• Re: Almost every iOS & macOS app has had huge vulnerabilities for over

    From Bill Powell@21:1/5 to All on Wed Jul 3 08:09:46 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On Wed, 3 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

    You are really a tragic figure in the English-speaking Usenet.

    Thank the Lord you know so much about Apple to declare that all those
    articles published today about this ten year long exploit are all wrong.

    What would we do on a technical ng without your wisdom?

    Millions of iOS apps were exposed to security breach found in CocoaPods
    https://9to5mac.com/2024/07/02/ios-apps-security-breach-cocoapods/

    Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain
    Attacks
    https://www.securityweek.com/critical-cocoapods-flaws-exposed-many-ios-macos-apps-to-supply-chain-attacks/

    'Perfect 10' Apple Supply Chain Bug - Millions of Apps at Risk of CocoaPods
    RCE
    https://securityboulevard.com/2024/07/cocoapods-apple-vulns-richixbw/

    CocoaPods flaws left iOS, macOS apps open to supply-chain attack
    https://www.csoonline.com/article/2512935/cocoapods-flaws-left-ios-macos-apps-open-to-supply-chain-attack.html

    Thank God you are here to declare it's all wrong.
    Without you, we might have believed what security researchers say.

    But with you around, we're told, by you - that it's all wrong.
    Only you know what's right.

    Nothing to see here.
    Move on.

    Keep moving.
    Mind the gap.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jörg Lorenz@21:1/5 to All on Wed Jul 3 07:49:33 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 03.07.24 at 07:38, Peter wrote:
    A near inconceivable number of Apple iPhone & macOS apps have been exposed
    to critical vulnerabilities

    Another try, Arlen?
    You are really a tragic figure in the English-speaking Usenet.

    --
    "Manus manum lavat."

  • From Oliver@21:1/5 to Bob Eager on Wed Jul 3 02:11:19 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 3 Jul 2024 07:59:01 GMT, Bob Eager <news0009@eager.cx> wrote

    So glad I have him killfiled. I recommend it.

    I don't think Joerg is who you think he is but your recommendation to hide
    your head in the sand in abject fear whenever bad news comes to the fore is typical for you. As a result, you will remain stupid for the rest of time.

    These bugs are real.
    And they've been there for ten years.

    In millions of iPhone/iPad and mac apps.

  • From Bob Eager@21:1/5 to All on Wed Jul 3 07:59:01 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On Wed, 03 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

    On 03.07.24 at 07:38, Peter wrote:
    A near inconceivable number of Apple iPhone & macOS apps have been
    exposed to critical vulnerabilities

    Another try, Arlen?
    You are really a tragic figure in the English-speaking Usenet.

    So glad I have him killfiled. I recommend it.

  • From Jörg Lorenz@21:1/5 to All on Wed Jul 3 11:44:11 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 03.07.24 at 08:09, Bill Powell wrote:
    On Wed, 3 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

    You are really a tragic figure in the English-speaking Usenet.

    Thank the Lord you know so much about Apple to declare that all those articles published today about this ten year long exploit are all wrong.

    Where the heck did I say or write that?
    You obviously do not have a clue how this sociopath Arlen contaminated
    and in the end destroyed the group misc.phone.mobile.iphone.

    What would we do on a technical ng without your wisdom?

    Kindergarten? At least you are incredibly trollish indeed, dear! *LOL*


    --
    "Manus manum lavat."

  • From Jörg Lorenz@21:1/5 to All on Wed Jul 3 11:45:11 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 03.07.24 at 09:59, Bob Eager wrote:
    On Wed, 03 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

    On 03.07.24 at 07:38, Peter wrote:
    A near inconceivable number of Apple iPhone & macOS apps have been
    exposed to critical vulnerabilities

    Another try, Arlen?
    You are really a tragic figure in the English-speaking Usenet.

    So glad I have him killfiled. I recommend it.

    You must have a lot of his identities in your killfile! ;-)

    --
    "Manus manum lavat."

  • From Jörg Lorenz@21:1/5 to All on Wed Jul 3 11:51:26 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 03.07.24 at 10:11, Oliver wrote:
    On 3 Jul 2024 07:59:01 GMT, Bob Eager <news0009@eager.cx> wrote

    So glad I have him killfiled. I recommend it.

    I don't think Joerg is who you think he is but your recommendation to hide your head in the sand in abject fear whenever bad news comes to the fore is typical for you. As a result, you will remain stupid for the rest of time.

    You are a sociopath, Arlen. Nobody takes you seriously in these groups.

    These bugs are real.

    Were, kiddie.
    You always spread *FUD* and bare lies.

    --
    "Manus manum lavat."

