from Hacker News

About the security content of iOS 9.3

by wooster on 3/21/16, 7:48 PM with 18 comments

  • by jgrahamc on 3/21/16, 7:56 PM

    Waiting for the paper on this:

        Impact: An attacker who is able to bypass Apple's certificate pinning,
        intercept TLS connections, inject messages, and record encrypted
        attachment-type messages may be able to read attachments
    
        Description: A cryptographic issue was addressed by rejecting duplicate 
        messages on the client.
    
        CVE-2016-1788 : Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, 
        and Michael Rushanan of Johns Hopkins University
  • by mhw on 3/21/16, 10:26 PM

    Hmm:

        CVE-2016-1752 : CESG
        CVE-2016-1750 : CESG
    
    I wonder if that's <https://www.cesg.gov.uk/>, which is "the Information Security Arm of GCHQ". If so, I guess we should be thankful that they saw these vulnerabilities as a risk rather than an opportunity.
  • by kabdib on 3/22/16, 12:06 AM

    Apple's basically saying "Here are a bunch of bugs that are not fixed in the version of the phone the FBI has. You don't need us, or source code, or anything other than to hire someone to take advantage of these holes. Go away."

    Nice timing.

    Probably pissed off a bunch of the intelligence community today.

  • by abritishguy on 3/21/16, 8:33 PM

    So many memory corruption issues, I'd like to think in 5/10 years' time this would be solved and everything written in a safe language, but maybe I'm being optimistic.
  • by daenney on 3/21/16, 10:11 PM

    "This issue was addressed through improved input validation." Valuable refresher for everyone.
  • by brokentone on 3/21/16, 9:26 PM

    Is the big security roll up here due to external or internal scrutiny of iOS security spawned by the FBI inquiry perhaps?
  • by kevincox on 3/21/16, 10:57 PM

    Am I reading this wrong or does it not say which devices received fixes? Or is it not including which devices were affected?