It's 2017 – and your Mac, iPad, iPhone can all be pwned by an e-book

Apple has released security updates for both of its main operating systems, along with iTunes, Apple Watch, and Apple TV. All should be installed as soon as possible before they are exploited by miscreants. The updates, numbering seven in total, include fixes for security vulnerabilities in the Safari browser and WebKit engine …

  1. Anonymous Coward
    Anonymous Coward

    Who runs iTunes on a PC?

    1. ITS Retired

      I do.

      I don't really like clouds for storing my stuff.

      1. VinceH

        Re: I do.

        Try a bird instead: Nightingale

    2. TheVogon

      "Who runs iTunes on a PC?"

      Almost everyone that owns an iPhone / iPod

    3. jtaylor

      What version of iTunes doesn't run on a personal computer?

    4. WatfordJC

      Since Mac OS X Lion and later only works on PCs, I imagine most people running iTunes run it on a PC.

  2. Anonymous Coward
    WTF?

    Greedy Apple!

    But no updates for my iPhone 4S. Disgusted that Apple are hoarding fixes!

    1. Anonymous Coward
      Anonymous Coward

      Re: Greedy Apple!

      To be honest, I am neither upset with Apple nor Microsoft for flagging products end of life and then treating them as, well, end of life. The only issue is that Apple hardware does tend to last (I even have an iPhone 3s in a drawer somewhere that actually still works), but I'd rather have software obsolescence than a hardware one.

      I don't expect hardware to last beyond 4..5 years (not without MTBF to rise), and in the hands of my kids I'm impressed if it survives two :).

      1. Eclectic Man Silver badge

        Re: Greedy Apple!

        No update for my (still in use) iPhone 3GS either. :o(

        But then I've not been able to sync it for several years.

      2. Ramazan

        Re: Apple hardware does tend to last

        I have a working Motorola StarTac and it can't be pwned by malicious web pages, fuck Apple!

    2. Anonymous Coward
      Anonymous Coward

      Re: Greedy Apple!

      But no updates for my iPhone 4S. Disgusted that Apple are hoarding fixes!

      Yes, but Apple (unlike Microsoft) aren't hypocritically and publicly criticising Security Services for hoarding vulnerabilities and then shown to be hoarding their own patches. An ever rising custom support package at >$400 per machine, per year for an organisation like the NHS, is corporate Ransomware in my book.

      It really comes down to a clash of culture between the US and the British. We have free health care (at the point of use) and we expect the NHS to be treated with due respect and kindness for what it does, not exploited to the hilt, for profit.

      You can be rich and never use the NHS for most of your life, but one day your luck can change and the NHS is one of those safety nets, we should all treat very dearly, because with today's society it would never happen from scratch again.

      It grew out of a time, where there was a lot of goodwill around to make the NHS dream happen.

      1. Tom 7

        Re: Greedy Apple!

        Apple hardware tends to last? I've not seen an iPhone in someone's hand without a crack in it. My daughters spent more on new screens than the phone cost.

        1. Anonymous Coward
          Anonymous Coward

          Re: Greedy Apple!

          Apple hardware tends to last? I've not seen an iPhone in someone's hand without a crack in it. My daughters spent more on new screens than the phone cost.

          I don't blame the hardware for that, because that's not just Apple. That's just how kids treat the gear and frankly, giving gear to kids should be a standard part for milspec testing. There's no greater destructive force than a group of 5 year olds or a drunk bunch of teenagers..

          1. Anonymous Coward
            Anonymous Coward

            Re: Greedy Apple!

            I don't blame the hardware for that, because that's not just Apple.

            It may not be only Apple, but since Apple & Samsung want to charge premium prices, shouldn't they both get off their lazy, lazy backsides, and do what Motorola offered with the X-Force a year and a half ago?

            Wireless charging? Pffttt.

            NFC payments? Yaawwwwwwnn.

            16:9 screens? Ptooh.

            Wrap round displays? Nahhh.

            Fingerprint and eyeball readers? Nope.

            Now offer me a really decent phone that's not fragile as a snowflake, now that's worth having - second only to order-of-magnitude improvement in battery life.

        2. Truckle The Uncivil

          Re: Greedy Apple!

          No doubt your daughters just throw their phone in their handbag, just as mine did. It stopped when I pointed out that neither their brother nor their father had to replace phones or screens every six months. Now they keep them in the pockets of their handbags (as do I) there are no problems.

  3. cb7

    So much for

    That "really secure" Unix foundation.

    "and a pair of flaws in iBooks (CVE-2017-2497, CVE-2017-6981) that allow ebooks to open arbitrary websites and execute code with root privilege"

    There's no denying it's a more secure model, but these patches just go to show that flaws and vulnerabilities can be found in almost all software.

    1. Korev Silver badge
      WTF?

      Re: So much for

      "and a pair of flaws in iBooks (CVE-2017-2497, CVE-2017-6981) that allow ebooks to open arbitrary websites and execute code with root privilege"

      Why on all earth does a normal application have stuff running as root?

      1. Anonymous Coward
        Anonymous Coward

        Re: So much for

        Why on all earth does a normal application have stuff running as root?

        An excellent question, and one that most software providers cannot justify. The only thing that needs root level access is something that needs drivers to work - even daemons should be able to work at user level. Furthermore, I would be very happy installing software so it would only work for my user account instead of for all accounts I may somehow establish in a dim and distant future.

        Given that root/admin levels are the path for a lot of malware to gain a permanent foothold you'd expect SW suppliers to fix that, but so far the signs are not good on macOS as well as Windows. Even Linux tends to demand root level privileges to install applications.

        1. Anonymous Coward
          Anonymous Coward

          Google Chrome will ask for escalated privileges, even though it will install without.

          An interesting quirk is that Google Chrome will still install even if you deny it Escalated Privileges in Windows. It seems to be Google Update that needs it, not Google Chrome itself.

          Interesting, in that Google go for the jugular to get as much Administrator "root" Rights as possible (by default) but back off when you actually say, "Hold on, what do you need escalated privileges for, you're just installing an App/Browser".

          1. Anonymous Coward
            Anonymous Coward

            Re: Google Chrome will ask for escalated privileges, even though it will install without.

            >> An interesting quirk is that Google Chrome will still install even if you deny it Escalated Privileges in Windows. It seems to be Google Update that needs it, not Google Chrome itself.

            It's very annoyingly deliberate to allow people to install it in restricted rights situations and in companies, etc. We block all the download URLs for it as Chrome is one of the worst browsers on the planet for security vulnerability counts.

            1. Anonymous Coward
              Anonymous Coward

              Re: Google Chrome will ask for escalated privileges, even though it will install without.

              "...one of the worst browsers on the planet for security vulnerability counts."

              But one of the lowest if you map out the relative severity of the vulnerabilities. Compare to IE, with fewer total vulnerabilities but far more severe-rated (e.g. arbitrary code execution) ones.

      2. Eclectic Man Silver badge

        Re: So much for

        "Why on all earth does a normal application have stuff running as root?"

        No idea. When I was a sysadmin for a cluster of Sun Workstations (tells you how old I am), we had a graphics package called SunAlis. It had to run with root privileges, so once a user had sent something to the printer, only I could stop it, and it had the 'feature' that if a diagram got to over 2Mb in size (it was a long time ago), it crashed and you lost the whole thing.

        Deleting it was a relief, and the only time I have, as root, actually typed in "rm - r *.*" and hit 'return'.

        1. Truckle The Uncivil

          Re: So much for

          What do you think *.* would achieve on a sun sys V system?

      3. DougMac

        Re: So much for

        And why does an eBook need to open a web page?

    2. TheVogon

      Re: So much for

      "There's no denying it's a more secure model, "

      More secure than what? Windows Mobile is way better for security than iOS if you are looking for secure.

  4. Anonymous Coward
    Anonymous Coward

    I'd love to install the iPad security updates, but first I need to find a friendly wifi network.

    I have an iPad with unlimited LTE, but Apple has a 100MB limit for downloading apps and OS updates. The app restriction I can bypass... but not the OS updates.

    How stupid is that? This is one area where Apple is living in the past.

    1. Anonymous Coward
      Anonymous Coward

      Apple has a 100MB limit for downloading apps and OS updates

      You have a limit? That's interesting, I've never bumped into that one but I must admit that I seek out WiFi for updates, maybe I simply never came across that. Learned something new..

    2. JibberJabberBadger
      Unhappy

      So that's why it's asking me to connect my iPhone 7 to my wireless network - which is a pain as living in a major city in Australia means my home internet is piss-poor, especially given that it rained today, so it's considerably slower than my mobile connection... about 28 mins remaining for the download...

  5. teknopaul

    webkit

    You'd have thought that bugs in WebKit would need simultaneous patches for Chrome, Chromium, Opera etc. etc., no? Anyone know if Apple is late or early?

  6. Anonymous Coward
    Joke

    Fix For IWatch...

    ...so everyone.....time to get them out of the drawer, dust them off and patch.

    1. Anonymous Coward
      Anonymous Coward

      IWatch...intelligent strap-ons coming soon

      the eye-watch, hmm, it sort-of was a fairly pointless/useless product when I bought it - tho' it allegedly is now quietly wiping the floor with all the other wearables. (mostly as it is nearly accurate enough for "sport" use)

      Following Apple's alleged hiring of 200 bioengineering PhDs, when their allegedly non-invasive 'real-time' blood-glucose mmol/litre sensing i-strap comes out, sales might get even better! (but will it need the other i-strap composed of mostly batteries, that is also being rumored?)

      Personally, I made sure to buy iWatch version 0 when version 1 came out, at a great price (I recently bought the last Pebble too, at a better discount, once fitbit had embraced & extinguished that) as buying last year's tech is quite a good way to enjoy these products, that are not yet obsolete, might end up in a niche market rather than a drawer? still worth watching

      1. Naselus

        Re: IWatch...intelligent strap-ons coming soon

        " it sort-of was a fairly pointless/useless product when I bought it - tho' it allegedly is now quietly wiping the floor with all the other wearables."

        Worth noting that's still not exactly a high bar. Wearables still haven't actually found a good reason to exist yet, so wiping the floor with the competition is like being the hardest kid in preschool.

  7. Ian Joyner Bronze badge

    Language

    >>Apple has kicked out iOS 10.3.2.<<

    Do you mean dropped? Oh you mean released. Stop with this trendy, yet ambiguous language - I had to stop and think about what you meant. You are wasting my time.
