Apple's latest software updates fix flaw resembling Android Stagefright

Wait a f**ing minute. You mean a big similar to android was capable on iOS?

Stagefright is one of the biggest reasons why I defend iOS. Tell me it isn't the same only "similar" in a clickbait manner.

Can it be triggered without opening a message like StageFright?

cali said:

Wait a f**ing minute. You mean a big similar to android was capable on iOS?

Stagefright is one of the biggest reasons why I defend iOS. Tell me it isn't the same only "similar" in a clickbait manner.

Can it be triggered without opening a message like StageFright?

If message previews are on, presumably it crashes the lockscreen... There've been a lot of vulnerabilities in TIFF over the years, I dunno why though. For "risky" apps such as Messages, Apple should be restricting API accesses related to received files to a minimum, i.e. only JPEG, PNG and GIF supported for images, at least. 

While exploits that don't require any user intervention are a serious matter, the reason why StageFright was (and continues to be) such a big deal are:

1. There is no facility to update literally hundreds of millions of vulnerable Android devices
2. Google's patch for the bug didn't fully address the vector and it was quickly worked around
3. The bug was being exploited "out in the wild"

The 1st point is serious because it means that the number of infected users will continue to grow overtime, despite efforts by Google/partners.

The 2nd point is serious as it drew significant attention to the vulnerability and how it worked - enabling many more nefarious actors to implement it

The 3rd point is serious because, unlike iOS, there was a demonstrable outcome to the vulnerability. This is different from iOS as the payload may not have been able to be effective due to other layers of iOS security coming into play (which has significantly limited the scope for damage with other iOS vulnerabilities in the past.)Unlike Android, this is not iOS's first day at the rodeo.

cali said:

Wait a f**ing minute. You mean a big similar to android was capable on iOS?

Stagefright is one of the biggest reasons why I defend iOS. Tell me it isn't the same only "similar" in a clickbait manner.

Can it be triggered without opening a message like StageFright?

It wasn't really similar for messages because there was no way to easily get out of the Messages sandbox without a separate exploit, especially given the privilege level Messages runs at. The issue with Stagefright is that Android had/has numerous known sandbox exploits that went unfixed based on which OEM made your phone.

The "passwords" thing only applied to Safari crashing when displaying the TIFF and it only had access to data in MobileSafari's address space (or APIs Safari had access to that didn't require XPC service privilege checks). This pretty much limited it to cookies and any websites you had visited with login forms visited during that Safari session (iOS frequently tombstones Safari in the background, which purges this memory).

Either way, it was announced after Apple had pushed out the update that fixed it. 

EsquireCats said:

While exploits that don't require any user intervention are a serious matter, the reason why StageFright was (and continues to be) such a big deal are:

1. There is no facility to update literally hundreds of millions of vulnerable Android devices
2. Google's patch for the bug didn't fully address the vector and it was quickly worked around
3. The bug was being exploited "out in the wild"

The 1st point is serious because it means that the number of infected users will continue to grow overtime, despite efforts by Google/partners.

The 2nd point is serious as it drew significant attention to the vulnerability and how it worked - enabling many more nefarious actors to implement it

The 3rd point is serious because, unlike iOS, there was a demonstrable outcome to the vulnerability. This is different from iOS as the payload may not have been able to be effective due to other layers of iOS security coming into play (which has significantly limited the scope for damage with other iOS vulnerabilities in the past.)Unlike Android, this is not iOS's first day at the rodeo.

I wasn't aware of any "in the wild" Stagefright infections tho it wouldn't be a huge surprise to me to read of some isolated cases. With that said a very quick search didn't find news of them. Where did you read about the number of infections? Honest question.