  • From Alan Browne@21:1/5 to Bill Powell on Wed Jul 3 08:51:05 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 2024-07-03 02:09, Bill Powell wrote:

    Millions of iOS apps were exposed to security breach found in CocoaPods
    https://9to5mac.com/2024/07/02/ios-apps-security-breach-cocoapods/

    Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain
    Attacks
    https://www.securityweek.com/critical-cocoapods-flaws-exposed-many-ios-macos-apps-to-supply-chain-attacks/

    'Perfect 10' Apple Supply Chain Bug - Millions of Apps at Risk of CocoaPods RCE
    https://securityboulevard.com/2024/07/cocoapods-apple-vulns-richixbw/

    CocoaPods flaws left iOS, macOS apps open to supply-chain attack
    https://www.csoonline.com/article/2512935/cocoapods-flaws-left-ios-macos-apps-open-to-supply-chain-attack.html

    I scanned those quickly and don't see any mention that the vulnerability
    was actually exploited. Hope it wasn't.

    Good thing CocoaPods have fixed the issue.

    It is another indication that dependencies or services managed by a
    third party can be a huge risk for developers and clients. Convenient,
    easy and cheap to have these things 3rd party managed - but their issues
    become everyone's issues.

    --
    "It would be a measureless disaster if Russian barbarism overlaid
    the culture and independence of the ancient States of Europe."
    Winston Churchill

  • From Larry Wolff@21:1/5 to Alan Browne on Wed Jul 3 10:48:35 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 7/3/2024 8:51 AM, Alan Browne wrote:

    I scanned those quickly and don't see any mention that the vulnerability
    was actually exploited. Hope it wasn't.

    It was. And is. They documented many actual exploit instances.

    But if you only read Apple cites, whenever Apple says "may", it means it
    was (even Apple is on record for saying that they use "may" for "was").

    It just sounds better to an Apple user who is scared they are exploited.
    It makes them feel better that this has been exploited for over 10 years.

  • From Jolly Roger@21:1/5 to badgolferman on Wed Jul 3 18:39:21 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 2024-07-03, badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:
    Alan Browne <bitbucket@blackhole.com> wrote:

    I scanned those quickly and don't see any mention that the
    vulnerability was actually exploited. Hope it wasn't.

    Good thing CocoaPods have fixed the issue.

    It is another indication that dependencies or services managed by a
    third party can be a huge risk for developers and clients.
    Convenient, easy and cheap to have these things 3rd party managed -
    but their issues become everyone's issues.

    I’ve always heard open source software is better because people can actually find vulnerabilities or back doors in them to report.

    That might be true if people didn't find and fix vulnerabilities in closed-source software every day.

    --
    E-mail sent to this address may be devoured by my ravenous SPAM filter.
    I often ignore posts from Google. Use a real news client instead.

    JR

  • From Jolly Roger@21:1/5 to Chris on Wed Jul 3 18:46:19 2024
    XPost: uk.telecom.mobile, misc.phone.mobile.iphone

    On 2024-07-03, Chris <ithinkiam@gmail.com> wrote:
    badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:
    Alan Browne <bitbucket@blackhole.com> wrote:

    I scanned those quickly and don't see any mention that the
    vulnerability was actually exploited. Hope it wasn't.

    Good thing CocoaPods have fixed the issue.

    It is another indication that dependencies or services managed by a
    third party can be a huge risk for developers and clients.
    Convenient, easy and cheap to have these things 3rd party managed -
    but their issues become everyone's issues.

    I’ve always heard open source software is better because people can
    actually find vulnerabilities or back doors in them to report.

    And for black hats to find them and exploit them.

    Not to mention malicious actors insert back doors into open source
    software undetected all of the time - some recent examples:

    <https://www.infosecurity-magazine.com/news/backdoor-xz-utils-linux-open-source/>

    <https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/>

    <https://cyberscoop.com/bootstrap-sass-infected-snyk-rubygems/>

    --
    E-mail sent to this address may be devoured by my ravenous SPAM filter.
    I often ignore posts from Google. Use a real news client instead.

    JR

  • From Andy Burns@21:1/5 to Jolly Roger on Wed Jul 3 19:52:03 2024
    XPost: uk.telecom.mobile, misc.phone.mobile.iphone

    Jolly Roger wrote:

    I often ignore posts from Google.

    Time for a .sig change?

  • From Jolly Roger@21:1/5 to Andy Burns on Wed Jul 3 20:12:28 2024
    XPost: uk.telecom.mobile, misc.phone.mobile.iphone

    On 2024-07-03, Andy Burns <usenet@andyburns.uk> wrote:
    Jolly Roger wrote:

    I often ignore posts from Google.

    Time for a .sig change?

    Arlen and his little troll boi gang recently had a bitch fit about my signature, and their salty tears are delicious so it stays for the time
    being. 🙂

    --
    E-mail sent to this address may be devoured by my ravenous SPAM filter.
    I often ignore posts from Google. Use a real news client instead.

    JR

  • From Your Name@21:1/5 to Bob Eager on Thu Jul 4 09:27:39 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 2024-07-03 07:59:01 +0000, Bob Eager said:
    On Wed, 03 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:
    On 03.07.24 at 07:38, Peter wrote:

    A near inconceivable number of Apple iPhone & macOS apps have been
    exposed to critical vulnerabilities

    Another try, Arlen?
    You are really a tragic figure in the English-speaking Usenet.

    So glad I have him killfiled. I recommend it.

