How?
They could expose the issue without the 90 day grace period if they wanted to be dirty.

How? Because they have appointed themselves as an authority over their competitors and decided to take it upon themselves to publicly expose their problems. That's not only dirty, it's acting like a ********. I don't respect people that tell others "you fix what I found by the time I say or I'm going public with this." Who made Google the arbiter? Who made them the police of security? What makes them think that they are special enough to start exposing possibly unknown exploits in their competitors' businesses? How is Google making themselves in charge of what gets exposed their prerogative? Google is doing nothing more than making themselves look good. You can guarantee that if people started tearing apart Android looking for bugs they'd not speak of them (like they already do), they would never admit there were serious bugs in it (like they already don't), and you can bet your ass they'd go to the first media outlet that wanted to talk to them and start saying how their competitors were trying to badmouth them, ruin their name and probably talk about legal action. Google is not doing this for the greater good, they are doing this to make their competitors look bad.
 
They should first expose the holes in Android that they refuse to patch or can't.

Pretty annoyed at Google at the moment considering Lollipop's widely reported issues and bugs such as this one, which they consider obsolete but clearly isn't (reproducible on MacBook Pro Retina Late 2013 + Yosemite 10.10.1): https://code.google.com/p/android/issues/detail?id=39548

Those in glass houses...

Because they have holes in their own OS that remain open for months that they don't report on. Before a company starts searching for and reporting flaws in someone else's product, they should devote those resources to fixing their own mess.

Google has a disingenuous agenda on this. Where are all the hundreds of issues with Android, Chrome OS, Gmail, etc.? They will not mention them. Should Microsoft or Apple publish Google's issues after 90 days? The list would be very long.

Makes me wonder if that team has found any bugs in Android and Chrome OS yet?

You guys realize that Google is a very large company, with many different teams and departments, right? Ever stopped to think that maybe one team is looking at ways to improve their own products, while other teams are simultaneously looking at ways to improve the industry at large (by looking at other companies' products)?

Some of the comments here seem to assume that Google can only do one thing at a time...:rolleyes:
 
How? Because they have appointed themselves as an authority over their competitors and decided to take it upon themselves to publicly expose their problems.
If Apple fixed the security issue, then it wouldn't be a problem. They knew about it for 3 months and failed to close the hole.

If Google publishes the security vulnerability and causes Apple to fix it (like they seem to now), that's a good thing for us consumers.

While you may not like how Google operates, one thing is for sure: it's causing Apple to move to close the hole (something that they didn't seem too anxious to do in the first place).

Why no anger towards Apple, whose attitude towards security seems a little too laid back?
 
The irony that Android right now is the biggest botnet source in the world because of crap-level security and upgrade policy... That I could have 100+ separate security patches for Microsoft in one year... Makes Apple pretty secure from any derision from the likes of Google or Microsoft.
LOL !
Divert the discussion to Google and others to take the spotlight off Apple.
As expected by non objective consumers.
 
This is questionable, first because it supposes that the particular vulnerability has already been exposed and is actively used. Secondly, last week (I think) Microsoft asked Google for some more time so they could get their patch done in time. Google's response: no, sorry. A published unpatched issue is clearly much worse, and there is absolutely nothing you as a user can do about it.

Google had their 90 day policy and Microsoft had their "Patch Tuesday" policy, and both refused to budge. If Google starts making exceptions, it opens up the entire Project Zero to corruption. If Microsoft makes an exception and releases a patch on a day other than a Tuesday, the exploit gets patched quicker.

As for published vs. unpublished, it's fairly unlikely that Project Zero is the first team to find these vulnerabilities. Considering the high payout for these exploits on the black markets, there's plenty of motivated people working underground kicking every single tire they encounter. There are also very powerful governments working to find and make use of these vulnerabilities for their own gains.

Essentially: the people you should be worrying about aren't getting their ideas from CNET or the Project Zero blog.



These are previously undiscovered issues uncovered by Google's team that clearly Apple had fixed in the 10.10.2 beta. If Apple is a few days away (and Microsoft has Patch Tuesday), then WAIT.

You cannot just change an OS release at the drop of a hat. They need testing.

It's not safe to assume they're actually previously undiscovered. As mentioned, there's plenty of powerful and motivated players out there doing the same thing the Project Zero team is doing, just with different motives.

It may not be currently possible to change an OS at the drop of a hat, but it needs to become that way. If there's ever an unpublished exploit serious enough that it easily renders mass amounts of OS X installations unusable, Apple better hope they can work quicker than 90 days to do something about it.
 
A published unpatched issue is clearly much worse, and there is absolutely nothing you as a user can do about it.

It is funny, no one has complained to CERT and they disclose the vulnerabilities after 45 days, no one has complained to IETF and they disclose vulnerabilities after 30 days.

And a published unpatched issue is clearly much better than not disclosing it.

The only problem here is that the one disclosing the vulnerabilities is Google, not the fact of those vulnerabilities being disclosed.
 
They are zero-day because they are released to the public before a fix exists. Google even provides test code for them (the black market). These are previously undiscovered issues uncovered by Google's team that clearly Apple had fixed in the 10.10.2 beta. If Apple is a few days away (and Microsoft has Patch Tuesday), then WAIT.
If one doesn't adhere to a hard and fast deadline then it becomes arbitrary and even more open to accusations of manipulating perception.

How many days beyond the 90 should they wait? Whatever your answer is to "n", there will be a scenario where a fix is in "n"+3 days and then the same issue arises all over again.

You cannot just change an OS release at the drop of a hat. They need testing.
Apple knew they had 90 days. They certainly have the resources to address that security issue in that timeframe... including testing. You make it sound like Apple only had a few days to respond.
 
How? Because they have appointed themselves as an authority over their competitors and decided to take it upon themselves to publicly expose their problems. That's not only dirty, it's acting like a ********. I don't respect people that tell others "you fix what I found by the time I say or I'm going public with this." Who made Google the arbiter? Who made them the police of security? What makes them think that they are special enough to start exposing possibly unknown exploits in their competitors' businesses? How is Google making themselves in charge of what gets exposed their prerogative? Google is doing nothing more than making themselves look good. You can guarantee that if people started tearing apart Android looking for bugs they'd not speak of them (like they already do), they would never admit there were serious bugs in it (like they already don't), and you can bet your ass they'd go to the first media outlet that wanted to talk to them and start saying how their competitors were trying to badmouth them, ruin their name and probably talk about legal action. Google is not doing this for the greater good, they are doing this to make their competitors look bad.

So, you're saying that CERT, IETF, Secunia and all the other security companies are ********s and act dirty?
 
In the security community, it is generally considered best practice to publicize vulnerabilities ASAP because it gets as many minds as possible involved in fixing them. As a private company that likes to protect its own reputation and codebase, Google is being generous in allowing 90 days and working with the affected companies before discussing publicly.

Also, as far as exposing their own flaws, the actual most recent post on Project Zero's blog is about a Chrome for Android vulnerability. It isn't so much that they aren't interested in dealing with Android errors, it's that it is an open source project that has a huge quantity of contributors and it doesn't take them more than 90 days to fix things more often than not. Given that Google operates like a series of small companies rather than one centrally-directed unit, chances are the Project Zero team and the Android team hardly know each other.
 
The irony that Android right now is the biggest botnet source in the world because of crap-level security and upgrade policy... That I could have 100+ separate security patches for Microsoft in one year... Makes Apple pretty secure from any derision from the likes of Google or Microsoft.

Sources for that?
 
You mean by communicating that OS X has security holes? How's that dirty? It will now at the very least get addressed by Apple.

It’s dirty in the sense of releasing the information before it is fixed, it doesn’t matter when that is. Who are they to command a company, whether it’s Microsoft or Apple, to set priorities and resources for them to address an issue? The respective companies are now aware of the issue and will address it based on their own priority and resource allocations.
 
I love this by Google.

I'll always take security over features, and Google's tactics are a win for this. While it can be time-consuming and resourceful to fix some bugs because it isn't clear what line(s) of code are triggering it and what the effects of fixing the bug are on everything else, if Google didn't impose a time limit, then companies wouldn't be pressed to fix exploitable security issues in a timely manner.

3 months is a long time for an exploitable security bug to be unfixed given how much information we keep (and we're encouraged to these days) on our computers, but if we are to continue to have the trust to do so, software companies need to improve their development/testing and this'll make them do it. It's not like the major software companies have a lack of funds for more resources, or having in house hackathons with big bonuses to entice those to do it.

This might mean a change in the way they do things. It might mean it takes longer to get new features out or improvements, but security is so crucial these days.
 
Google had their 90 day policy and Microsoft had their "Patch Tuesday" policy, and both refused to budge. If Google starts making exceptions, it opens up the entire Project Zero to corruption.

Why would it open up the entire project to corruption? That seems like hyperbole.

If Microsoft makes an exception and releases a patch on a day other than a Tuesday, the exploit gets patched quicker.

And if Google (whose stake in this is zero) made an exception the issue could be patched before it's made public.



As for published vs. unpublished, it's fairly unlikely that Project Zero is the first team to find these vulnerabilities. Considering the high payout for these exploits on the black markets, there's plenty of motivated people working underground kicking every single tire they encounter. There are also very powerful governments working to find and make use of these vulnerabilities for their own gains.

Essentially: the people you should be worrying about aren't getting their ideas from CNET or the Project Zero blog.

No doubt, but then again that assumes that the black markets have found 100% of all vulnerabilities, which is highly unlikely. I don't see why it's not legitimate to worry about both.
 
I'm amazed at the amount of hate Google is getting. They are making software you use more secure by essentially forcing developers to fix their applications. How is this a bad thing? If anything, you should be thanking Google since those are fewer vulnerabilities hackers have access to.
 
It is funny, no one has complained to CERT and they disclose the vulnerabilities after 45 days, no one has complained to IETF and they disclose vulnerabilities after 30 days.

I would question that, if the vendor didn't get a patch out in time. Also, as an aside, it's more in line with CERT and IETF's job description.

And a published unpatched issue is clearly much better than not disclosing it.

This is a straw man, no one is suggesting that it shouldn't be disclosed at all, as in never.

The only problem here is that the one disclosing the vulnerabilities is Google, not the fact of those vulnerabilities being disclosed.

Why do you think this is the problem?
 
Why do you think this is the problem?

Because nobody has questioned the OS disclosures until Project Zero from Google. CERT has been disclosing unpatched vulnerabilities for all kinds of software for years (45 days, not 90 like Google), and Secunia has done that for years.
 
It's zero-day until a patch is released. Wikipedia:
"Once a patch is available, it is no longer a "zero-day exploit""

From your own link:

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch.

Developers have had 90 days to patch and there is no known attack, so no, they are not zero-day vulnerabilities.
 
If one doesn't adhere to a hard and fast deadline then it becomes arbitrary and even more open to accusations of manipulating perception.

How many days beyond the 90 should they wait? Whatever your answer is to "n", there will be a scenario where a fix is in "n"+3 days and then the same issue arises all over again.


Apple knew they had 90 days. They certainly have the resources to address that security issue in that timeframe... including testing. You make it sound like Apple only had a few days to respond.

You can't change the baseline of an operating system, complete a beta testing program, get the update out and keep a reliable, stable product. As to how many days? I think when you see the fixes are in active beta test and you know the release is imminent, you can adapt. We don't have to be robots about it.
 
Why do you think this is the problem?
Because it paints Apple in an unflattering light.

Rather than stop Google from doing what they're doing (as many here would prefer), I want Apple and Microsoft to join in and bring to light security issues in their competitors' operating systems.

I'm more interested in protecting my computing devices than protecting a company's reputation.
 