Informing them of the security hole is fine; this publicly exposing the flaw is the dirty part in my eyes.

That's actually common practice in the exploit discovery scene. It gives those warned a compelling reason to fix it ASAP, or else risk egg on their face.

The only weird thing about this scenario is that it's one of the Big Three doing it to the other two.
 
Yes, I understand perfectly well what that word means; 90 is just a number. Why not 100 days, or even 80 days? Please get me the studies telling me how one number is better than the next. I'm going to bet you'll be digging a while. So, yes, arbitrarily set at 90 days, so bugs won't linger unfixed.

The ultimate goal of the number is security, not security at all cost. It is not a dogma where no situations can ever alter the number.

The simple matter is that this didn't increase security by releasing the technical details (not just the bug's existence), the stated goal, and Microsoft or Apple releasing a not fully vetted patch had a good chance to disrupt the security and stability of existing systems. A bigger failure. A failure, mind you, that Google would not have to bear at all.

So, Google had basically nothing to lose in doing what they did.

Considering the potential massive damage a not fully tested patch could inflict and the fact that the bug wasn't critical (like say the goto bug or the heartbleed bug), a few more days of delays would not have made a big difference.

That's how it works in the real world; not patch as you please, because we don't care what happens elsewhere, world.

If Apple or Microsoft were totally ignoring the fix, you'd possibly have a point, but as things stand, you do not.


Why do deadlines have to be based on studies? A company sets a deadline of their choosing. That's it. That simple.

Why do credit card companies require monthly payments? Are you on Visa's forums bitching about their "arbitrary" deadlines? Do you ask them to provide studies saying monthly payment periods are the appropriate ones?

The person setting the deadline has the right to choose the expiry of the deadline. That's real life. If it was up to the other person to set the deadlines, it wouldn't be much of a deadline, now would it?

I think you're freaking out about this more than Apple is. Apple probably doesn't even care at all. How did this affect them negatively? Give me some studies that show that it did (just kidding.)

It's become somewhat regular that someone exposes a bug/vulnerability with Apple's software, whether iOS or OSX, or any other company's software for that matter.

Why are you taking the fact that Google is the one that exposed this bug/vulnerability so personally? All your hypothetical doomsday "failures" are not necessary because they didn't happen. Time to live in the real world.
 
I'm amazed at the amount of hate Google is getting. They are making software you use more secure by essentially forcing developers to fix their applications. How is this a bad thing? If anything, you should be thanking Google, since those are fewer vulnerabilities hackers have access to.

I'm actually amazed there are so many Google supporters. It has more to do with their snobbishness and releasing the vulnerability to the public whether there's a fix in place or not. Companies have priorities and updating an OS is not always a trivial task. Who's Google to say these exploits should be fixed within 90 days considering how many security issues there are with their own products? No one likes people (or companies) that throw stones from glass houses.
 
So, Apple should just sort it out themselves?

I understand that, but it's probably a double-edged sword? We all want fixes to be made available, but we also don't want to wait a long time either.

Seems like if Apple's not gonna walk to the front of the line, then someone else should. And that's Google.
 
So the problem is not disclosing the vulnerabilities, the problem is just the one doing it.

Funny; perhaps it is better to send the vulnerabilities to CERT. Apple and Microsoft would have half the time to fix them. Better for the users, and some would not be so pissed off.

Absolutely. I have no issue with the problems being given the attention they are, I just have a problem with a direct competitor somehow giving themselves the authority to start disclosing them and damaging their competitor to their advantage. I have no issue with Apple, Microsoft or any other company being called out on ignoring their security lapses, I just don't like Google thinking they should be the ones to call them out because it directly impacts their rivals in a business sense. It doesn't matter if the shoe was on the other foot, companies disclosing the security lapses of their competitors like they have some authority to is scummy to me.

----------

Admittedly, it is a lot easier to just assume someone has ulterior motives.

What you call "basic logic" can also be described as unsubstantiated supposition, or more colloquially, opinion:D. po-TAY-to, po-TAH-to amirite?

