Apple spreads tons of FUD, constantly saying their competitors sell user data. Apple carefully words their attacks to not specifically name Google but say competitors.
While Google Project Zero provides no context. Based on the scenario I happen to think Apple is not spreading any FUD. YMMV.

Supply and demand. There is such a huge supply of iOS exploits that the black market price for them has gone down.

https://www.wired.com/story/android-zero-day-more-than-ios-zerodium/
Yes and the number went down after Apple patched the vulnerabilities. I suppose if there is a silver lining let the hackers focus on android as this is one case where android market share is better for iOS. Right? /s
 
Hope Apple does this to Google. Find vulnerabilities and work their propaganda to hurt Google.
But first Apple needs to figure out how to find vulnerabilities in their own software.
Apple says the attack was "narrowly-focused" rather than a broad-based exploit of iPhones as described.

Perhaps Apple should have said that a broad-based exploit was used for a narrowly-focused attack. The fact that the exploit was broad-based was firmly established. The fact that the attack was narrowly-focused is based on limited data (did they check all the websites in the world?)
 
People misunderstand the concept of security. Security is making yourself a hard target so the attacker will go elsewhere. It doesn't make you invincible. If you're being targeted by a nation state for some reason I would say don't use electronic communication for anything secret. Other than that you're &))$
 
And this means, what, exactly? Are you seriously trying to pretend Android is more secure based on pricing for exploits?
Is not this very logical, though? If Android exploits were readily available (like the ones for iOS) why would anyone pay more for them? You are implying that those people are stupid. You'd better provide some facts to back up this claim.
 
Google believes thousands of visitors accessed these websites per week over two years

In fairness Google probably is right about this as they spy on everyone and compromise their anonymity by tracking them all across the web. Perhaps the reason they exposed the exploit is that they like to be the only ones doing all the spying and data collection?
 
Google's timing couldn't be any more suspicious, considering the iPhone announcement is days away and Google is a direct competitor.

With that being said, Apple isn't denying that there was a major security hole in iOS. They clearly need to take security more seriously. With such a serious exploit, 10 days sounds like too long.

Google and Apple could wise up a little bit here. The world is a better place when we work together and try not to tear each other down.
 
Well, if they or Google *knew* of other websites that have exploited these vulnerabilities, I'm sure they would have been mentioned. It's not "skirting the truth" when the truth isn't known.

There is a discrepancy in timeline and impact between Apple and Google which means that either one is clearly mistaken and acting from invalid data or one, or both, are withholding details that simply bridge the gap. IMO either of them withholding such information while making such bold claims can amount to skirting the truth.
 
Rene Ritchie covered this comprehensively in his Vector podcast a few days ago: "How iPhone Users Were Attacked — By Google's Project Zero". Anyone who is not sure can see the details there. He provides references to everything he cited in that video in the YouTube description.


I highly recommend Rene's video series -- especially this episode.
Blogger Rene Ritchie aka Apple shill? What does he know about computer security?
 
“First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community.”

First. Most attacks these days are sophisticated, and Ian Beer literally wrote:

“Earlier this year Google's Threat Analysis Group (TAG) discovered a small collection of hacked websites”.

So what is your point Apple? Damage control maybe?

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Let’s start with a link to the blog post:

https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

Now point me to the line where Google implied two years. Oh. You mean that iOS 10, iOS 11 and iOS 12 were vulnerable, and it took you two years to get it fixed. Ten days after you learned about it. Or are you saying that you were busy fixing the bugs during this period of two years?

I'd also like to mention that any of the security exploits can, at least in theory, have been exploited on other websites without anyone knowing about it. During the two years that the exploits were left unpatched. Or do you (Apple) have any evidence that this is not the case?

It’s cool that you (Apple) fixed it, after you got notified about it, but come on. This is a shameful attack on security researchers.
 
I just don't see a problem. Google found a problem and now it's fixed; your device is now more secure than it was, and that's a good thing. If you think Google is worse, go poke holes in it and report them to Google so they can be fixed. Safer devices are good for everyone.

I personally want everyone, friends or competitors, trying to poke holes in all the software I use so it can be fixed. When there are billions of devices and trillions to lose, pride is stupid.
 
Is not this very logical, though? If Android exploits were readily available (like the ones for iOS) why would anyone pay more for them? You are implying that those people are stupid. You'd better provide some facts to back up this claim.

The conclusion implied by the OP (and you) is seriously flawed. Exploits are like a commodity - the prices fluctuate over time based on supply & demand. iOS exploits have been far more valuable since.....well, since people started paying for them. A sudden change in price for exploits has no bearing at all on whether one OS is more/less secure than another.

Do you actually think that Android suddenly became super-secure overnight? Or that iOS suddenly became insecure overnight? The most logical explanation is too many people have been concentrating on iOS exploits (due to the larger bounty) and in order to shift research teams over to Android they've temporarily increased the bounty to even things out.

Further, they already said they had to turn some researchers away. Why would you turn away someone with a valid zero-day exploit? Easy. Because another research team beat you to it and they already collected the payout. Which implies that there are so many teams working on iOS exploits that you're finding different teams discovering the same exploit. Which also lines up with altering the payouts to shift research teams around by offering more for Android.
 
Is not this very logical, though? If Android exploits were readily available (like the ones for iOS) why would anyone pay more for them? You are implying that those people are stupid. You'd better provide some facts to back up this claim.
Market share. The only way the market share argument works against android is getting to compromise more phones.
 
YouTube tech vlogger, Gary Sims, summarized how the exploits compromised Safari and the system. His conclusion of how this news impacts users is the voice of reason...

 
I just don't see a problem. Google found a problem and now it's fixed; your device is now more secure than it was, and that's a good thing. If you think Google is worse, go poke holes in it and report them to Google so they can be fixed. Safer devices are good for everyone.

I personally want everyone, friends or competitors, trying to poke holes in all the software I use so it can be fixed. When there are billions of devices and trillions to lose, pride is stupid.

Right, the problem is Google forgot to say Android was attacked as well.
Sure it's good to find bugs, report them and get them fixed, but also include bugs of your own OS.
 
Right, the problem is Google forgot to say Android was attacked as well.
Sure it's good to find bugs, report them and get them fixed, but also include bugs of your own OS.

So go poke holes in Android and publish it.

Because it comes from Google doesn't mean it's bad nor inappropriate, personally I want them to make them public at the same time as they notify companies.
 
The night it became suddenly insecure was when iOS 12.4 was released. Yes, I believe Apple's practices are not secure. An exploit was fixed and suddenly it was reintroduced. Bunch of amateurs at Apple.
And your proof for this is? Oh right, you have none.
I would like someone, anyone, who thinks Google didn't do anything wrong to answer this simple question:

Why did Google wait until now to publish this exploit (almost 7 months late)? Especially when they typically publish shortly after the exploit is patched (or after the deadline passes).
 