XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On Wed, 3 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

You are really a tragic figure in the english-speaking Usenet.

Thank the Lord you know so much about Apple to declare that all those
articles published today about this ten year long exploit are all wrong.

What would we do on a technical ng without your wisdom?

Millions of iOS apps were exposed to security breach found in CocoaPods https://9to5mac.com/2024/07/02/ios-apps-security-breach-cocoapods/

Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain
Attacks https://www.securityweek.com/critical-cocoapods-flaws-exposed-many-ios-macos-apps-to-supply-chain-attacks/

'Perfect 10' Apple Supply Chain Bug - Millions of Apps at Risk of CocoaPods
RCE
https://securityboulevard.com/2024/07/cocoapods-apple-vulns-richixbw/

CocoaPods flaws left iOS, macOS apps open to supply-chain attack https://www.csoonline.com/article/2512935/cocoapods-flaws-left-ios-macos-apps-open-to-supply-chain-attack.html

Thank God you are here to declare it's all wrong.
Without you, we might have believed what security researchers say.

But with you around, we're told, by you - that it's all wrong.
Only you know what's right.

Nothing to see here.
Move on.

Keep moving.
Mind the gap.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

Am 03.07.24 um 07:38 schrieb Peter:

A near inconceivable number of Apple iPhone & macOS apps have been exposed
to critical vulnerabilities

Another try, Arlen?
You are really a tragic figure in the english-speaking Usenet.

--
"Manus manum lavat."

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On 3 Jul 2024 07:59:01 GMT, Bob Eager <news0009@eager.cx> wrote

So glad I have him killfiled. I recommend it.

I don't think Joerg is who you think he is but your recommendation to hide
your head in the sand in abject fear whenever bad news comes to the fore is typical for you. As a result, you will remain stupid for the rest of time.

These bugs are real.
And they've been there for ten years.

In millions of iPhone/iPad and mac apps.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On Wed, 03 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

Am 03.07.24 um 07:38 schrieb Peter:

A near inconceivable number of Apple iPhone & macOS apps have been
exposed to critical vulnerabilities

Another try, Arlen?
You are really a tragic figure in the english-speaking Usenet.

So glad I have him killfiled. I recommend it.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

Am 03.07.24 um 08:09 schrieb Bill Powell:

On Wed, 3 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

You are really a tragic figure in the english-speaking Usenet.

Thank the Lord you know so much about Apple to declare that all those articles published today about this ten year long exploit are all wrong.

Where the heck did I say or write that?
You obviously do not have a clue how this sociopath Arlen contaminated
and in the end destroyed the group misc.phone.mobile.iphone.

What would we do on a technical ng without your wisdom?

Kindergarten? At least you are incredibly trollish indeed, dear! *LOL*


--
"Manus manum lavat."

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

Am 03.07.24 um 09:59 schrieb Bob Eager:

On Wed, 03 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

Am 03.07.24 um 07:38 schrieb Peter:

A near inconceivable number of Apple iPhone & macOS apps have been
exposed to critical vulnerabilities

Another try, Arlen?
You are really a tragic figure in the english-speaking Usenet.

So glad I have him killfiled. I recommend it.

You must have a lot of his identities in your killfile! ;-)

--
"Manus manum lavat."

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

Am 03.07.24 um 10:11 schrieb Oliver:

On 3 Jul 2024 07:59:01 GMT, Bob Eager <news0009@eager.cx> wrote

So glad I have him killfiled. I recommend it.

I don't think Joerg is who you think he is but your recommendation to hide your head in the sand in abject fear whenever bad news comes to the fore is typical for you. As a result, you will remain stupid for the rest of time.

You are a sociopath, Arlen. Nobody takes you serious in these groups.

These bugs are real.

Were, kiddie.
You always spread *FUD* and bare lies.

--
"Manus manum lavat."

