[192420] in North American Network Operators' Group

Re: Spitballing IoT Security

daemon@ATHENA.MIT.EDU (Ronald F. Guilmette)
Thu Oct 27 20:17:24 2016

X-Original-To: nanog@nanog.org
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: nanog@nanog.org
In-Reply-To: <20161027204258.CD18057D529E@rock.dv.isc.org>
Date: Thu, 27 Oct 2016 17:17:09 -0700
Errors-To: nanog-bounces@nanog.org


In message <20161027204258.CD18057D529E@rock.dv.isc.org>, 
Mark Andrews <marka@isc.org> wrote:

>> The problem is, as I have said, this device is now the Apple equivalent
>> of Windows XP.  There could be a horrendous collection of a dozen or
>> more known critical security bugs in the thing by now, but as someone
>> noted, the last update Apple issued for the thing was in Feb 2014.
>
>But is there?  Can you list a single security bug in iOS 6.1.6 that
>would require an iOS 6.1.7?

An entirely reasonable and logical question, Mark.

I'll admit, it took me a bit of digging, but the answer would appear to
be "yes":

    https://threatpost.com/apple-fixes-cookie-access-vulnerability-in-safari-on-billions-of-devices/112246/

Note that I have the latest and greatest iOS 6.1.6 on my 3GS.

The Safari HTTP User-Agent string is apparently as follows:

    Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_6 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B500 Safari/8536.25

So, Q.E.D. ?


Regards,
rfg