So you're telling me that Google taking it upon themselves to lay demands on their competitors, to their detriment and Google's advantage, doesn't impact, harm or in any way make them look bad while Google looks like the good guy? Google doesn't do anything that doesn't benefit them financially, no matter how big or small. Saying otherwise is ignorant. Google doesn't care about the little guy, they care about being better than their competition, and if it takes publicly exposing them to make them look good and the other guy look bad they'll do it. It doesn't matter which way it goes, companies giving themselves the authority to "call out" any one of their competitors for any reason, especially one that negatively impacts people where it might not have been known widely enough to hurt them yet, is gross behavior. I'm all for exposing bugs and getting things fixed, I just don't like Google's holier-than-thou attitude about it.
 
I think Project Zero does good work and I'm grateful for it; I'm just not sure that 90 day limit to fix should be so with no exception. Maybe this wasn't the time to give one but that doesn't mean there never will be a time.
 
Absolutely. I have no issue with the problems being given the attention they are, I just have a problem with a direct competitor somehow giving themselves the authority to start disclosing them and damaging their competitor to their advantage. I have no issue with Apple, Microsoft or any other company being called out on ignoring their security lapses, I just don't like Google thinking they should be the ones to call them out because it directly impacts their rivals in a business sense. It doesn't matter if the shoe was on the other foot, companies disclosing the security lapses of their competitors like they have some authority to is scummy to me.

----------



So you're telling me that Google taking it upon themselves to lay demands on their competitors, to their detriment and Google's advantage, doesn't impact, harm or in any way make them look bad while Google looks like the good guy? Google doesn't do anything that doesn't benefit them financially, no matter how big or small. Saying otherwise is ignorant. Google doesn't care about the little guy, they care about being better than their competition, and if it takes publicly exposing them to make them look good and the other guy look bad they'll do it. It doesn't matter which way it goes, companies giving themselves the authority to "call out" any one of their competitors for any reason, especially one that negatively impacts people where it might not have been known widely enough to hurt them yet, is gross behavior. I'm all for exposing bugs and getting things fixed, I just don't like Google's holier-than-thou attitude about it.

Perhaps there isn't an attitude to it or really anything more than just the facts, and it's people just reading their own biases into it all (as often happens with anything). When it comes to things of this nature what should be looked at is the issue and its fix, not really who found the issue or who is fixing it or any of that extraneous "politics" which really are irrelevant in an objective view. But of course people being people will pointlessly bring subjectivity into it focusing on the irrelevant pieces of it all.
 
Apple needs to start taking security seriously. Windows has been forced to do so for years, and it seems like Apple never felt the need. Wake the hell up, Apple!
 
Perhaps there isn't an attitude to it or really anything more than just the facts, and it's people just reading their own biases into it all (as often happens with anything). When it comes to things of this nature what should be looked at is the issue and its fix, not really who found the issue or who is fixing it or any of that extraneous "politics" which really are irrelevant in an objective view. But of course people being people will pointlessly bring subjectivity into it focusing on the irrelevant pieces of it all.

So you can't even spot a potential conflict of interest here. Amazing.
 
Apple needs to start taking security seriously. Windows has been forced to do so for years, and it seems like Apple never felt the need. Wake the hell up, Apple!

I guess that's why MS has a 200 to 1 number of security patches compared to Apple... Because they take security seriously... So, I guess a car maker that issues 10 recalls makes better cars than one that has 1 recall by that measure... Makes total, absolute... nonsense.
 
It isn't so much a question of demands as working together to find a pragmatic solution to the problem.

I think it would be unreasonable to allow this period to extend forever, but if we are talking about weeks or days, I don't see what Google would lose, and even less how it would corrupt the entire project.

Unfixed issues exist on Google's products as well; why don't they apply their 90-day limit there?

http://www.engadget.com/2015/01/14/google-security-bug-billion-android-phones/

If they make an exception for Apple, then they would need to make an exception for Microsoft, Oracle, VMware and every open source project that isn't getting patched in time.