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On 2024-07-03 02:09, Bill Powell wrote:

Millions of iOS apps were exposed to security breach found in CocoaPods https://9to5mac.com/2024/07/02/ios-apps-security-breach-cocoapods/

Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain
Attacks https://www.securityweek.com/critical-cocoapods-flaws-exposed-many-ios-macos-apps-to-supply-chain-attacks/

'Perfect 10' Apple Supply Chain Bug - Millions of Apps at Risk of CocoaPods RCE
https://securityboulevard.com/2024/07/cocoapods-apple-vulns-richixbw/

CocoaPods flaws left iOS, macOS apps open to supply-chain attack https://www.csoonline.com/article/2512935/cocoapods-flaws-left-ios-macos-apps-open-to-supply-chain-attack.html

I scanned those quickly and don't see any mention that the vulnerability
was actually exploited. Hope it wasn't.

Good thing CocoaPods have fixed the issue.

It is another indication that dependencies or services managed by a
third party can be a huge risk for developers and clients. Convenient,
easy and cheap to have these things 3rd party managed - but their issues
become everyone's issues.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On 7/3/2024 8:51 AM, Alan Browne wrote:

I scanned those quickly and don't see any mention that the vulnerability
was actually exploited. Hope it wasn't.

It was. And is. They documented many actual exploit instances.

But if you only read Apple cites, whenever Apple says "may", it means it
was (even Apple is on record for saying that they use "may" for "was").

It just sounds better to an Apple user who is scared they are exploited.
It makes them feel better that this has been exploited for over 10 years.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On 2024-07-03, badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:

Alan Browne <bitbucket@blackhole.com> wrote:

I scanned those quickly and don't see any mention that the
vulnerability was actually exploited. Hope it wasn't.

Good thing CocoaPods have fixed the issue.

It is another indication that dependencies or services managed by a
third party can be a huge risk for developers and clients.
Convenient, easy and cheap to have these things 3rd party managed -
but their issues become everyone's issues.

I’ve always heard open source software is better because people can actually find vulnerabilities or back doors in them to report.

That might be true if people didn't find and fix vulnerabilities in closed-source software every day.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: uk.telecom.mobile, misc.phone.mobile.iphone

On 2024-07-03, Chris <ithinkiam@gmail.com> wrote:

badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:

Alan Browne <bitbucket@blackhole.com> wrote:

I scanned those quickly and don't see any mention that the
vulnerability was actually exploited. Hope it wasn't.

Good thing CocoaPods have fixed the issue.

It is another indication that dependencies or services managed by a
third party can be a huge risk for developers and clients.
Convenient, easy and cheap to have these things 3rd party managed -
but their issues become everyone's issues.

I’ve always heard open source software is better because people can
actually find vulnerabilities or back doors in them to report.

And for black hats to find them and exploit them.

Not to mention malicious actors insert back doors into open source
software undetected all of the time - some recent examples:

<https://www.infosecurity-magazine.com/news/backdoor-xz-utils-linux-open-source/>

<https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/>

<https://cyberscoop.com/bootstrap-sass-infected-snyk-rubygems/>

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: uk.telecom.mobile, misc.phone.mobile.iphone

Jolly Roger wrote:

I often ignore posts from Google.

Time for a .sig change?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: uk.telecom.mobile, misc.phone.mobile.iphone

On 2024-07-03, Andy Burns <usenet@andyburns.uk> wrote:

Jolly Roger wrote:

I often ignore posts from Google.

Time for a .sig change?

Arlen and his little troll boi gang recently had a bitch fit about my signature, and their salty tears are delicious so it stays for the time
being. 🙂

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On 2024-07-03 07:59:01 +0000, Bob Eager said:

On Wed, 03 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

Am 03.07.24 um 07:38 schrieb Peter:

A near inconceivable number of Apple iPhone & macOS apps have been
exposed to critical vulnerabilities

Another try, Arlen?
You are really a tragic figure in the english-speaking Usenet.

So glad I have him killfiled. I recommend it.

