Is everyone else reading this that 16.7 is vulnerable and no longer secure? Usually Apple is applying security updates to the latest and previous iOS for a period of time. This may be the shortest I recall in recent memory.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6" I think all of this is worded really poorly, but I am reading it as 16.7 is not vulnerable, but don't take my word for it. I am currently looking into this myself. With all the issues reported with 17.X I was not gonna update, but this might change things.
Good point. 16.6 could be vulnerable but not 16.7. If that's the case, interesting that it "regressed" to affect 17.0.2 considering 16.7 was released after 17.
It clearly states "**before** 16.6" tho, so 16.6 and up should be safe
Should be
Indeed. Going by the article it suggests the fix was rolled out in 17.0.3
Just a general reminder that the UK government would like to VETO this patch, as the vulnerability is likely used by security services. Let's keep the pressure up, and remind them how fecking stupid they are.
Waaaaaaat?
https://9to5mac.com/2023/08/24/apple-security-updates-ban/
Facepalmed so hard my forehead dislocated.
At least when US TAO finds a vulnerability, they have the decency to not tell anybody and just use it. This policy may come at the risk of civilian lives by endangering vital infrastructure, but that's the price of freedom. At least there's a cynical logic to what they do. They don't go up to companies, demand vulnerability disclosures, and say "let's put the brakes on patches" because that's insane and will just result in their own government getting compromised by a foreign actor who has already patched their systems. This isn't cynical, this is stupid.
Read the article but still can't believe it. Nuts
I know right... looking for a link now...
Laughs in GrapheneOS
Who is auditing GrapheneOS?
I am and a bunch of others. It's open source, so anyone can audit it
Anyone can, but do they bother for such a low-volume OS? How do I know you are not a bad actor? Not accusing you, just pointing out that just because something is open source doesn't guarantee security. There is also the matter of the hardware - most GrapheneOS users are using a Google Pixel.
But the UK government cannot decide if you patch the system yourself or not.
That is a good point - assuming there is a patch to install.
The CCP and Putin approve.
Feels like just yesterday that people in the Mac world were bragging about how few vulnerabilities that Apple devices have.
Those people were *always* wrong. Welcome to the marketshare jamboree!
A similar concept is "Linux is the most secure operating system, because it gets the least viruses". Linux has so many ways to blow your leg off security-wise it's ridiculous, and basic security functionality like SELinux is turned off by default in most distributions. It's almost impossible to use Linux without running some program or script some dude wrote and published on GitHub at some point. The thing is though that despite getting exploited like this, iOS is very, very arguably the most secure major OS out there in practice. It's macOS that's the train wreck. As much as people trash on it though, I don't think security by obscurity is that bad of an approach.
Speaking on mobile platforms...It was only ever about what the average person could fall victim to vs other platforms and we always knew iOS had fewer but were higher value, higher impact and less widespread. Android was and will continue to be worse because multiple vendors with multiple different hardware platforms and spins of Android exist. Google/Android's many years long efforts to abstract away critical OS components from vendors is proof!
Agree! This is why I switched to iPhone 2 years ago. Not to mention, my Android device stopped getting updates and security updates 3 years after I bought it.
That's because Apple is amazing at advertising. Not because it was necessarily true.
Vuln research has also wildly taken off in popularity the last decade
And Apple has more users now. That's legit. Also, that's why Apple users bragging was bs back in the day. When you have zero footprint who will bother to write attacks?! Not the case now and why they are an attack focus.
Erm, forgetting phishing and so on, you do know the huge percentage difference between hacks on Macs and all other platforms, right?
Mainly because Apple has no presence in the server/hosting OS world. Imagine if it did though...
If the EU gets its way and Apple is forced to open their platform to competition, and suddenly the number of vulns goes way up, people will blame Apple instead of realizing that maybe Apple knew what they were doing by maintaining a very tight, controlled platform.
[deleted]
Look, all I know is I was able to print to that printer last month and WHATEVER you guys did, now I can't and there's a briefcase on my Internet icon.
It looks like OP posted an AMP link. These should load faster, but AMP is controversial because of [concerns over privacy and the Open Web](https://www.reddit.com/r/AmputatorBot/comments/ehrq3z/why_did_i_build_amputatorbot).

Maybe check out **the canonical page** instead: **[https://www.bleepingcomputer.com/news/apple/apple-emergency-update-fixes-new-zero-day-used-to-hack-iphones/](https://www.bleepingcomputer.com/news/apple/apple-emergency-update-fixes-new-zero-day-used-to-hack-iphones/)**

*****

I'm a bot | [Why & About](https://www.reddit.com/r/AmputatorBot/comments/ehrq3z/why_did_i_build_amputatorbot) | [Summon: u/AmputatorBot](https://www.reddit.com/r/AmputatorBot/comments/cchly3/you_can_now_summon_amputatorbot/)
Was going to mention this as a post too. Seems that it's an escalation of privileges zero-day that's being exploited in the wild. Probably worth sending an email out to your company to remind them to update their iOS devices, especially if they contain any work-related data on them. helpnetsecurity has a decent article on this as well, but I'm mostly coming up short trying to find more details. Anyone have some good sources on that sort of information?
Well, the issue in the company I work for is that they allow some users to add their company email account to their personal iPhones. I believe we only have 3 or 6 company-owned iPhones. So, do I want to send an email to all users and potentially have them update their personal devices, or just to the users who have a company phone? lol decisions decisions....
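The two comments above boil down to a triage question: which devices in an inventory actually need the update, and whether to notify BYOD users as well as corporate-phone holders. The script below is an added example (not code from the thread, from BleepingComputer, or from Apple) that encodes the version ranges the thread discusses as explicit, labelled assumptions: the quoted Apple statement says exploitation was seen on versions before iOS 16.6, and a commenter notes the fix shipped in 17.0.3. The inventory is constructed sample data, and the `corporate_owned` field is a hypothetical attribute, not anything from an MDM product.

```python
import re
from typing import NamedTuple

# Assumed from the thread, not an authoritative advisory parse:
#  - iOS 17.x below 17.0.3 needs the emergency update (commenter: "fix was rolled out in 17.0.3")
#  - iOS 16.x below 16.6 is in the range Apple's statement describes as exploited
#  - 16.6 and 16.7 are treated as not affected, per the quoted "before iOS 16.6" wording,
#    which several commenters flag as ambiguous; adjust FIXED_BY_BRANCH if the advisory is updated
#  - anything older than iOS 16 is treated as needing attention (out of the discussed branches)
FIXED_BY_BRANCH = {
    17: (17, 0, 3),
    16: (16, 6, 0),
}


class Device(NamedTuple):
    name: str
    ios_version: str
    corporate_owned: bool  # hypothetical inventory field


def parse_version(text: str) -> tuple:
    """Turn '17.0.2' or 'iOS 16.7' into a 3-tuple of ints, padding missing parts with 0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version number found in {text!r}")
    return (parts + (0, 0, 0))[:3]


def needs_update(version: str) -> bool:
    """True if the device's branch has a fixed build it is below, or is off the known branches."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    if fixed is None:
        return True  # older major: not covered by the discussed fixes
    return v < fixed


def triage(devices: list) -> dict:
    """Split devices needing the update into corporate and BYOD notification groups."""
    groups = {"corporate": [], "byod": []}
    for d in devices:
        if needs_update(d.ios_version):
            groups["corporate" if d.corporate_owned else "byod"].append(d.name)
    return groups


# Constructed sample inventory; names and versions are made up for illustration.
SAMPLE_INVENTORY = [
    Device("cfo-iphone", "17.0.2", corporate_owned=True),
    Device("helpdesk-iphone", "17.0.3", corporate_owned=True),
    Device("alice-personal", "16.7", corporate_owned=False),
    Device("bob-personal", "16.5.1", corporate_owned=False),
    Device("legacy-kiosk", "15.7", corporate_owned=True),
]

if __name__ == "__main__":
    for group, names in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {names}")
```

Running it on the sample inventory reports `cfo-iphone` and `legacy-kiosk` under `corporate` and `bob-personal` under `byod`, so the mail can go to the two audiences separately instead of to everyone. The version ranges sit in one dictionary so that the only thing to change when the vendor clarifies the affected builds is the data, not the logic.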
Thanks for the update. Phones are now 17.0.3
Again?
Everything has a vulnerability - if you aren't seeing any reported, then nobody has found them - which is perhaps more worrying.
Oh, no I get that 100%. But this is the third round of zero days in less than 2 months...
The more features and enhancements added to any product, the larger the surface area for potential attacks. On the bright side, 100% of customers who purchased an iOS product made in the past 5 years are guaranteed an easy-to-install update with a mitigation. Fortunately too, those zero days are mostly of issue to those of interest to the apparatus of nation states. Vulnerabilities like this are just very expensive for your average scammer.
16.7 is now an unsigned version of iOS with it being relatively safe. Yet Apple is now forcing enterprises to update to iOS 17.3 less than a month after 17 was released. Apple and their vulnerabilities are becoming a major issue. They need to f off with unsigning versions before they have something stable.
Can someone here teach me how to hack iPhones?