We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.
I can't side with Apple et al. here. Hire some more security analysts yourselves instead of hoping that academics will find the flaws for you and then fail to publish so as to allow you to hold off until the next product cycle. More crappy business cost cutting I'm afraid.
This is interesting stuff for those of us not in the know. Are there any large documented cases of a company actually waiting for the next product life cycle to implement a solution to a large security flaw?
I'd have to dig around for actual cases, but yes, before high-profile publication of exploits was common many companies were well aware of security problems for which code existed in the wild that exploited them and chose just to chug along towards the next iteration of their product rather than fix them. I'm old enough to remember when technical staff at companies would be upfront with their customers that there would not be a fix before the next major software release. Don't forget that before around 1988 (when Robert Morris' worm demonstrated its value) almost nobody outside intelligence and academic communities cared about computer security at all. It's a young discipline.
The camera adds a thousand barrels. - Stephen Colbert
That might fix the buffer overflow but that doesn't mean there aren't other things that would need to be fixed to properly protect against this attack. E.g. it's possible that just fixing the buffer overflow still makes the phone susceptible to Denial of Service attacks by the onslaught of rapid fire SMS control messages which is effectively what a similar attack did to Android (it would disable cell service but you couldn't take control of the phone) before Google fixed it (I'm assuming this is the fix Quinton referred to above).
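The comment above makes two separate points: a parser that checks its length fields stops the memory-corruption class of bug, but a handset can still be knocked offline by a flood of well-formed control messages, so the parser fix and a rate limit are independent mitigations. The following is an added example written for this thread, not code from Apple, Google or the researchers involved. The header layout it parses (a UDHL byte followed by IEI/IEDL/IED triples, with IEI 0x00 carrying the 8-bit concatenation reference) is the standard SMS User Data Header format; the message bytes, sender ids, thresholds and all function names (`parse_udh`, `SenderRateLimiter`, `handle_sms`) are constructed for illustration.

```python
"""Defensive handling of incoming SMS user data: a bounds-checked UDH parser plus a
per-sender rate limiter. Added example; layout follows the standard UDH format,
all sample values are constructed."""
from collections import defaultdict, deque


class UdhError(ValueError):
    """Any malformed header: the caller drops the message instead of wedging or overflowing."""


IEI_CONCAT_8BIT = 0x00  # concatenated-SMS information element (8-bit reference number)


def parse_udh(user_data: bytes) -> tuple[dict, bytes]:
    """Parse the User Data Header at the start of user_data.

    Every length field is validated against the bytes actually present before it is
    used as an offset, so an oversized UDHL or IEDL raises UdhError rather than
    reading past the buffer. Returns (parsed_elements, remaining_payload).
    """
    if not user_data:
        raise UdhError("empty user data")
    udhl = user_data[0]
    if 1 + udhl > len(user_data):
        raise UdhError(f"UDHL {udhl} exceeds payload of {len(user_data)} bytes")
    header = user_data[1:1 + udhl]
    elements: dict = {}
    pos = 0
    while pos < len(header):
        if pos + 2 > len(header):
            raise UdhError("truncated information element")
        iei, iedl = header[pos], header[pos + 1]
        if pos + 2 + iedl > len(header):
            raise UdhError(f"IEDL {iedl} runs past end of header")
        ied = header[pos + 2:pos + 2 + iedl]
        if iei == IEI_CONCAT_8BIT:
            if iedl != 3:
                raise UdhError("concatenation IE must carry exactly 3 bytes")
            ref, total, seq = ied
            if total == 0 or not 1 <= seq <= total:
                raise UdhError(f"bad concatenation indices seq={seq} total={total}")
            elements["concat"] = {"ref": ref, "total": total, "seq": seq}
        else:
            elements[iei] = ied
        pos += 2 + iedl  # always advances, so a hostile header cannot stall the loop
    return elements, user_data[1 + udhl:]


class SenderRateLimiter:
    """Sliding-window limit: at most max_messages per sender within window_seconds."""

    def __init__(self, max_messages: int, window_seconds: float) -> None:
        self.max_messages = max_messages
        self.window = window_seconds
        self.events: dict = defaultdict(deque)

    def allow(self, sender: str, now: float) -> bool:
        queue = self.events[sender]
        while queue and now - queue[0] >= self.window:
            queue.popleft()  # expire timestamps outside the window
        if len(queue) >= self.max_messages:
            return False
        queue.append(now)
        return True


def handle_sms(limiter: SenderRateLimiter, sender: str, now: float, user_data: bytes) -> str:
    """Apply the rate limit first (cheap), then the structural checks; report the outcome."""
    if not limiter.allow(sender, now):
        return "dropped: rate limit"
    try:
        elements, payload = parse_udh(user_data)
    except UdhError as exc:
        return f"dropped: {exc}"
    return f"accepted: {len(payload)} payload bytes, elements={sorted(map(str, elements))}"


if __name__ == "__main__":
    limiter = SenderRateLimiter(max_messages=3, window_seconds=10.0)
    # Constructed messages: a valid part 1 of 2, an oversized UDHL, and an IEDL past the end.
    good = bytes([5, 0x00, 3, 0xAB, 2, 1]) + b"hi"
    bad_udhl = bytes([0x40, 0x00, 3, 1, 2, 1])
    bad_iedl = bytes([3, 0x00, 9, 1])
    for t, msg in enumerate([good, bad_udhl, bad_iedl, good, good]):
        print(t, handle_sms(limiter, "+15550001", float(t), msg))
```

The parser and the limiter are deliberately separate: the first closes the overflow class the thread is about, the second addresses the "onslaught of rapid fire" case, and a fix to one tells you nothing about the other.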
No, I was talking about a possible remote exploit in the G1 wifi driver that was fixed before G1 launched, which was found by our security team. Android was affected by the SMS issue being discussed here, but it resulted in the telephony process getting stuck (SMS parser got confused and wedged), requiring a reboot. No remote code execution, but still annoying.
We were notified around the same time Apple was, I believe, and we deployed an over the air update to fix devices in the field prior to the public disclosure of this attack.
Also, it's not even that the Black Hat community are such tremendous dicks that they can't be asked to delay the disclosure of an exploit (Don't bother watching all of it, they don't cover a lot of new ground).