iPad Left Vulnerable After Record iPhone Patch Job

CWmike writes "With Monday's iOS 4 upgrade, Apple patched a record 65 vulnerabilities in the iPhone, more than half of them critical. However, the first-generation iPhone and iPod Touch, as well as the much newer iPad, may have been left vulnerable to some or all of the 65 bugs. iOS 4 cannot be installed on 2007's iPhone and iPod Touch, and the upgrade is not slated to reach iPad owners until this fall. The bug count is a record for the iPhone, surpassing the previous high mark of 46 vulnerabilities patched last summer with iPhone OS 3.0. Formerly known as iPhone OS 4, iOS 4 included 35 bugs, or 54% of the total, that were tagged with the phrase 'arbitrary code execution.' It's unclear how many, if any, of the vulnerabilities affect Apple's iPad. The media tablet runs an interim version of the operating system, dubbed iPhone 3.2, that followed the February iPhone 3.1.3 security update. It's possible that some of the bugs patched Monday were fixed by Apple before it launched the iPad in early April. But according to the Common Vulnerabilities & Exposures database, it's likely that many of the flaws fixed on Monday still exist in 3.2."

Re:They're no bugs in Apple products!

[BarryJacobsen]

I'm more surprised that a phone is subject to so many vulnerabilities. Yet again, it is a pretty sophisticated piece of software. Hence, thanks for fixing the stuff, Apple; better late security than no security.

According to the article, 50 of the bugs are bugs in Webkit (side note: which would mean these bugs are likely present in Android, as Google uses Webkit for their browser, too), so it appears that web browsing is the most sophisticated piece (understandably.)

Re:Funny

[phantomfive]

In the old days, in addition to Microsoft's OS being an open door, a lot of those computers were left on the open internet, making it easy for viruses to find computers to attack. Also, OS distributors didn't really catch on to the idea that leaving services open was a bad idea (it just seemed like being a good netizen to leave your finger port open). For example, I don't think RedHat stopped shipping with the FTP port open by default until 2001 or 2002. And that was a secure OS, Windows was much worse.

In comparison, most iPads and iPhones are hidden behind a firewall, or are natted. You can't randomly probe ip addresses hoping to find one that is an iPad with a vulnerability that you're looking for. Maybe the best you can do is hope someone with the right device will surf to your web page with the exploit.

That doesn't stop email viruses, but given that iPads are only a fraction of the computers out there, I think we're more likely to see a serious email virus from a bug in Outlook than one on an iPad.

Re:It's a phone

[Stray7Xi]

A phone which is able to broadcast your real-time location.
A phone which has all your mails, all your texts and logs of all your calls, and a few private photoes to boot.
A phone with verified contact information for all your friends, and sellable information on yours and their preferences.
A phone that can call any number, including premium-rated ones owned by shady organizations.

Yeah. Who cares is someone else gains control of that?

Worse, how as a user can you even mitigate this risk?
You can't stick it behind a firewall (except on wifi) to detect weird traffic patterns.
There is no task manager of any kind (yes stock has very limited multitask but malware can jailbreak to rootkit)
There is no booting off a bootdisk to get a checksum of firmware.
It's like being logged onto windows with a locked down user account, unable to view the OS in any way.

The only thing as a user you can do is monitor your bills closely for unusual patterns.