Obscure SMS bug no need to panic
Published by Steve Litchfield at 17:22 GMT, December 31st 2008
I despair of the irresponsibility of the mainstream bloggers around the world who have gone into meltdown today over this announcement of an obscure bug in old versions of Symbian OS Messaging. Some comment and a link below. Short version. Move on, nothing to see. And no, you still don't need to pay money to a security firm...
Here's the original advisory.
Of course, this is a serious bug for Symbian to follow up, but it is just that - a bug. An almost impossibly-hard-to-hit-in-the-real-world one. And a serious one, in that you might need you to hard reset and resync your data back in order to restore full operation. But it's not something to be worried about.
This so-called 'Curse of Silence' is more 'nuisance-ware' than malware. In order to be affected, you've got to have a vulnerable device AND someone who's got it in for you AND has your mobile number AND knows the explicit (fiddly) details of how to contruct the special bug-hitting messages. Have you got that many enemies so as to make this a statistical likelihood? Thought not.
In the extreme circumstance that someone does go after you and tries this DoS-like attack, your device isn't then a 'brick', as stated in other irresponsible blogs, it's largely fully working and you'll be able to do last minute syncs and back up any important files on C. You'll need to hard reset/re-sync etc to get everything working again - but hey, you wanted to do a spring clean of your smartphone anyway. But, as I say, most people will never, ever, be hit by this rare exploit in the first place. So don't panic.
And everything running S60 3rd Edition FP2 (e.g. Nokia 6650, 6210, 6220, N79, N79, N85, N96, etc.) isn't affected anyway. Though I'd still look for Nokia to patch up many existing devices by rolling in the necessary Messaging bug fix into the next firmware. And, if the problem ever got even remotely serious, we're only talking about plain text SMS messages and it would be child's play for operators to simply blanket block these malformed messages in the first place.
Sigh. I despair, I really do. And you've been hyping up this story in order to get traffic to your site or blog then, as usual, shame on you.
Steve Litchfield, All About Symbian, 31 Dec 2008
PS. Happy New Year!
Categories: Links of Interest, Editorial Thoughts
Platforms: Series 60, S60 3rd Edition
News Discussion
Unregistered
It could cost you your saved SMSs, though.
And if you've hacked your phone, put the modified installserver in your sys folder, and then upgraded your firmware, you won't be able to re-hack your phone after the hard reset.
And if you've hacked your phone, put the modified installserver in your sys folder, and then upgraded your firmware, you won't be able to re-hack your phone after the hard reset.
Stezos
The first place I saw this was on engadget. As I have a spare N95-8GB that I didnt mind having to hard reset I tried the bug on it and as I posted on engadget........
Tested it on an N95-8GB. Got the out of memory error after the 11th message, sent a test message and it didnt come through, got out of memory again. Switched the phone off and on again and its back to normal, no hard reset required.
So at least on s60 3.1 you get a visual indication that your phone has been attacked (memory message) and a quick reboot fixes the problem.
Tested it on an N95-8GB. Got the out of memory error after the 11th message, sent a test message and it didnt come through, got out of memory again. Switched the phone off and on again and its back to normal, no hard reset required.
So at least on s60 3.1 you get a visual indication that your phone has been attacked (memory message) and a quick reboot fixes the problem.
slitchfield
Thanks, I'll tweak my text slightly 8-)
Stezos
Quote:
|
Originally Posted by slitchfield
Thanks, I'll tweak my text slightly 8-)
|
Unregistered
Steve, people like you are why Nokia gets away with crap like this.
In the US, and most developing countries, Nokia is not just continuing to sell "old" platforms, they
are still advertising them. Nokia, as always, has no interest in updating its "old" platforms, let alone every single SKU/product code. If we're lucky - very, very lucky - we may see Nokia update phones released this year with FP1. The rest of the world will be SOL.
And as for most people not being affected by this glitch, I'd ask whether you've ever bought from one of those disreputable sellers who advertise via email. No? I didn't think so. And yet, you get spammed.
Finally, there is nothing in the video about the 5th edition, but I don't see it being ruled out either. I wonder in which world 5th edition is an "old" platform.
Instead of using your soapbox to suck up to Nokia, use it to get them to change their behaviour. When Apple, a company famous for screwing over its customer base has a better history of updating their old products than Nokia, a supposedly consumer-centric company, then something is amiss.
In the US, and most developing countries, Nokia is not just continuing to sell "old" platforms, they
are still advertising them. Nokia, as always, has no interest in updating its "old" platforms, let alone every single SKU/product code. If we're lucky - very, very lucky - we may see Nokia update phones released this year with FP1. The rest of the world will be SOL.
And as for most people not being affected by this glitch, I'd ask whether you've ever bought from one of those disreputable sellers who advertise via email. No? I didn't think so. And yet, you get spammed.
Finally, there is nothing in the video about the 5th edition, but I don't see it being ruled out either. I wonder in which world 5th edition is an "old" platform.
Instead of using your soapbox to suck up to Nokia, use it to get them to change their behaviour. When Apple, a company famous for screwing over its customer base has a better history of updating their old products than Nokia, a supposedly consumer-centric company, then something is amiss.
bartmanekul
Quote:
|
Originally Posted by Unregistered
And as for most people not being affected by this glitch, I'd ask whether you've ever bought from one of those disreputable sellers who advertise via email. No? I didn't think so. And yet, you get spammed.
|
Spamming = totally different.
Getting a spam email affects you, but a very unlikely security flaw wont, if not activated.
Quote:
|
Originally Posted by Unregistered
Finally, there is nothing in the video about the 5th edition, but I don't see it being ruled out either. I wonder in which world 5th edition is an "old" platform. Instead of using your soapbox to suck up to Nokia, use it to get them to change their behaviour. When Apple, a company famous for screwing over its customer base has a better history of updating their old products than Nokia, a supposedly consumer-centric company, then something is amiss. |
argh
Agreed with "Unregistered". If Windows Mobile had this exploit, you would have been all over it, and you know it. Your sponsorship by Symbian is giving you an unhealthy bias - imagine if someone does have it in for you, and tries this. Even after a hard reset, they could just do it again and again. It sounds like there's no notification about who sent it, so you wouldn't even be able to attempt to track it down without the networks help!
Anyone who doesn't read these blogs won't even have a clue what's happening.
This is a very very bad issue that needs to be resolved as soon as possible by Nokia. There are so many devices out there that suffer from it, and requiring a hard reset to fix it is terrible and will cause many users frustration.
Not only that, but it's very easy to do and well documented, with no custom software needed. This is even worse than the old "newline in Bluetooth device name" bug that used to mess up S60 devices (I assume that this is no longer the case - I never have bluetooth on, unless I have to).
I haven't heard of such exploits against WM (although I'm sure that there must be some!) - so much for the security of Symbian. How about removing one or more points from all the S60v3 "Email" entries on the smartphone grid for this? ;)
Edit: Don't get the wrong idea about this - I use both WM and Symbian, and while I love the fiddling around that you can do in WM, I think that Symbian provides a better integrated phone, overall, but this really is a potentially bad issue, especially as it sounds like the people who discovered it gave Nokia time to fix it, which they don't appear to have done.
Anyone who doesn't read these blogs won't even have a clue what's happening.
This is a very very bad issue that needs to be resolved as soon as possible by Nokia. There are so many devices out there that suffer from it, and requiring a hard reset to fix it is terrible and will cause many users frustration.
Not only that, but it's very easy to do and well documented, with no custom software needed. This is even worse than the old "newline in Bluetooth device name" bug that used to mess up S60 devices (I assume that this is no longer the case - I never have bluetooth on, unless I have to).
I haven't heard of such exploits against WM (although I'm sure that there must be some!) - so much for the security of Symbian. How about removing one or more points from all the S60v3 "Email" entries on the smartphone grid for this? ;)
Edit: Don't get the wrong idea about this - I use both WM and Symbian, and while I love the fiddling around that you can do in WM, I think that Symbian provides a better integrated phone, overall, but this really is a potentially bad issue, especially as it sounds like the people who discovered it gave Nokia time to fix it, which they don't appear to have done.
slitchfield
@argh: Rubbish. If this was on WM, it would still be an obscure bug and I'd still be telling people not to worry. The only danger here is enough bloggers hyping and panicking and getting the minutae of the bug publicised unnecessarily.
