• Re: iOS 15.0.2 is out

    From Robin Goodfellow@21:1/5 to Jolly Roger on Wed Oct 13 00:18:22 2021
    XPost: misc.phone.mobile.iphone, comp.sys.mac.apps

    Jolly Roger <jollyroger@pobox.com> asked
    "Patching known vulnerabilities quickly is bad, y'all!"

    Idiot trolls can GTFO...

    What Steve and any sensible person is worried about is the sheer number of exploited zero-day holes in iOS - which is far larger than _any_ OS alive.

    In terms of zero day holes exploited in the wild, *nobody is as bad as Apple*. Nobody.

    *Apple has a whopping zero-day hole a month to its operating system*
    (because Apple has _never_ even once fully tested any software it ships!)

    But in the last 9-1/2 months, *Apple added 17 zero-day holes alone*!
    That's a spectacularly sordid _two_ zero-day exploits every month, JR.

    *Nobody has this many zero-day holes*, Jolly Roger.
    Nobody.

    Just Apple.
    --
    Project Zero proved Apple has never even once tested their released code! CVE-2021-1782 (Kernel) - A malicious application may be able to elevate privileges
    CVE-2021-1870 (WebKit) - A remote attacker may be able to cause arbitrary code execution
    CVE-2021-1871 (WebKit) - A remote attacker may be able to cause arbitrary code execution
    CVE-2021-1879 (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting
    CVE-2021-30657 (System Preferences) - A malicious application may bypass Gatekeeper checks
    CVE-2021-30661 (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution
    CVE-2021-30663 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
    CVE-2021-30665 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
    CVE-2021-30666 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
    CVE-2021-30713 (TCC framework) - A malicious application may be able to bypass Privacy preferences
    CVE-2021-30761 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
    CVE-2021-30762 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
    CVE-2021-30807 (IOMobileFrameBuffer) - An application may be able to execute arbitrary code with kernel privileges
    CVE-2021-30858 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
    CVE-2021-30860 (CoreGraphics) - Processing a maliciously crafted PDF may lead to arbitrary code execution
    CVE-2021-30869 (XNU) - A malicious application may be able to execute arbitrary code with kernel privileges
    CVE-2021-30883 (WebContent) - A memory corruption in the app sandbox making for good LPE exploits in chains

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From sms@21:1/5 to Robin Goodfellow on Tue Oct 12 18:53:51 2021
    XPost: misc.phone.mobile.iphone, comp.sys.mac.apps

    On 10/12/2021 5:18 PM, Robin Goodfellow wrote:
    Jolly Roger <jollyroger@pobox.com> asked
    "Patching known vulnerabilities quickly is bad, y'all!"

    Idiot trolls can GTFO...

    What Steve and any sensible person is worried about is the sheer number of exploited zero-day holes in iOS - which is far larger than _any_ OS alive.

    In terms of zero day holes exploited in the wild, *nobody is as bad as Apple*.
    Nobody.

    *Apple has a whopping zero-day hole a month to its operating system*
    (because Apple has _never_ even once fully tested any software it ships!)

    This is not a testing issue. It's a design issue.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Robin Goodfellow@21:1/5 to sms on Wed Oct 13 03:29:01 2021
    XPost: misc.phone.mobile.iphone, comp.sys.mac.apps

    sms <scharf.steven@geemail.com> asked
    *Apple has a whopping zero-day hole a month to its operating system*
    (because Apple has _never_ even once fully tested any software it ships!)

    This is not a testing issue. It's a design issue.

    Steve,

    You may be right. It may be just sloppy coding more so than lack of QA.

    Whatever it is, Apple has the worst zero-day record of _any_ OS alive.

    I've been struggling to figure out exactly why Apple had one zero-day
    exploit a month (almost always also exploited in the wild) in the past few
    iOS releases (where iOS 13 was a shit storm, and iOS 14 wasn't any better);
    but now the rate of exploits has skyrocketed to almost two a month lately.

    There have been 17 zero-day exploits in 2021 alone, which must be a record, even for Apple's horribly sordid record on poor design and even worse QA.

    I looked a bit into _why_ this bug existed, which was something Apple
    _should_ have caught (it's a sophomoric error, as are most Apple holes).

    Just as it was proven Facetime had never even once been tested before it was released, I'm not sure (yet) if the cause is poor design or poor QA.

    You have a point that it's poor design, given that even Google's Project
    Zero showed almost every huge Apple hole was a sophomoric coding error...

    *But shouldn't Apple have run even a basic QA test to have caught this?*
    (Note: It's a repeat of a similar bug that was _told_ to Apple a while ago!)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)