New iPhone/iPad iOS 0 day exploits

[rage2]

Patch your iOS devices! Pretty sophisticated shit for the tech/security nerds. Attack looks to be used on high value targets, but with the public disclosures, expect to see variations in the wild in the near future. Good read for us nerds:

https://citizenlab.org/2016/08/milli...nso-group-uae/

[Xtrema]

At least not remote exploit and you have to hit a site. Been reading it all morning.

Still took them 3 months to fix it after being reported in May.

[taemo]

the scary and sad part though is that a lot of users just click any links sent from an unknown person

[rage2]

Originally posted by Xtrema
At least not remote exploit and you have to hit a site. Been reading it all morning.

Still took them 3 months to fix it after being reported in May.

It was remotely exploitable back in July via MMS through the TIFF exploit. That flaw was patched in 9.3.3.

This wasn't reported in May. The messages were sent to the victim 10 days ago, although the 2 privilege escalation bugs have been around for a long time, as far back as iOS 7 from the looks of things.

[googe]

Originally posted by Xtrema
At least not remote exploit and you have to hit a site. Been reading it all morning.

Still took them 3 months to fix it after being reported in May.

You will hit a site. There is no sound security strategy that involves avoiding potentially bad sites. The main reason is because legitimate sites and ad networks get hacked and those get used to host the malicious content.

The way they targeted this guy that reported it was lazy and dumb, and there are way more sneaky ways to ensure that users are hit by it.

I don't think this one will get re-used in mass-exploitation, but it could, and the time when that kind of thing will happen to random users is definitely getting close.

These are so expensive to find/make though that nobody would burn them on the general public, so staying up to date should minimize your risk unless you're an enemy of the state. If they get used en masse, it'll be because some lower tier group analyzed it long after it was public and patched, and they'll just go for the percentage of users that didn't bother updating. Sucks for jailbreakers!

[ZenOps]

Ouch. With this and "touch disease" hardware problems, Apple could be having a rough year.

[The_Rural_Juror]

Originally posted by taemo
the scary and sad part though is that a lot of users just click any links sent from an unknown person

How else would you get to know said unknown person?

[rage2]

Originally posted by ZenOps
Ouch. With this and "touch disease" hardware problems, Apple could be having a rough year.

This was patched in 10 days on all devices, so like googe says unless you're a high value target you have nothing to worry about if you're patched. Analysts are still touting Apple as the most secure smartphone platform compared to its competitors.

[Aaaaaron]

It still boggles my mind how many Android phones are still affected by stagefright. Granted no high profile targets would be running anything lower then Lollipop most likely.

This is one of the reasons I don't mind paying Apple's premium.

[Xtrema]

Originally posted by Aaaaaron
It still boggles my mind how many Android phones are still affected by stagefright. Granted no high profile targets would be running anything lower then Lollipop most likely.

This is one of the reasons I don't mind paying Apple's premium.

Other than Nexus line which get more steady updates, all Android phones are horrible security wise.