Repeat: Yes, it's a serious bug. And needs fixing by new firmware on affected devices. But it's not a virus. it's not malware. It's not going to be commonplace. And there's no need for panic....
Repeat: Yes, it's a serious bug. And needs fixing by new firmware on affected devices. But it's not a virus. it's not malware. It's not going to be commonplace. And there's no need for panic....
Williamoni
@argh
I've not found the guys at AAS to be like that. They focus quite rightly on Symbian devices and issues.
As for ''Unregistered" I think it's cowardly to criticise Steve and not put your name to what you have to say.
Quote:
| Agreed with "Unregistered". If Windows Mobile had this exploit, you would have been all over it, and you know it. |
As for ''Unregistered" I think it's cowardly to criticise Steve and not put your name to what you have to say.
tonyn
5th edition should be fine. Possibly Tobias did not know about 5th edition when he wrote the text. As the 5800 is only shipping in a few places so far so he would anyway find it hard to borrow one for testing.
Mobile operators have had warning about this, and some have filters in place to stop the messages.
Cheers,
Tony
Mobile operators have had warning about this, and some have filters in place to stop the messages.
Cheers,
Tony
Tzer2
First of all, Happy New Year! :-)
Now, back to the message...
When has AAS ever, ever, done a top story detailing problems with Windows Mobile or any other non-Symbian OS? We barely even mention other OSes, except where they're directly compared to Symbian.
AAS isn't a "Symbian is great, everyone else is rubbish" site, read the articles and you'll see plenty of criticism as well as praise. For example, Rafe's preview of the 5800 said the web browser was inferior to the iPhone's, giving details of their comparative performance on a browser testing site.
Steve, who wrote the above news post, also works on a site called "All About iPhone", and he writes for a magazine that covers all smartphone platforms. Just the other day he wrote on AAS that iPhone games are far better than anything on S60, which is hardly something that Nokia or Symbian would want us to say.
I just don't get this tribal X vs Y thing that comes up in practically every comments thread, or the conspiracy theories that AAS is somehow in the pockets of Nokia and/or Symbian.
AAS leans towards Symbian *coverage* because this is a Symbian-themed site.
But coverage isn't praise, it's coverage. Coverage is negative as well as positive because that's what Symbian users want: when something is broken we scream about it, when something works we praise it.
And Symbian coverage is not Nokia coverage, AAS gave lots of attention to Samsung's recent S60 offerings because they too run Symbian. And we give absolutely no coverage to Nokia's S40 phones despite them making up the majority of Nokia's sales and profits, because they don't run Symbian. We don't cover Nokia's internet tablets either for the same reason.
Steve's rants against security fearmongers are more to do with how little evidence the fearmongers produce for a problem, and how unlikely the circumstances are for a security breach to happen. That's not something confined to Symbian, practically every platform has loud sceptics criticising security software manufacturers for fearmongering (for example many Windows security apps describe cookies as "malware" on their routine scans, implying that practically every machine is infected with trojans).
Now, back to the message...
Quote:
| Agreed with "Unregistered". If Windows Mobile had this exploit, you would have been all over it, and you know it. |
AAS isn't a "Symbian is great, everyone else is rubbish" site, read the articles and you'll see plenty of criticism as well as praise. For example, Rafe's preview of the 5800 said the web browser was inferior to the iPhone's, giving details of their comparative performance on a browser testing site.
Steve, who wrote the above news post, also works on a site called "All About iPhone", and he writes for a magazine that covers all smartphone platforms. Just the other day he wrote on AAS that iPhone games are far better than anything on S60, which is hardly something that Nokia or Symbian would want us to say.
I just don't get this tribal X vs Y thing that comes up in practically every comments thread, or the conspiracy theories that AAS is somehow in the pockets of Nokia and/or Symbian.