    Unfortunately the moron keeps changing his posting name and some people
    keep replying to his garbage. :-(

  • From Jolly Roger@21:1/5 to Your Name on Thu Jul 4 03:53:26 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 2024-07-03, Your Name <YourName@YourISP.com> wrote:
    On 2024-07-03 07:59:01 +0000, Bob Eager said:
    On Wed, 03 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:
    On 03.07.24 at 07:38, Peter wrote:

    A near inconceivable number of Apple iPhone & macOS apps have been
    exposed to critical vulnerabilities

    Another try, Arlen?
    You are really a tragic figure in the English-speaking Usenet.

    So glad I have him killfiled. I recommend it.

    Unfortunately the moron keeps changing his posting name and some people
    keep replying to his garbage. :-(

    Including you.

    --
    E-mail sent to this address may be devoured by my ravenous SPAM filter.
    I often ignore posts from Google. Use a real news client instead.

    JR

  • From Andrew@21:1/5 to Jolly Roger on Thu Jul 4 05:56:36 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    Jolly Roger wrote on 3 Jul 2024 18:39:21 GMT :

    I’ve always heard open source software is better because people can
    actually find vulnerabilities or back doors in them to report.

    That might be true if people didn't find and fix vulnerabilities in closed-source software every day.

    Why do you think Apple never noticed the vulnerabilities in over a decade?

  • From Jolly Roger@21:1/5 to Andrew on Thu Jul 4 17:19:30 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    On 2024-07-04, Andrew <andrew@spam.net> wrote:
    Jolly Roger wrote on 3 Jul 2024 18:39:21 GMT :

    I’ve always heard open source software is better because people can
    actually find vulnerabilities or back doors in them to report.

    That might be true if people didn't find and fix vulnerabilities in
    closed-source software every day.

    Why do you think Apple never noticed the vulnerabilities in over a
    decade?

    Answer: Because the vulnerabilities weren't in Apple software but in a repository system used by app developers, which is the same reason an
    enormous number of open source vulnerabilities remain unpatched for 10
    years and longer:

    Open source vulnerabilities remain unpatched for decades <https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn>
    ---
    A new report reveals an enormous number of identified open source vulnerabilities remain unpatched for 10 years and longer, often because organisations have no idea what open source code they are using.
    .
    .
    .
    With software developers routinely taking code from open source
    repositories to embed in their company's products to speed up the
    development process, saving time and money, manually tracking
    components, their versions and their vulnerabilities is way beyond the capabilities of most organisations.

    The report recommends all organisations invest in an automated solution
    for identifying and patching known vulnerabilities. "You can't patch
    software if you don't know you are using it," the authors point out.
    ---

    This isn't the "gotcha" you think it is, little Arlen. It's not an
    uncommon phenomenon, and is a problem on all platforms.

    --
    E-mail sent to this address may be devoured by my ravenous SPAM filter.
    I often ignore posts from Google. Use a real news client instead.

    JR
  • From Peter Piper@21:1/5 to All on Fri Jul 5 17:03:45 2024
    Jörg Lorenz wrote:
    On 03.07.24 at 08:09, Bill Powell wrote:
    On Wed, 3 Jul 2024 07:49:33 +0200, Jörg Lorenz wrote:

    You are really a tragic figure in the English-speaking Usenet.

    Thank the Lord you know so much about Apple to declare that all those
    articles published today about this ten year long exploit are all wrong.

    Where the heck did I say or write that?
    You obviously do not have a clue how this sociopath Arlen contaminated
    and in the end destroyed the group misc.phone.mobile.iphone.

    That is Arlen you are replying to, Jörg.
    I count 6 different sock-puppet nyms of his in this thread.

    What would we do on a technical ng without your wisdom?

    Kindergarten? At least you are incredibly trollish indeed, dear! *LOL*

  • From Andrew@21:1/5 to badgolferman on Mon Jul 8 03:14:14 2024
    XPost: misc.phone.mobile.iphone, uk.telecom.mobile

    badgolferman wrote on Sun, 7 Jul 2024 12:02:22 -0000 (UTC) :

    This situation reminds me of the Ford Explorer rollover debacle. Ford
    blamed Firestone and Firestone blamed Ford. In reality they both had a
    major part in the whole thing. Firestone tires were separating at the tread and Ford Explorers had weak suspensions and high center of gravity. Both of those caused the exceedingly high number of rollovers and deaths.

    Whom did the customer purchase the vehicle from, Ford or Firestone?
    The answer is Ford. So this is purely a Ford ecosystem problem.

    To wit, this huge security hole is purely an Apple ecosystem problem. https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection

    What kind of ecosystem is so primitive that ANYONE ON THE PLANET could
    modify any of three million iOS/macOS apps at will - whenever they want?

    For ten years!

    Take your pick as to whom to blame, but it shows neither company performed adequate testing together or merely ignored warning signs.

    If Apple did NOT tout that their ecosystem provided safety and security, we could let Apple off the hook for never bothering to test that claim.

    As it is, it's clear that the one thing the primitive Apple ecosystem does
    NOT provide, is safety & security.

    I wonder if these zealots realize ANYONE ON THE PLANET FOR TEN YEARS could inject ANY CODE THEY WANTED TO INJECT into over three million iOS/mac apps.
