Ains, I didn't remember who I was talking to. Time to leave to do something more productive.

I see you resort to ad-hominem instead of addressing the point.

Responsible disclosure is a computer security term describing a vulnerability disclosure model. It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details.
 
I would question that, if the vendor didn't get a patch out in time. Also, as an aside, it's more in line with CERT's and the IETF's job description.

What exactly is Google's job description? Is Apple their employer? Perhaps you are?
 
Why would it open up the entire project to corruption? That seems like hyperbole.


Another user summed it up nicely:

If one doesn't adhere to a hard and fast deadline then it becomes arbitrary and even more open to accusations of manipulating perception.

How many days beyond the 90 should they wait? Whatever your answer is to "n", there will be a scenario where a fix is in "n"+3 days and then the same issue arises all over again.

If Project Zero gives in to the demands of one company, they'd have to give in to the demands of all companies. The 90 day policy gives companies plenty of time to dedicate resources to tightening up their code, yet prevents companies from ignoring vulnerabilities like the one Apple left in iTunes for 3 years, which allowed FinFisher to be marketed and sold in public view.

I'd argue that Google shouldn't be doing this and that a government agency should be the one publicly holding a fire underneath tech companies to improve the security of their code. Regardless, you either mistrust Google for possible marketing motives or you mistrust the government for possible privacy invasion.
 
I'd argue that Google shouldn't be doing this and that a government agency should be the one publicly holding a fire underneath tech companies to improve the security of their code. Regardless, you either mistrust Google for possible marketing motives or you mistrust the government for possible privacy invasion.

Agreed, but the reality is that the government isn't doing anything proactive, so Google has taken the initiative...they're probably one of the few who have the resources and ability to do so.

And it's not like they're targeting Apple...they just report what they find after 90 days, regardless of the brand name.
 
Because it paints Apple in an unflattering light.

This is only your assumption. I had no issue with Google when they disclosed the OpenSSL issue or SecureTransport, both of which were patched before they were disclosed.

----------

What exactly is Google's job description? Is Apple their employer? Perhaps you are?

What a ridiculous comment. They are not CERT, let's put it that way.
 
I'm amazed at the amount of hate Google is getting. They are making software you use more secure by essentially forcing developers to fix their applications. How is this a bad thing? If anything, you should be thanking Google, since those are fewer vulnerabilities hackers have access to.

They're getting hate because it seems that they're more interested in gotcha announcements than actually improving security.

Microsoft had a fix ready to release on their regularly scheduled Patch Tuesday and asked Google to wait the 2 more days before announcing. Google said no. Why?

Similar situation here. Apple has a fix that is currently being tested. But Google can't wait to release the vulnerability? Why??

How does that help to "reduce the number of people harmed by targeted attacks" (their stated goal)?
 
They're getting hate because it seems that they're more interested in gotcha announcements than actually improving security.

Microsoft had a fix ready to release on their regularly scheduled Patch Tuesday and asked Google to wait the 2 more days before announcing. Google said no. Why?

Similar situation here. Apple has a fix that is currently being tested. But Google can't wait to release the vulnerability? Why??

How does that help to "reduce the number of people harmed by targeted attacks" (their stated goal)?

Standard procedure, almost all the other security companies do the same.
 
I'd argue that Google shouldn't be doing this and that a government agency should be the one publicly holding a fire underneath tech companies to improve the security of their code. Regardless, you either mistrust Google for possible marketing motives or you mistrust the government for possible privacy invasion.
I'd much prefer companies doing it (whether for altruistic or selfish motives) than rely on the competency and integrity of the government (who has a vested interest in keeping some security holes available).
 
They're getting hate because it seems that they're more interested in gotcha announcements than actually improving security.

Microsoft had a fix ready to release on their regularly scheduled Patch Tuesday and asked Google to wait the 2 more days before announcing. Google said no. Why?

Similar situation here. Apple has a fix that is currently being tested. But Google can't wait to release the vulnerability? Why??

How does that help to "reduce the number of people harmed by targeted attacks" (their stated goal)?

What part of "90 day deadline" is hard to understand?
 
What part of "90 day deadline" is hard to understand?
I find it interesting that both Microsoft and Apple had their respective fixes just slightly outside the 90 day window. I can't help but think it was planned to redirect attention to Google and their immovable 90 day window and away from the security flaws that were being addressed.
 
I'd argue that Google shouldn't be doing this and that a government agency should be the one publicly holding a fire underneath tech companies to improve the security of their code. Regardless, you either mistrust Google for possible marketing motives or you mistrust the government for possible privacy invasion.

Except for the fact that the US government stockpiles these zero day vulnerabilities for their own use (i.e. Stuxnet).
 
Google has a disingenuous agenda on this. Where are all the hundreds of issues with Android, Chrome OS, Gmail, etc.? They will not mention them. Should Microsoft or Apple publish Google's issues after 90 days? The list would be very long.