AAS leans towards Symbian *coverage* because this is a Symbian-themed site.
But coverage isn't praise, it's coverage. Coverage is negative as well as positive because that's what Symbian users want: when something is broken we scream about it, when something works we praise it.
And Symbian coverage is not Nokia coverage, AAS gave lots of attention to Samsung's recent S60 offerings because they too run Symbian. And we give absolutely no coverage to Nokia's S40 phones despite them making up the majority of Nokia's sales and profits, because they don't run Symbian. We don't cover Nokia's internet tablets either for the same reason.
Steve's rants against security fearmongers are more to do with how little evidence the fearmongers produce for a problem, and how unlikely the circumstances are for a security breach to happen. That's not something confined to Symbian, practically every platform has loud sceptics criticising security software manufacturers for fearmongering (for example many Windows security apps describe cookies as "malware" on their routine scans, implying that practically every machine is infected with trojans).
n0k1a
I cannot help noticing the similarity between this issue and the WatcherMainThread problem which affected my E61 about a year ago (search for 'watchermainthread' on AAS or Google, and the first hit should be the relevant thread).
To summarize, my E61 began to have problems with SMS messaging, and repeatedly displayed an error that WatcherMainThread had terminated. I found many references to similar symptoms, but no solution. I eventually determined that the problem began when I received an SMS from a contact with an unusually long name. I fixed the problem by shortening that contact's name...old messages from him which I never saw immediately appeared, the error messages stopped, and the device has worked fine ever since.
What struck me was the description of this new exploit...the email address has to be at least the same length as the length of my problematic contact name. The inability to receive further SMS messages is exactly what I experienced. More than a coincidence, I think...
Has anyone who has replicated this exploit tried it on a device with error messages enabled (such as by SysExplorer)? If so, did you happen to receive the WatcherMainThread termination message? I would try this myself, but I am traveling at the moment and only have a few devices with me. I do not want to risk any data loss at this time. I will try it later when I have access to more devices.
Also, the F-Secure site seems to imply that their app will clean the 'infected' (yeah, I hate that term for this type of thing too) files off of an affected device. Is that truly the case? Does it do so without need for a reformat, and without loss of any other data? If so, that would almost appear to constitute a potentially useful feature of the program. If already installed, is it capable of intercepting such a malformed message before it affects the device? If so, that would seem to be even more useful. It would be even better if it would display the originating number of the malformed message.
To summarize, my E61 began to have problems with SMS messaging, and repeatedly displayed an error that WatcherMainThread had terminated. I found many references to similar symptoms, but no solution. I eventually determined that the problem began when I received an SMS from a contact with an unusually long name. I fixed the problem by shortening that contact's name...old messages from him which I never saw immediately appeared, the error messages stopped, and the device has worked fine ever since.
What struck me was the description of this new exploit...the email address has to be at least the same length as the length of my problematic contact name. The inability to receive further SMS messages is exactly what I experienced. More than a coincidence, I think...
Has anyone who has replicated this exploit tried it on a device with error messages enabled (such as by SysExplorer)? If so, did you happen to receive the WatcherMainThread termination message? I would try this myself, but I am traveling at the moment and only have a few devices with me. I do not want to risk any data loss at this time. I will try it later when I have access to more devices.
Also, the F-Secure site seems to imply that their app will clean the 'infected' (yeah, I hate that term for this type of thing too) files off of an affected device. Is that truly the case? Does it do so without need for a reformat, and without loss of any other data? If so, that would almost appear to constitute a potentially useful feature of the program. If already installed, is it capable of intercepting such a malformed message before it affects the device? If so, that would seem to be even more useful. It would be even better if it would display the originating number of the malformed message.
My-Symbian.com
Dear Steve,
I think that you are overrreacting.
Aren't there more important things to get so excited about? For example the infamous Symbian OS security hack (promoted with pride by so many websites considering themselves Symbian OS fansites), which I have never seen you complaining about, while IMHO it did more damage to the Symbian ecosystem than anything else, boosting piracy to uncontrollable levels, scaring away serious developers and thus affecting quality and range of available 3rd party software and the way the S60 platform is often being seen, i.e. a "platform for the masses, bigger brother of S40" rather than a serious mobile computing platform.
I expressed my quite sarcastic opinion about this "exploit" on our discussion forums and I think it's the best answer.
Happy New Year!
I think that you are overrreacting.
Aren't there more important things to get so excited about? For example the infamous Symbian OS security hack (promoted with pride by so many websites considering themselves Symbian OS fansites), which I have never seen you complaining about, while IMHO it did more damage to the Symbian ecosystem than anything else, boosting piracy to uncontrollable levels, scaring away serious developers and thus affecting quality and range of available 3rd party software and the way the S60 platform is often being seen, i.e. a "platform for the masses, bigger brother of S40" rather than a serious mobile computing platform.
I expressed my quite sarcastic opinion about this "exploit" on our discussion forums and I think it's the best answer.
Happy New Year!
iolo003
I have already been hit by this bug and that was 2 months ago. Geez!! I thought it was just a full internal memory. I brought my phone to the sim operator and they didn't tell me the reason why my phone crashed, maybe to avoid mass panic, what they did was reflash my N82 and everything went back to normal. I wonder who sent me those bugs, Samsung freaks maybe because I vehemently condemn that company in my blog hehehe..
kflyer
Dear My-symbian.com,
The truth however is that Steve was the first mainstream blogger to complain about the OS hack - taking a rather harsh view of it. You might need to dig a bit more deep into the AAS archives !
The truth however is that Steve was the first mainstream blogger to complain about the OS hack - taking a rather harsh view of it. You might need to dig a bit more deep into the AAS archives !
slitchfield
Indeed. http://www.allaboutsymbian.com/featu...ll_hacking.php From March 2008, condemning over-reaction (again)
DanielW
Uh, I don't get it.
This is the worst security bug in mobile phones i've ever heard of. Millions of phones are affected and there is nothing you can do other than switching it off.
Sure, you will most likely not get hit by it and even when you will not really lose anything except your time (easily a few hours in my case).
The problem is: You do not need any special hard or software to trigger the bug on someone else phone. So I think we will see a thousands of "killed" phones the next weeks. That is not really much, but Nokia knew about it for 6 months.
Steve should not blame websites making it public but Nokia for really bad support. A firmware update fixing this should be available for months now. It is not some obscure thing which only happens when you use some uncommon feature with a nearly never used option when installed some unknown software like many other problems. It is one of the main features of a mobile phone SMS. You can not disable it. You will get it over SMS or not. All someone else needs is your nr.
Sure, I don't see a possibility to make money from it or get famous so it will most likely not become a mass phenomenon. But expect some kiddies to have a lot of fun by sending such an SMS to all their "friends" in their school class for example.
Nokia should have fixed this by now and it is disappointing they didn't.
This is the worst security bug in mobile phones i've ever heard of. Millions of phones are affected and there is nothing you can do other than switching it off.
Sure, you will most likely not get hit by it and even when you will not really lose anything except your time (easily a few hours in my case).
The problem is: You do not need any special hard or software to trigger the bug on someone else phone. So I think we will see a thousands of "killed" phones the next weeks. That is not really much, but Nokia knew about it for 6 months.
Steve should not blame websites making it public but Nokia for really bad support. A firmware update fixing this should be available for months now. It is not some obscure thing which only happens when you use some uncommon feature with a nearly never used option when installed some unknown software like many other problems. It is one of the main features of a mobile phone SMS. You can not disable it. You will get it over SMS or not. All someone else needs is your nr.
Sure, I don't see a possibility to make money from it or get famous so it will most likely not become a mass phenomenon. But expect some kiddies to have a lot of fun by sending such an SMS to all their "friends" in their school class for example.