Unfortunately the moron keeps chnaging his posting name and some people
keep replying to his garbage. :-(

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On 2024-07-03, Your Name <YourName@YourISP.com> wrote:

On 2024-07-03 07:59:01 +0000, Bob Eager said:

On Wed, 03 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

Am 03.07.24 um 07:38 schrieb Peter:

A near inconceivable number of Apple iPhone & macOS apps have been
exposed to critical vulnerabilities

Another try, Arlen?
You are really a tragic figure in the english-speaking Usenet.

So glad I have him killfiled. I recommend it.

Unfortunately the moron keeps chnaging his posting name and some people
keep replying to his garbage. :-(

Including you.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

Jolly Roger wrote on 3 Jul 2024 18:39:21 GMT :

I¢ve always heard open source software is better because people can
actually find vulnerabilities or back doors in them to report.

That might be true if people didn't find and fix vulnerabilities in closed-source software every day.

Why do you think Apple never noticed the vulnerabilities in over a decade?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

On 2024-07-04, Andrew <andrew@spam.net> wrote:

Jolly Roger wrote on 3 Jul 2024 18:39:21 GMT :

I¢ve always heard open source software is better because people can
actually find vulnerabilities or back doors in them to report.

That might be true if people didn't find and fix vulnerabilities in
closed-source software every day.

Why do you think Apple never noticed the vulnerabilities in over a
decade?

Answer: Because the vulnerabilities weren't in Apple software but in a repository system used by app developers, which is the same reason an
enormous number of open source vulnerabilities remain unpatched for 10
years and longer:

Open source vulnerabilities remain unpatched for decades <https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn>
---
A new report reveals an enormous number of identified open source vulnerabilities remain unpatched for 10 years and longer, often because organisations have no idea what open source code they are using.
.
.
.
With software developers routinely taking code from open source
repositories to embed in their company's products to speed up the
development process, saving time and money, manually tracking
components, their versions and their vulnerabilities is way beyond the capabilities of most organisations.

The report recommends all organisations invest in an automated solution
for identifying and patching known vulnerabilities. "You can't patch
software if you don't know you are using it," the authors point out.
---

This isn't the "gotcha" you think it is, little Arlen. It's not an
uncommon phenomenon, and is a problem on all platforms.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

Jörg Lorenz wrote:

Am 03.07.24 um 08:09 schrieb Bill Powell:

On Wed, 3 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

You are really a tragic figure in the english-speaking Usenet.

Thank the Lord you know so much about Apple to declare that all those
articles published today about this ten year long exploit are all wrong.

Where the heck did I say or write that?
You obviously do not have a clue how this sociopath Arlen contaminated
and in the end destroyed the group misc.phone.mobile.iphone.

That is Arlen you are replying to, Jörg.
I count 6 different sock-puppet nyms of his in this thread.

What would we do on a technical ng without your wisdom?

Kindergarten? At least you are incredibly trollish indeed, dear! *LOL*

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: misc.phone.mobile.iphone, uk.telecom.mobile

badgolferman wrote on Sun, 7 Jul 2024 12:02:22 -0000 (UTC) :

This situation reminds me of the Ford Explorer rollover debacle. Ford
blamed Firestone and Firestone blamed Ford. In reality they both had a
major part in the whole thing. Firestone tires were separating at the tread and Ford Explorers had weak suspensions and high center of gravity. Both of those caused the exceedingly high number of rollovers and deaths.

Whom did the customer purchase the vehicle from, Ford or Firestone?
The answer is Ford. So this is purely a Ford ecosystem problem.

To wit, this huge security hole is purely an Apple ecosystem problem. https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection

What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
modify any of three million iOS/macOS apps at will - whenever they want?

For ten years!

Take your pick as to whom to blame, but it shows neither company performed adequate testing together or merely ignored warning signs.

If Apple did NOT tout that their ecosystem provided safety and security, we could let Apple off the hook for never bothering to test that claim.

As it is, it's clear that the one thing the primitive Apple ecosystem does
NOT provide, is safety & security.

I wonder if these zealots realize ANYONE ON THE PLANET FOR TEN YEARS could inject ANY CODE THEY WANTED TO INJECT into over three million iOS/mac apps.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)