It's 2019 and you can still pwn an iPhone with a website: Apple patches up iOS, Mac bugs in July security hole dump

On Monday Apple released a fresh round of security fixes for a load of its operating systems and applications. The July patch batch addresses vulnerabilities in iOS, MacOS, Safari, watchOS, and tvOS, though many of the updates are for common components across each of the platforms, such as the WebKit browser engine. These …

  1. Cavehomme_
    FAIL

    Who’s worse?

    Apple going the same way as Microsoft, no testing and QA?

    1. LDS Silver badge

      Re: Who’s worse?

      Your code is totally bug free? If so, you could become rich explaining how you do it....

      Just look, for example, at the Linux kernel CVEs for 2019:

      https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/year-2019/Linux-Linux-Kernel.html

      And that's the kernel only. Add all the CVEs for libraries, tools, etc.

      Going the same way as MS, Apple, Google, etc?

      1. AMBxx Silver badge
        Linux

        Re: Who’s worse?

        All that's really changed over the last 10-15 years is that Apple is now a big enough target to take the trouble to attack.

        1. LDS Silver badge

          Re: Who’s worse?

          It was always a good target to attack - as the average user was usually a more remunerative target to attack compared to other systems.

          1. Pascal Monett Silver badge

            Re: Who’s worse?

            From a ROI point of view, it is far less efficient to spend time crafting an attack for 5% of the market than it is for 95%.

            Now that Apple has upped its market share, it is becoming a better attack surface from that point of view.

            If I decide to try to scam Bill Gates out of a billion, I am going to spend years of effort to get to know him, his family, his house and his habits, and it will cost me a small fortune for no guaranteed return.

            On the other hand, if I craft a threatening letter over torrenting or somesuch, hire a spammer and split the proceeds for an attack of 10 million people, I'll likely cover my costs and reap a nice bundle, while likely staying out of reach of the law.

            If I were such a criminal, what do you think I would prefer?

            1. LDS Silver badge

              Re: Who’s worse?

              Depends on the kind of attack. A ROI can be far worse if you end up attacking mostly nerds with little money still living in their parents' basement.

              Sure, if your plan is to scam a few dollars from each, or you need a botnet, it can work, you can make money, and it may require less skills.

              On the other end if you attack 5% of the market but that market is mostly made of more affluent people, upper managers and so on, and your aim is to scam more money from each, and your skills are adequate, why not? You get targeted advertising victims, after all.

            2. Charlie Clark Silver badge

              Re: Who’s worse?

              When "iconic" white headphones came out, it made things a lot easier to pick targets. Or so I've heard said.

              MacOS, at least since X, had a headstart in security over Windows, because it came from a system with a well-understood permission system. It's taken a while but Microsoft has largely caught up, while Apple has expanded the attack surface with things like Safari, QuickLook, etc. Though some of this is unavoidable for the provision of some services.

              Still, Apple could do a whole lot better if it adopted a more standard unix (BSD) approach for keeping system components up to date.

            3. MrDamage

              Re: Who’s worse?

              > "it is far less efficient to spend time crafting an attack for 5% of the market than it is for 95%."

              That depends on the target. Apple users were (and some still are) convinced that Apple products could not get infected by virii etc.

              So if 95% of banks had their current security setup, but 5% of banks didn't believe bank robbers would target them for "insert reason here", and thus didn't implement sufficient security, which would you go for?

              1. doublelayer Silver badge

                Re: Who’s worse?

                That's a false equivalence. For the bank example, an attacker picks a single target and would try to optimize lack of security with other factors. A malware attack is almost always targeted at everyone they can. If you want to pursue the bank analogy, it's like saying "In one town, you have 5% of the banks. In the other town, you have 95% of the banks. All banks in each town keep their money in the same place, but with different security. Which big vault are you going to break into?". In order to choose the 5%, you either have to know a good way into their vault that you don't have for the 95%, or you have to be really confident that they have more money. If you're opportunistic and just choosing one, you'll probably try for the one that has the more money, which is likely to be the one used by 95% of the banks.

    2. J. R. Hartley Silver badge

      Re: Who’s worse?

      iPhone? Lol are they still a thing? Haven't seen one in a few years. Only the old fuddy duddys have them now. They're the new BlackBerry. Except they're shite.

  2. Not also known as SC
    Angel

    I'm safe

    I only ever visit The Register on my iPhone.

  3. karlkarl Silver badge

    It's 2019 and you can still pwn an iPhone with a website

    ... that's a good thing right? Things like this make it easier to jailbreak in some cases ;)

  4. Anonymous Coward

    What is it with this headline format?

    What is this nonsense with this headline format?

    It's 2019 and you can still....

    What has the year got to do with it?

    You'll still be able to pwn devices with malicious code running on a web site next year.

    Are you going to continuously write It's 2020 and you can still.... ?

    Honestly it's as tiresome as always putting an exclamation mark after each word in an article about Yahoo!
