Apple's iOS 7.0.4 fixes a "too easy to buy stuff" security flaw

Filed Under: Apple, Featured, iOS, Vulnerability

If you're an avid iDevice user, you've probably already received Apple's fourth bug-fix release of iOS 7, unsurprisingly named 7.0.4.

At an average of one update every two weeks since iOS 7 launched in September 2013, you might view this a sign that Apple's code quality has gone down, following the argument that more vulnerabilities needing patching must mean worse code.

We often hear this argument trotted out against other software vendors, with a count of known vulnerabilities used an an inverse measure of security.

On the other hand, you might view it as a sign that Apple is becoming more responsive to security issues by pushing out updates quickly, rather than waiting to bundle multiple fixes into a single patch.

Obviously, well-written software without security holes will never need updates, and will therefore rack up zero patches.

But it doesn't work the other way around.

You can't make poorly-written software secure by neglecting, or even refusing, to publish patches for it, so a low patch count can't be used as a quality metric on its own.

And don't forget that exploit-finding is now worth money, sometimes big money, so vulnerability counts are likely to rise, all other things - including software quality - being equal.

A lot of the coverage for the iOS 7.0.4 update has focused on a non-security bug fix in FaceTime, but there's also an officially-listed security patch:

App and In-App purchases may be completed with insufficient authorization.

Description: A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization.

As far as we can tell, this flaw doesn't mean that you can buy stuff on someone else's dime without knowing their password.

But it could allow purchases on your device to be approved unexpectedly (or unscrupulously), so it's good to have it fixed.

Many users probably already have the update, or will want to grab it promptly.

The only users left in uncertainty here are those who are hoping to jailbreak their iOS 7 devices some time in the future.

The irony, of course, is that jailbreaking relies on experts finding an exploitable vulnerability that can be used to liberate your iPhone or iPad from Apple's strict lockdown.

Word on the street seems to be that a jailbreak for iOS 7 is likely soon, and will probably work against versions up to iOS 7.0.3.

But Apple might quietly have found the same hole that the jailbreakers are working away at, and have fixed it in iOS 7.0.4.

Once you upgrade, you can't - or you're not supposed to be able to - downgrade, which is Apple's way of stopping you jailbreaking newer iOSes by reverting to the buggy ways of older versions.

Some hackers are saying "not to worry," because the changes in 7.0.4 are minor enough that they shouldn't make any difference to the current progress towards iOS 7 "freedom."

Until they're sure iOS 7.0.4 is jailbreak-safe, though, some avid jailbreakers are likely to wait.

It's a pity that Apple won't embrace the jailbreaking community: Naked Security readers certainly seem to think they should.

, , , , , ,

You might like

6 Responses to Apple's iOS 7.0.4 fixes a "too easy to buy stuff" security flaw

  1. 4caster · 689 days ago

    Please explain what "jailbreaking" is, and why users should have it, or not have it.

    • Paul Ducklin · 689 days ago

      As mentioned in the article, "jailbreaking" is where you unlock your device to remove Apple's restrictions, notably on what software you can install and where you are allowed to get it from.

      Apple doesn't want you to do this, partly for security reasons (you potentially open up your phone to new risks such as malware and hackers) and partly for commercial reasons (iOS is based around the idea that Apple is is control of what you are allowed to run on it, and so you can *only* shop at Apple's "company store" to get new software.)

      A vocal minority of users like to jailbreak their devices for the additional freedom it gives them to try new things, make configuration changes Apple won't allow, and use software that isn't limited to playing inside Apple's technical and commercial limitations. And since it's their device, that they've already paid for, the law in most countries, including the US, says they can jailbreak if they want. On the other hand, the law doesn't say Apple has to make it easy :-)

      Apple, indeed, does its best to stop people jailbreaking, even though most users probably wouldn't bother anyway, so the jailbreak experts have to find holes in iOS by means of which they can turn off Apple's deliberate limitations.

  2. Anonymous · 689 days ago

    Thank sophos for finding, and quarantined, a Trojan for spyware the other day on my husbands Mac! How long will it take apple to find it and create a patch for the exploit?

    • Paul Ducklin · 689 days ago

      The infection might not have arrived via an exploit - it might have arrived in email, for instance, or in a download, or via numerous other routes.

      It's hard to say without more information whether this was down to a hole left by Apple or some other means. (If not, then waiting for a patch won't help.)

      Or it might have entered via an exploit against some non-Apple component, e.g. Java or Flash. Do you have those installed? Are they up-to-date as well?

      Lastly, it might not have been an active infection - you didn't say, but if you already had Sophos installed and it kicked in as the malware was trying to activate, then it was probably blocked before it could actually do anything.

      It's tricky for us to support the free Mac product on Naked Security, as it's not a good forum for extended discussions, so I suggest heading to our online support forum:

  3. Ashok · 672 days ago

    On upgrading to ios7.0.4 the data have been tampered with. The names of all the contacts have disappeared and where do we get them back from ? In all updates should the software designer not take care of the data of the user. If there is a problem then they should give a warning that your data is going to be affected and the same can be saved like this-- the procedure should be a part of the update. Let these software giants not take us as goats. Fools you are working because there are customers who buy from you. You need to care for your customers.

  4. Sean · 668 days ago

    Ashok... Likely the culprit is the iCloud. Even if you think it was not turned on for Contact. Even so, go into settings and turn it on/off or off/on/off and reboot. Your contacts should reappear. This happened to my wife's phone, but not mine, post 7.0 upgrade but not directly following an update, apparently just randomly. Yikes! Anyway, this "fix" worked for her phone.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog