Comment by JumpCrisscross
12 hours ago
> Haven't we learned our lesson on this?
What is the purported lesson we should have learned? Users choose phones with rich messaging features. This was a major selling point for iPhone, first, with iMessage, and later with Android until iOS caught up with RCS.
One of the things Apple's Lockdown mode does is disable previews of images or links that are sent to you.
It seems like the lesson is that you shouldn't be processing data sent to the device by random strangers without the user explicitly choosing to open the file or follow the link.
That should be the default behavior, not a special lock down option that also disables other features.
Why can't they just make it like most email clients? No preview by default, give a banner with an option to explicitly allow a preview for that specific message or conversation?
I tend to agree.
But how does that prevent one from receiving and opening a malicious message?
3 replies →
Sorry, but that is an insanely defeatist attitude blended with a hint of blaming users for wanting features.
Image decoders are pure functions and all should have been rewritten as 100% safe Rust years ago.
Users need functionality.
It’s up to us to figure out how to provide that safely.
Saying to users they shouldn’t have those features isn’t sage advice, it’s admitting failure.
The thing is, nobody's happy just previewing jpegs and pngs.
Before you know it, people want to preview SVGs, PDFs, video, HTML and so on.
And to do that properly means you've got to support obscure formats like JBIG2 and CCITT Fax. Malicious vector images with a billion elements to render. XML that lets one file embed another.
And good luck getting the budget to re-implement them all from scratch in a better language, when the only business value the feature delivers is a postage-stamp-sized preview image.
3 replies →
Well, one could argue that the lesson from CVE-2017-0780[1] should've been "don't automatically decode rich messages from untrusted sources".
[1]: https://www.trendmicro.com/en_us/research/17/i/cve-2017-0780...
Where are users being given an actual choice? There is no option for "iphone without these features", and I would wager that it has 0 bearing on anyone's decision to purchase a new iphone
There is a choice, but almost nobody uses it: https://support.apple.com/en-us/105120
> What is the purported lesson we should have learned?
Not to automatically execute things within data that we have been sent.
The subtle lesson, which we won't learn is [astronaut meme] all communication is potentially remote code execution. This isn't a computer thing, it's in the inherent nature of how communication works for us too. You can be more or less careful, but you can't eliminate the problem entirely or else communicating ceases to be effective.
I think it's "don't use parsers written in unsafe languages".
I think it's simpler: don't touch untrusted content unless/until you need to.
1 reply →
Didn't Android switch their codec stack to rust?