Nokia should have fixed this by now and it is disappointing they didn't.
snoyt
After all the publicity I don't think the bug is that obscure. It is a very annoying bug and I could pester anyone I dislike with it. Knowing the technological level of the common man, an undetected case of the sms bug could really damage a consumers conception of Nokia's product quality. Far more than pinkish photo's. As such it should fixed ASAP with a firmware update Nokia would do well to inform their users of it. It should certainly not be dismissed as trivial. Few people know how to hard reset a phone.
And if the bug could be used to upload a virus, with 40% of the consumermarket having a Nokia, imagine what will happen with your phonebook. Ahhh I love doomscenario's....
And if the bug could be used to upload a virus, with 40% of the consumermarket having a Nokia, imagine what will happen with your phonebook. Ahhh I love doomscenario's....
Unregistered
Hi Steve and all others,
I think IMHO that there might even be more coming after this (although I might be wrong). This is, as already mentioned, a bad glitch in the operating system uncovered by the guys at CCC. I myself am working for a security company and I usually take those vulnerabilities serious since these glitches might also lead to buffer or heap overflows which then again might lead to remote code execution.
Okay this of course is worst case and might not happen BUT on the other hand S60v3 is a platform which is widely used in cellphones not a lot unlike windows on PCs. So just painting the worst case, improbable as it may be, further: what if mobile phones might be used as a vehicle for anonymizing whatever form of criminal actions by hijacking them with remotely executable code? What if using remotely executable code as a man-in-the-middle attack in online banking done on cellphones? You can think of a lot of szenarios.
Again, these scenarios are maybe improbable but still though: a glitch is a glitch and this one in my opinion is a bad one because it can be done remotely. And of course: remote exploits always begin like that: someone finds a glitch and someone else finds a way to possibly exploit this glitch.
So in my opinion we and of course especially Nokia should take this glitch seriously and fix it. Such glitches should not be underestimated since there are some people around which might try to exploit it.
I for myself am thankful that FortiNet introduced a tool to prevent the CurseSMS (I'm not in whatever form related to FortiNet).
Regards
I think IMHO that there might even be more coming after this (although I might be wrong). This is, as already mentioned, a bad glitch in the operating system uncovered by the guys at CCC. I myself am working for a security company and I usually take those vulnerabilities serious since these glitches might also lead to buffer or heap overflows which then again might lead to remote code execution.
Okay this of course is worst case and might not happen BUT on the other hand S60v3 is a platform which is widely used in cellphones not a lot unlike windows on PCs. So just painting the worst case, improbable as it may be, further: what if mobile phones might be used as a vehicle for anonymizing whatever form of criminal actions by hijacking them with remotely executable code? What if using remotely executable code as a man-in-the-middle attack in online banking done on cellphones? You can think of a lot of szenarios.
Again, these scenarios are maybe improbable but still though: a glitch is a glitch and this one in my opinion is a bad one because it can be done remotely. And of course: remote exploits always begin like that: someone finds a glitch and someone else finds a way to possibly exploit this glitch.
So in my opinion we and of course especially Nokia should take this glitch seriously and fix it. Such glitches should not be underestimated since there are some people around which might try to exploit it.
I for myself am thankful that FortiNet introduced a tool to prevent the CurseSMS (I'm not in whatever form related to FortiNet).
Regards
Pansies
MySymbian:
Those sites ARE Symbian OS fansites because they're providing Symbian OS users with news that will BENEFIT them. What is your link between the OS hack and the supposed boosting of piracy? The main thing that has boosted piracy is the developer certificates from the Chinese websites, not hacking. It's not just the piracy scaring away developers. It's Symbian Signed that is scaring away developers, why do you think the big players like Psiloc are still in the game? Because they can easily get their stuff signed unlike small time developers like Samir - why has none of his stuff been signed? The expensive and annoying Symbian Signing process is what is preventing new blood from developing for S60. Windows mobile is still thriving despite the massive possibility for pirating apps.
Steve:
I don't know why you always play down things like this and then try to insult other websites, is it you Symbian sponsorship? The prototypes that Nokia give you?
How the hell can you tell people not to panic in this situation? Seriously?
The guys that found this exploit told Nokia about it months ago. Some networks have already taken notice and stopped it but Nokia have done nothing to protect people with older phones.
