MacDailyNews - Where Mac news comes first

Security firm warns: Do not use Apple iPhone’s Web dialer
Wednesday, July 18, 2007 - 09:12 AM EST

"iPhone owners should be wary of a feature that is available through the built-in Safari browser of Apple's new device because it could allow attackers to hack in to the phone and gain control of calls, according to a security alert," Stan Beer reports for iTWire.

"The alert from security firm SPI Labs advises users to avoid a feature of iPhones that allows a user to dial any phone number displayed on a web page simply by tapping the number. According to SPI Labs, the feature can be exploited to redirect and track phone calls, as well as placing calls without knowledge of the user. Hackers could also cause mischief that makes the iPhone unusable until it is turned off," Beer reports.

Full article here.

Robert McMillan reports for IDG News Service, "The feature was created to give iPhone users a simple way to dial phone numbers listed on Web pages, but according to SPI, the feature could be misused."

"Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said," McMillan reports.

"SPI is not releasing detailed information on how the Web dialing feature could be exploited, but the company contacted Apple on July 6 and is working with the iPhone maker to prevent these types of attacks, Hoffman said," McMillan reports.

Full article here.

Reader Feedback:

Jul 18, 07 - 08:17 am Comment from: OctoberMac

Sounds like a bunch of hooey to me. They say "Attackers could exploit a bug ...". Is this a VIRTUAL bug, or one they actually found? I think this is conjecture, not reality. This company just wants to make a name for themselves.

Jul 18, 07 - 08:25 am Comment from: peaPod

If this is true Apple needs to fix this fast....

Very fast....

Is it fixed yet?

Jul 18, 07 - 08:26 am Comment from: non-problematic submissive

Hooey, you say?

I've already racked up $840 in 900 calls to a dominatrix phone service ... she keeps leaving me messages not to play with my micro softie. She is soooo emasculating.

Jul 18, 07 - 08:35 am Comment from: Capt. Obvious

Do not use a car! Its use can lead to accidents. A bad driver of another vehicle could hit your car and destroy it as well as put you in the hospital.

Now everyone should put out pointless threats to spread fud!!

Jul 18, 07 - 08:39 am Comment from: Camel's Milk Drinker

Damn! There goes another of my money making schemes!!

I was going to install an endless loop caller to my Camel's Milk hotline, so that I could continue making money if my Camel's Milk sales hit rock bottom....

I wonder who's bottom has turned into solid rock this week?

Jul 18, 07 - 08:39 am Comment from: me

I suppose it is possible - with a little javascript trickery as well as malicious HTML.

But then again, let's be more realistic here...if you are viewing a web page with a phone number, it is probably a company's contact us page or a directory service. Both of these types of websites have very valid and important reasons NOT to mess up your iPhone!

Jul 18, 07 - 08:39 am Comment from: Mr. Peabody

So this is really how the first year of the iPhone goes, right?

It's a major security risk; It's bringing down an entire university's wireless network; It's a threat to national security; The Russians are coming; The Chinese are here; In short, we're all gonna die. Stop using the iPhone, get Apple to stop making cleverly designed and incredibly useful personal computing devices, stop the madness! KILL APPLE!

You know, even with its billions MS is going to go broke one of these days having to pay out so much undercover money to techno-mercenaries to create the huge piles of FUD they concoct with the release of every new device - yikes.

Jul 18, 07 - 08:41 am Comment from: Wingsy

Read this yesterday at MacCentral, and posted this reply:

"the feature could be misused"
"Attackers could exploit"
"iPhone could even be stopped"
"Phone has the potential"
"bad guys would have to either trick iPhone users"
"not releasing detailed information on how the Web dialing feature could be exploited"
"Safari could be used to misdial numbers"
"this could be done more easily than previously thought"
"“Yes,” said Aitel. “If they know a lot of hackers and are a special target.”"

And the earth COULD BE hit by a meteor today, but I don't think I'll worry about that either, not until they say WILL BE. Does anyone else think that this guy is into some serious speculation, or does he really have something that warrants consideration? (I vote speculation, since I count 6 "could be"s in the article.)

Jul 18, 07 - 08:42 am Comment from: effwerd

"Sounds like a bunch of hooey to me. They say "Attackers could exploit a bug ...". Is this a VIRTUAL bug, or one they actually found? I think this is conjecture, not reality. This company just wants to make a name for themselves."

I agree, the default position should always be to ignore expert advice and instead trust your own uninformed opinion.

Jul 18, 07 - 08:46 am Comment from: CheekyGit

"According to SPI Labs, the feature can be exploited to redirect and track phone calls, as well as placing calls without knowledge of the user. Hackers could also cause mischief that makes the iPhone unusable until it is turned off."

THIS JUST IN, strapping jumper cables to your scrotum and starting the car could be exploited by angry unsatisfied girlfriends and/or wives to gain attention to fact that security analysts/hackers put more time into technology than actually having a life.

Your friend from across the pond,

CheekyGit

Jul 18, 07 - 08:47 am Comment from: ReikiWes

So... do you think MDN is just IGNORING the new Mac OS X worm proof-of-concept, or are they just trying to delay reporting it as long as possible?

Had it been a Windows worm, MDN would have reported it yesterday when the news broke. Been almost 24 hours since the story hit, yet it's nowhere on MDN. So much for the word "daily" in Mac DAILY News.

Jul 18, 07 - 08:48 am Comment from: qka

Worse than 900 numbers are the numbers that look like local numbers, but are billed like 900 numbers.

For readers outside the USA, 900 is the area code for caller paid services. Calls to those numbers are billed at a much higher rate than merely the telephone call rate, sometimes several US$ per minute, or even much higher. Typically they provide "entertainment" services, though some tech companies offer a 900 option for paid tech support calls. Hope this helps someone.

Jul 18, 07 - 08:48 am Comment from: John Williams

Capt. Obvious,

Do you really think a possible vulnerability in the iPhone's browser that could possibly take advantage of the user is the same as simply driving a car? Maybe if every once in a while, you tune to a radio station that takes over your steering wheel and sends you over a cliff, that would be an apt comparison.

I'm not giving much credence to this finding, but I'm certainly not going to give some knee-jerk denial without knowing anything about the possible bug.

By not taking an objective look at this, you're no better than those spreading FUD. It's just called rabid fanboyism.

Jul 18, 07 - 08:48 am Comment from: effwerd

I think in order to maintain the cachet of the iPhone, we should bash anyone who might attempt to make the product more secure by noting any vulnerabilities and working with Apple to correct the problem. That will ensure iPhone's prestige.

Jul 18, 07 - 08:56 am Comment from: Drunk Cheney

It's true. I've seen it happen.

A hacker took control of my call and I started saying things like "I love you" and "of course I'll respect you".

Man was that weird. That needs to be fixed FAST!!!!

Jul 18, 07 - 08:56 am Comment from: effwerd

I was talking with the Surgeon General just yesterday and he mentioned the rise in folks strapping jumper cables to their scrotum since car manufacturers have been advertising it as a new feature but he was reluctant to issue a warning because he didn't think it was necessary to warn against such an obvious threat -- it would be like telling people to wear sun screen in the summer sun.

Jul 18, 07 - 08:59 am Comment from: @me

"...if you are viewing a web page with a phone number, it is probably a company's contact us page or a directory service. Both of these types of websites have very valid and important reasons NOT to mess up your iPhone!"

Or it could be a malicious third party spoofing a company's contact us page or a directory service.

Jul 18, 07 - 09:07 am Comment from: shen

"Had it been a Windows worm, MDN would have reported it yesterday when the news broke. Been almost 24 hours since the story hit, yet it's nowhere on MDN. So much for the word "daily" in Mac DAILY News."

so far the story is, "someone claims to have a worm but offers exactly no proof. even if true, it is a proof of concept only that seems to only affect local subnets. in other news, if a hacker can sit down at your desk and use your computer uninterrupted, they pretty much own it...."

now i agree that they could mention it. that would be a good thing. but it is a pretty brief and pointless story so far.

Jul 18, 07 - 09:09 am Comment from: Altos

Obviously something Apple must be working on feverishly and it shouldn't be downplayed even if we all would like the iPhone to be the idealist's perfect device of our dreams.

I suspect however that this has more to do with how phone systems work and would either require a kind of filter or some involvement from the provider (AT&T).

There are a bazillion "special numbers" that can be dialed on cell phones that are used to perform configuration or other non-call functions (e.g. transferring calls). Hiding such special coded functions behind a seemingly innocuous number displayed on the web page would be easy. Perhaps this "vulnerability/bug" is no more than a means of triggering special functions using these phone number codes.

That's what you get when a modern device is used to access a legacy system (the phone network) initially designed to provide a simple service (making calls) and later coerced into performing other functions using kludgy workarounds.

A blatant example of this, in more recent history, is Web based applications that use a document formatting protocol (HTML) to provide interactive user input. We all know how difficult it is to make this patchwork of workarounds secure. Imagine how difficult it's gonna be to make an even older system (phone network) secure while maintaining its compatibility with numeric only devices.

Jul 18, 07 - 09:11 am Comment from: Beryllium

The new Mac OS X worm supposedly exploits specific vulnerabilities that include the potential for arbitrary code execution from opening a maliciously crafted PDF document.

I just this morning received an email from a source not known to me. It contained an email attachment named email.pdf; naturally I did not open it, but rather deleted the message. If I had opened it--even though I did not know the person or organization who sent the message--any harm done would have been my own stupid fault.

Maybe I should have forwarded the email to Apple for their research. (grin)

Jul 18, 07 - 09:17 am Comment from: @ReikiWes

You must have stopped at the headline of the 'iPhone worm' article. The so called "iPhone worm" is actually a virus that infects Windows computers. It activates when the user tries to purchase an iPhone by redirecting them to a spoof web page to capture their bank account information.
The "worm" does not spread via the iPhone, rather through your infected Windoze Craputer.

Nonetheless, MDN should 'report' it so we can all be informed about this new threat from Microsoft.

Jul 18, 07 - 09:46 am Comment from: Woody

Not to sound alarmist, but there does seem to be more to the SPI phone vulnerability. To me it seems the scariest part is that whatever this exploit is, it gets around the confirmation dialog when you click on a phone number to dial on a web page, or visit a web page with malicious javascript that "clicks" the phone link for you. It sounds like it can do other things too.

@Altos, I don't see why AT&T would have to be involved. From my reading of SPI's report, it sounds like a fix in Safari could alleviate the issue. And from reading the comments on the SPI blog, I wonder if other smartphones with this feature are also vulnerable.

@ Beryllium - There was an article recently in MacLife or Macworld about the trend for spammers to move from image spam to PDF spam to pump their crap stocks. That's prolly all it was.

Jul 18, 07 - 09:55 am Comment from: DogGone

This may be FUD to some degree, but it is also important to help users of the iPhone to understand how this new device can be exploited against them.

Just like going to a WiFi hotspot, connecting to an unsecured web site and revealing personal information is not a good idea, the seamless switch of the iPhone from EDGE to WiFi could allow private information to be captured. MacCentral has a good article on that today.

Apple may have to tighten its security measures for the iPhone and we will also have to learn to be careful how we use personal information on the iPhone, just like we should be doing with laptops on public WiFi sites.

Jul 18, 07 - 09:58 am Comment from: to @ReikiWes

"You must have stopped at the headline of the 'iPhone worm' article"

Actually, you must have not even seen the article I'm talking about. It has absolutely nothing to do with the iPhone.

http://arstechnica.com/journals/apple.ars/2007/07/17/anonymous-blogger-claims-proof-of-concept-mac-worm

It is regarding the mDNSResponder service in MacOS X.

Do some reading outside of MDN. You'll learn a LOT more!

Jul 18, 07 - 10:05 am Comment from: Steve

Well, there goes the "war on terror!"

Jul 18, 07 - 10:13 am Comment from: someone

I think this is cool. Did you catch that hackers can make the iPhone useful *after* it's turned off? Wow! Mine is only useful when it's on.

It's like the MAACO commercial: "You won't even know it's been repaired."

Magic word: "really" as in: Maybe that's not really what they meant.

Jul 18, 07 - 10:25 am Comment from: Mac-nugget

Their is a problem that needs to be fixed. It will get fixed. No reason to get defensive about it. Just because you spend $600 dollars and a two year contract does not insure that a 1.0 v product will be infallible in every way. To avoid this, simply do not use this feature, big deal, it's still a pretty good offering with out this feature, so stop the apologetic or over reaching "their is not a problem" comments. Actually their seems to be a lot more that Apple could have done to insure even more secure information transit on the iPhone that will probably get revised sooner or later. So get your head out of the sand and check this Macworld article that will open your eyes.

http://www.macworld.com/2007/07/features/iphone_security/index.php

Jul 18, 07 - 10:34 am Comment from: @Mac-nugget

Their = belongs to them

Jul 18, 07 - 10:40 am Comment from: Mac-nugget

Thanks, I keep on getting THEM confused. You know with the English as a second language thing and all.

Jul 18, 07 - 10:50 am Comment from: Abdullah

Essentially, this is advice web users keep hearing all the time - beware of clicking on suspect links on web pages, or going to suspect web sites.

And since the iPhone accesses the full browser, every caution that applies to ordinary web surfing from your computer also applies to web surfing over the iPhone.

In short, this is just stating the obvious.

Jul 18, 07 - 10:58 am Comment from: Mac-nugget

@Abdullah
With one exception, computers do not inherently dial phone numbers from web pages. Yes, you could have phone functionality software on your computer, but not out of the box, like the iPhone, so this warning is not that obvious, since this is not a typical exploit on a computer.

Jul 18, 07 - 11:05 am Comment from: Beryllium

Woody: Thanks for the info. I will continue to delete such messages, whether they contain malware or PDF spam.

Jul 18, 07 - 11:20 am Comment from: Abdullah

@Mac-nugget

You have a point there in that the iPhone's in-built phoning capabilities add an extra dimension to the risk of careless behavior on the web. But if I am reading the warning correctly, you would still need to make the first call yourself in order to allow the loophole to open. So I suppose iPhone users should pay even more attention to conventional web-user wisdom when surfing on the iPhone.

Jul 18, 07 - 11:23 am Comment from: Petey

STOP PRESS!

Security firms announce that DO NOT use ANY part of the Windows OS for any computing tasks.

Jul 18, 07 - 11:28 am Comment from: Petey

Basic rules of ANY web or email use:

1. NEVER click on links unless you are sure that they are ok.
2. NEVER open email attachments from businesses or individuals who are not in your address book.

I live by these 2 rules and surprise surprise I have no problems at all.

Like a previous poster stated " its common sense".

Jul 18, 07 - 01:41 pm Comment from: Elmer

Ptthhbbbtt... a big glowing raspberry to these guys and every other so-called security firm out there.

You know how 'dangerous' the internet is these days, right? Well, I've been running a Windows XP/SP2 machine now for over a year with NO VIRUS PROTECTION at all and haven't seen the first one. We install a copy of Norton once every three months and scan it to check, then remove it when we're done. So far - nothing. If you believe all the FUD out there these guys put out, this machine should have been toast the first day we fired it up.

Sure, this stuff is possible - but will you yourself encounter it? Not likely, unless you're dialing numbers off a porn or other such shady site. Gimme a break, I'm so tired of reading this kind of crap. Enjoy your iPhones, folks - dial on!

Jul 18, 07 - 02:29 pm Comment from: Ryan

Without exploit details, speculation is futile. However I did notice that the iPhone pops open a confirmation dialog when clicking on phone number links that displays the number to be dialed and gives you a chance to cancel the dial. I would think any "useful" exploit would have to bypass this confirmation or fake the number to be dialed in there somehow.

Jul 18, 07 - 03:01 pm Comment from: Mac-nugget

@Ryan
"Without exploit details, speculation is futile. However I did notice that the iPhone pops open a confirmation dialog when clicking on phone number links that displays the number to be dialed and gives you a chance to cancel the dial. I would think any "useful" exploit would have to bypass this confirmation or fake the number to be dialed in there somehow."

This is exactly what it does. The number you see confirmed is not the one dialed. That is precisely the problem. Here you think you are dialing Dominos Pizza and in reality it's dialing Dominatrics Pissas.
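The article and the last two comments describe the risk as a tel: link whose visible number and dialed number differ. The check below is an added example, not code from MacDailyNews, SPI Labs or Apple: a small audit that scans page HTML for tel: anchors and flags any whose visible text shows one number while the href would dial another. It assumes ordinary `<a href="tel:...">text</a>` markup and uses a constructed sample page; a site owner, proxy or content scanner could run it to catch such mismatches before a page reaches a phone.

```javascript
// Added example: audit tel: links in HTML for a mismatch between the number
// shown to the user and the number the href would actually dial.
// Not part of the original post; the sample markup below is constructed.

// Reduce a phone string to a canonical form: keep a leading '+', drop every
// non-digit. "(555) 010-2000" and "555.010.2000" both become "5550102000".
function normalizeNumber(s) {
  const trimmed = s.trim();
  const plus = trimmed.startsWith('+') ? '+' : '';
  return plus + trimmed.replace(/\D/g, '');
}

// Visible text is treated as a number claim only if it carries at least
// seven digits; a label such as "Call us" makes no claim and is not compared.
function looksLikeNumber(text) {
  return text.replace(/\D/g, '').length >= 7;
}

// Shown and dialed numbers agree when they are identical, or when the shown
// number is the national part of the dialed one (e.g. "(555) 010-2000" shown
// beside tel:+15550102000). Anything else is reported as a mismatch.
function numbersAgree(shown, target) {
  const a = shown.replace(/^\+/, '');
  const b = target.replace(/^\+/, '');
  return a === b || (b.length > a.length && b.endsWith(a));
}

// Returns one record per tel: anchor: { href, text, target, mismatch }.
function auditTelLinks(html) {
  // Fresh regex per call so the global lastIndex never leaks between runs.
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*(["'])(tel:[^"']*)\1[^>]*>([\s\S]*?)<\/a>/gi;
  const results = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = m[2];
    const text = m[3].replace(/<[^>]*>/g, '').trim(); // strip inner tags
    const target = normalizeNumber(href.slice('tel:'.length));
    const mismatch = looksLikeNumber(text) && !numbersAgree(normalizeNumber(text), target);
    results.push({ href, text, target, mismatch });
  }
  return results;
}

function mismatchedLinks(html) {
  return auditTelLinks(html).filter(r => r.mismatch);
}

// Constructed sample: an honest link, a label-only link, and one link whose
// visible number and dialed number differ (555-01xx numbers are fictional).
const SAMPLE_HTML = `
<p>Contact: <a href="tel:+15550102000">+1 (555) 010-2000</a></p>
<p><a href="tel:15550102000">Call us</a></p>
<p>Pizza: <a href="tel:19005550199">(555) 010-2000</a></p>
`;

for (const r of mismatchedLinks(SAMPLE_HTML)) {
  console.log(`MISMATCH: page shows "${r.text}" but href dials ${r.href}`);
}
```

The suffix rule in `numbersAgree` is a deliberate trade-off: it avoids flagging the common honest case of a local number shown beside an href with a country code, at the cost of accepting a dialed number that merely ends with the shown digits. Tighten it to exact matching if the pages you scan always show full international numbers.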