Even worse, they have a (searchable) list of bugs on competing platforms, but you have no way to know from them what bugs they have on all their various releases. I'm betting that list would be very, very, very long. Some of their open bugs are easy root access too, not things like this that take some work to exploit.
 
I find it interesting that both Microsoft and Apple had their respective fixes just slightly outside the 90 day window. I can't help but think it was planned to redirect attention to Google and their immovable 90 day window and away from the security flaws that were being addressed.
Why make excuses for Apple?
They had 90 days to implement, test & deploy a patch, but they failed!
 
What part of "90 day deadline" is hard to understand?

The deadline is arbitrary, especially since MS had a fix 2 days out and I'm sure Google knew that.

So, by that logic I'm guessing you're for mandatory sentences because looking at context is the root of all evil... (sic).
 
The deadline is arbitrary, especially since MS had a fix 2 days out and I'm sure Google knew that.

So, by that logic I'm guessing you're for mandatory sentences because looking at context is the root of all evil... (sic).

MS had a fix already, they just wanted to wait until Patch Tuesday instead of immediately pushing it out.
 
Standard procedure, almost all the other security companies do the same.

Context is important, and Google seemingly was more interested in the PR than actual security. MS has to release patches in a way that system admins will actually implement. They have their own processes internally.

Google acted like a spoiled child, plain and simple.

To teach little sanctimonious Google, from now on, someone should just publish full codes for Botnets on Android platforms with easy install instructions (maybe even hint at compiled versions) for all the script kiddies to amuse themselves.

Let's see Google, the "masters" of security, respond to that. Some of those serious holes (many of them root exploits that work all by themselves and don't need other exploits) have existed for years.
 
Context is important, and Google seemingly was more interested in the PR than actual security. MS has to release patches in a way that system admins will actually implement. They have their own processes internally.

Google acted like a spoiled child, plain and simple.

To teach little sanctimonious Google, from now on, someone should just publish full codes for Botnets on Android platforms with easy install instructions (maybe even hint at compiled versions) for all the script kiddies to amuse themselves.

Let's see Google, the "masters" of security, respond to that. Some of those serious holes (many of them root exploits that work all by themselves and don't need other exploits) have existed for years.

What part of standard procedure for other companies don't you understand? Why so much fixation with Google when I have not talked about Google but about what other security companies do?

And you can report the ****ing vulnerabilities to Google; they will pay you for that. Or, if your hate is so great as it seems, you can report the vulnerabilities to CERT and they will disclose them in 45 days, half the time of Google's timeline.

But the hate is strong, it seems.
 
Why make excuses for Apple?
They had 90 days to implement, test & deploy a patch, but they failed!

Android had years (in some cases 3 years) to fix their crap and they failed. Not only did they fail, they declared that they wouldn't fix bugs in something they released a bit more than 18 months ago!! If Apple did this there would be a revolution, simple as that.

Both MS and Apple were days away from releasing the fix and Google knew it. So, what security was to be gained from this?

90, 45, 15 or whatever are totally arbitrary numbers. There are no studies that define that everything should be released within 90 days, or even 15 days. You release it as soon as you humanly can while not breaking everything else and not introducing new vulnerabilities. Slacking on fixing bugs is not acceptable, but there is no proof that this was the case here.

BTW, this is not an easily exploitable bug, like the Heartbleed bug (in the OpenSSL lib), which Apple patched within days (even patching iOS 6, which was not even supported). This bug was much less likely to occur in the wild on user systems.

Google has now set itself up for some heavy derision, considering the abysmal state of security on their own systems.
 
What part of standard procedure for other companies don't you understand? Why so much fixation with Google when I have not talked about Google but about what other security companies do?

And you can report the ****ing vulnerabilities to Google; they will pay you for that. Or, if your hate is so great as it seems, you can report the vulnerabilities to CERT and they will disclose them in 45 days, half the time of Google's timeline.

But the hate is strong, it seems.

I've been involved in the software/systems industry for 30+ years, so I don't think I'll take lessons from some neophyte.

The key is making things more secure; that's the goal.
By blindly following rules, drone/Google failed this goal. That's it.

As for the "hate", I am taking things to task because Google puts out crap software, abandons it and its users with their piles of issues, and then says that it follows some "rules"... Rules don't apply to itself, only to others.

If Apple pulls the same thing, I don't mince punches: I'm still miffed about their iOS 4 that broke down my phone. Eventually this was sort of fixed, but it was very slow for quite a long time.

My desktop is a Windows 8.1 machine, and I'm pretty pissed off when I see 100+ security updates in one year! You think none of those were exploitable before they got patched... I don't think so. I'm a sitting duck most of the year because of MS's lax security (especially in its services).
 