The millions of people that have signed up for My Nokia or other online services, what if an employee of Nokia goes rogue and uses the database of all those numbers to attack all those people with this exploit? Are you really suggesting that people hardreset their phones and then spend hours setting it back up again for something that Nokia had the ability to fix but DID NOT?
This is no small issue here and I really don't understand how you could possibly be defending Nokia in a situation like this.
Those sites ARE Symbian OS fansites because they're providing Symbian OS users with news that will BENEFIT them. What is your link between the OS hack and the supposed boosting of piracy? The main thing that has boosted piracy is the developer certificates from the Chinese websites, not hacking. It's not just the piracy scaring away developers. It's Symbian Signed that is scaring away developers, why do you think the big players like Psiloc are still in the game? Because they can easily get their stuff signed unlike small time developers like Samir - why has none of his stuff been signed? The expensive and annoying Symbian Signing process is what is preventing new blood from developing for S60. Windows mobile is still thriving despite the massive possibility for pirating apps.
Steve:
I don't know why you always play down things like this and then try to insult other websites, is it you Symbian sponsorship? The prototypes that Nokia give you?
How the hell can you tell people not to panic in this situation? Seriously?
The guys that found this exploit told Nokia about it months ago. Some networks have already taken notice and stopped it but Nokia have done nothing to protect people with older phones.
The millions of people that have signed up for My Nokia or other online services, what if an employee of Nokia goes rogue and uses the database of all those numbers to attack all those people with this exploit? Are you really suggesting that people hardreset their phones and then spend hours setting it back up again for something that Nokia had the ability to fix but DID NOT?
This is no small issue here and I really don't understand how you could possibly be defending Nokia in a situation like this.
slitchfield
@pansies: Sigh. I'm *not* defending Nokia. Or Symbian. And yes, they should absolutely have fixed this ages ago. I just despair that these things get blown up out of all proportion. Without the hype, noone would EVER inadvertently run into this bug. As has been said above, we'll probably get a spate of kids annoying classmates with vulnerable phones for a few weeks.... not exactly the end of the world though, is it?
It's also worth noting that none of us knows how many world phone networks have *already* blocked these malformed messages.
It's also worth noting that none of us knows how many world phone networks have *already* blocked these malformed messages.
udewal
Fully agree with Steve. Just one thought though. Think it may be helpful to write an article stating how to identify if your handset has got hit with the bug and then what needs to be done to get it back working ? Can I help ?
Umesh
Umesh
Unregistered
Hi all,
first of all: why don't we just calm down a bit and think about this a bit more professional? Insults aren't worth a damn and don't let's get religious here! I personally stated my opinion a few posts back up (with the description of the worst case).
On one hand I do understand Steve: we shouldn't get hysterical about this issue. I personally own an E90 because it best suits my needs. I am not crazy for Nokia. And I will switch to another brand as soon as another brand produces something which better suits my needs. Still though I beg to disagree with Steve:
There is a very well known statement in the security community: your opinion about keeping this under the table and hoping that none will run into this is called "security by obscurity" and is proven to never have worked. I appreciate the work of the CCC of bringing this to attention. Now there is a workaround (thanks to FortiNet) and I for myself am using it (I do not like to invest hours of work of reinstalling all my applications). Usually what happens with keeping something under the table is that something bigger might develop under the table and we get hit by surprise.
at pansies:
to my knowledge at least in Germany only the provider D1 filters those SMS out when they are send from a D1 user but they don't filter inbound SMS of such type. Therefore in Germany you only know that no D1 user can hit you but still it can hit also a D1 user.
So please, just a few things:
- Nokia, go fix this issue --- and FAST
- at community: I agree with Steve on one part: don't get hysterical and calm down
Regards,
Grmmpf (see also my posts over at my-symbian and no Steve, I'm NOT a Nokia fan ;-) )
first of all: why don't we just calm down a bit and think about this a bit more professional? Insults aren't worth a damn and don't let's get religious here! I personally stated my opinion a few posts back up (with the description of the worst case).
