by safe you mean memory managed by default with opting out (unsafe keyword, or something similar), then I would bet so.

If you mean safe like there's no way a programer can screw this (100% memory managed like JavaScript, Python, Ruby) than I'd bet not.

abritishguy10y ago

The former, something like Rust.

daenney10y ago

"This issue was addressed through improved input validation." Valuable refresher for everyone.

brokentone10y ago

Is the big security roll up here due to external or internal scrutiny of iOS security spawned by the FBI inquiry perhaps?

saidajigumi10y ago

Seems doubtful. The overwhelming majority of the CVEs have external reporters cited.

0x010y ago

This is nothing special in iOS terms, most point releases have security release notes that are often even longer than this one.

kevincox10y ago

Am I reading this wrong or does it not say which devices received fixes? Or is it not including which devices were affected?

robin_reala10y ago

IMcD2310y ago

These fixed are OS-wide, meaning they apply to all devices running iOS 9.

j / k navigate · click thread line to collapse