Posted on 04/22/2020 7:19:57 PM PDT by cba123
Fair point, not to mention affinity for the globalist view of the world.
Made in Communist China. Data being harvested by the CCP.
I am sort of in-between at the moment.
I have been using a generic phone for quite some time, but am thinking of getting an iPhone SE, next.
Maybe. I think I’ll keep on my current phone until we’ve gotten coronavirus resolved, then make up my mind then, based on what else might also be out there, at that time.
Thanks bro.
Nothing now. They can’t even stop a hacker from garage door openers. Nothing is safe.
That would be the Android phones, not Apple iPhones which are designed in the USA, with main processor chips designed by Apple, also in the USA. . . And fully hardware encrypted. Not so for Android phones.
Just ordered the new iPhone SE for the Wife. She has the older, smaller SE with only 16 GB Memory.
The new SE has enough Features for the average User with 64 GB standard. We paid an extra $50 for the 128 GB Model.
It is priced at $399 and it has the latest Chipset, the same one used on the iPhone 11.
The new one has a great Price Point and you get credit for trading in your older model iPhone.
Get the Apple Card and you get 0% Financing over 24 Months if you buy it directly from Apple.
I thought “Washintong” would have automatically been tagged as Racist!
Yeah...sounds a lot like a Chinese Tong gang to me.
Near as I can tell, there’s no there, there. The claim that it does not require opening the email, just receipt of the email is enough, according to ZecOp to activate their claimed potential exploit alone tells me they’re blowing smoke. That simply is not possible. It apparently may be something that might crash the iPhone, but I doubt even that. It may crash the app via a data overflow being allowed somewhere in the email header (I’ve noticed lately that Mail allows longer Subject lines), but the email body itself is loaded into a non-executable, sandboxed, memory location and nothing, such as scripts, are auto-executed within mail itself, nor can anything but specifically constrained HTML codes be displayed.
A vulnerability from a data overflow in the header may result in locking the screen, requiring a reboot to return to operational status, but it’s not going to spill out into giving access to secure data for other apps, such as contacts other than perhaps email addresses of those who have been received from or sent to in Mail App, with the same being limited to photos in the mail app. It would ALSO result in ZecOp having the offending email in hand to analyze the weaponized code that attacked the device. That is NOT what ZecOp claimed they did. Instead, Avraham stated ZecOp had to RECONSTRUCT a suitable attack vector to re-create the reports they saw in the error logs. WHY? Would it not be much easier to just reconstruct the attack from the code in the email?
Where is the offending email? Nowhere does ZecOp report the attack deleted the attacking email to cover its tracks. Nope. The VAST majority of email on Apple devices are handled by IMAP type accounts, which are kept on the server regardless if they are deleted on the device. This is especially true of Fortune 500 companies which require archiving of correspondence for legal purposes. Ergo, there is no malignant email attack because were there one, it would be easily retrieved for analysis. That never happened, so it doesn’t exist. Nothing.
Nor has any other security firm been able to duplicate the attack on this vulnerability. That is extremely suspicious to me. A REAL exploit has to be duplicatable to be a threat, yet an equally expert security firm, although agreeing it sounds credible, could not duplicate ZecOp’s crash results, even with guidance of their paper on how to do it. That says loads.
Is there a vulnerability? Oh, yes, very likely. Everything can have some vulnerabilities. They are created by people. People are fallible. Are they exploitable? Conceivably. Easily? Not necessarily. Perhaps, if a chain of events occur just exactly correctly, or wrongly, then possibly they can be.
ZecOp has a throw-away line in their report that states that the attacker could exploit this vulnerability only if the attacker controlled the email server. Say what???!!! That’s an important prerequisite, but they just toss it out there as if it were of no, or minimal, consequence!
This tells me that attacking vector has to be injected immediately prior to being sent to the target device, that it most likely cannot survive passage through multiple ISPs, where it would either crash the servers or be stripped out due to being detected as being an impermissible data overflow by validation checks. In other words, this is only exploitable as a targeted attack from someone who has first hijacked the target’s email server. If so, that attack target already has a much more severe problem than an attack on their personal portable devices.
To me, it seems obvious that Apple does not consider this an exploitable vulnerability requiring a stand alone security update for all versions of iOS since iOS 11.3. It’s not, given the parameters you can read between in the reports. It’s a minor glitch easily handled in a major update when it’s due to be released. ZecOp did not like that time line so they jumped the gun and made a press release to get credit beyond what is earned for minor vulnerabilities. This is not ZecOp’s first foray with this approach to getting attention.
By the way, the iPhone SE is being released right now. It was announced on Monday and I posted an article on it, but the Admin Mods deemed it an advertisement and zapped it. It was a legitimate article, one of numerous ones in the press.