On one hand I do understand Steve: we shouldn't get hysterical about this issue. I personally own an E90 because it best suits my needs. I am not crazy for Nokia. And I will switch to another brand as soon as another brand produces something which better suits my needs. Still though I beg to disagree with Steve:
There is a very well known statement in the security community: your opinion about keeping this under the table and hoping that none will run into this is called "security by obscurity" and is proven to never have worked. I appreciate the work of the CCC of bringing this to attention. Now there is a workaround (thanks to FortiNet) and I for myself am using it (I do not like to invest hours of work of reinstalling all my applications). Usually what happens with keeping something under the table is that something bigger might develop under the table and we get hit by surprise.
at pansies:
to my knowledge at least in Germany only the provider D1 filters those SMS out when they are send from a D1 user but they don't filter inbound SMS of such type. Therefore in Germany you only know that no D1 user can hit you but still it can hit also a D1 user.
So please, just a few things:
- Nokia, go fix this issue --- and FAST
- at community: I agree with Steve on one part: don't get hysterical and calm down
Regards,
Grmmpf (see also my posts over at my-symbian and no Steve, I'm NOT a Nokia fan ;-) )
argh
One site labelling it a "worm" was certainly off the mark and seemed to indicate that it would spread like wildfire. That obviously isn't the case but it's still a damning issue.
I also agree that buying security software for phones is still un-needed.
I don't think it's correct to describe the messages as "malformed" though, is it, Steve? Having an email address over 32 characters is valid, last time I looked at the RFC 5322.
I didn't realise that Nokia had known about this issue for 6 months. As they've rolled out firmware updates for most of the recent phones in this time period, I'm surprised they didn't take action on this.
And as far as this site being balanced about what it says about different platforms (while obviously focussing on Symbian), Steve did recently post a point about iPhone games being very good, but a short while earlier there was also a post that Steve made on an iPhone blog which he admitted on here that he wouldn't have posted on here as the audience wouldn't like it.
i.e. there is some bias in the posting and he doesn't mention all the down-sides of the platform.
That's not a problem for me in most cases, and I've loved seeing the recent support for hardware acceleration from the some of the head posters at AAS! (Please listen, Nokia!)
In this case, though, I do think that some of Steves venom should be directed towards Nokia, who should have fixed it on recent phones before it became public, as well as the bloggers that helped spread the details once it was public.
Edit: Also, happy new year to everyone here at AAS :)
I also agree that buying security software for phones is still un-needed.
I don't think it's correct to describe the messages as "malformed" though, is it, Steve? Having an email address over 32 characters is valid, last time I looked at the RFC 5322.
I didn't realise that Nokia had known about this issue for 6 months. As they've rolled out firmware updates for most of the recent phones in this time period, I'm surprised they didn't take action on this.
And as far as this site being balanced about what it says about different platforms (while obviously focussing on Symbian), Steve did recently post a point about iPhone games being very good, but a short while earlier there was also a post that Steve made on an iPhone blog which he admitted on here that he wouldn't have posted on here as the audience wouldn't like it.
i.e. there is some bias in the posting and he doesn't mention all the down-sides of the platform.
That's not a problem for me in most cases, and I've loved seeing the recent support for hardware acceleration from the some of the head posters at AAS! (Please listen, Nokia!)
In this case, though, I do think that some of Steves venom should be directed towards Nokia, who should have fixed it on recent phones before it became public, as well as the bloggers that helped spread the details once it was public.
Edit: Also, happy new year to everyone here at AAS :)
tonyn
Quote:
|
Originally Posted by DanielW
Uh, I don't get it.
This is the worst security bug in mobile phones i've ever heard of. Millions of phones are affected and there is nothing you can do other than switching it off. |
Quote:
|
Originally Posted by DanielW
... but Nokia knew about it for 6 months.
|
Quote:
|
Originally Posted by DanielW
Steve should not blame websites making it public but Nokia for really bad support. A firmware update fixing this should be available for months now.
|
Speculation: maybe a good outcome from this will be that more people upgrade their firmware, and that more operators will support distribution of firmware updates for their branded phones.
ttfn