The question about Google's products is already answered in the link you provided. The fix is in Android 4.4 and 5.0 (just like some OS X fixes are only available in Mountain Lion and above) and the responsibility for updating those operating systems is with the OEMs.

Many Apple customers are also Google customers. I don't want someone to hack into my Google account and have Google tell me that the hack was via OS X and they knew about the problem for the last three years.
 
So you can't even spot a potential conflict of interest here. Amazing.

I can spot a lot of things in a lot of things, as many people can and do. The difference is paying attention to what's actually important rather than extraneous irrelevant pieces.
 
I can spot a lot of things in a lot of things, as many people can and do. The difference is paying attention to what's actually important rather than extraneous irrelevant pieces.

Two things can be noteworthy at the same time, I hope you realize this.
 
If they make an exception for Apple, then they would need to make an exception for Microsoft, Oracle, VMware and every open source project that isn't getting patched in time.

The question about Google's products is already answered in the link you provided. The fix is in Android 4.4 and 5.0 (just like some OS X fixes are only available in Mountain Lion and above) and the responsibility for updating those operating systems is with the OEMs.

Many Apple customers are also Google customers. I don't want someone to hack into my Google account and have Google tell me that the hack was via OS X and they knew about the problem for the last three years.

The good old "OEM's fault" defense... Guess those unpatched people should be grateful Google cares so much about them to let a messed-up upgrade process be created in the first place... Let the no-margin OEM do the work and take the blame, while we collect the profits from Android.

Even now with the supposedly better update process, there are still parts of Android that can't be upgraded without the OEM's intervention. No wonder Samsung wants to get out from Android; what's in it for them?

Maybe that's why many Asian makers just dumped the App store and all Google apps. Why give money to someone who doesn't care about you?

PS: Apple ended support for Snow Leopard 4.5 years after its release (December 2013), so I doubt there's any recent OS X version not getting a security update. They were still selling Lion (released in 2011) in 2013. In fact it seems that about 4 (sometimes 5) years is the standard support for OSX.
 
Two things can be noteworthy at the same time, I hope you realize this.

They can be, but they don't have to be, and often enough aren't (sometimes it really is just people reading something into something else even if it's not actually there).
 
The good old "OEM's fault" defense... Guess those unpatched people should be grateful Google cares so much about them to let a messed-up upgrade process be created in the first place... Let the no-margin OEM do the work and take the blame, while we collect the profits from Android.

Even now with the supposedly better update process, there are still parts of Android that can't be upgraded without the OEM's intervention. No wonder Samsung wants to get out from Android; what's in it for them?

Maybe that's why many Asian makers just dumped the App store and all Google apps. Why give money to someone who doesn't care about you?

PS: Apple ended support for Snow Leopard 4.5 years after its release (December 2013), so I doubt there's any recent OS X version not getting a security update. They were still selling Lion (released in 2011) in 2013. In fact it seems that about 4 (sometimes 5) years is the standard support for OSX.

The life cycle requirements for desktops and laptops are longer than a phone. Lion got the bash update in September last year, but didn't get Security Update 2014-005 or the NTP update, so security updates for Lion effectively ended October 2014.

Meanwhile the open source Debian 6.0 (released 2011-02-06) still gets security updates for ia32 and x86-64 until 2016 (Ubuntu LTS has similar long term support).
 
So many desperate people here. Google is capable of finding vulnerabilities in other systems and making the developer of that system fix it, and everybody goes crazy, when maybe you should thank them. What exactly does this have to do with Android having bugs as well?

I think most people here are ******** because a bug in OSX has been found in the first place, but everyone knows that OSX is perfect because Apple says so, right?
 
I'm amazed at the amount of hate Google is getting. They are making software you use more secure by essentially forcing developers to fix their applications. How is this a bad thing? If anything, you should be thanking Google, since those are fewer vulnerabilities hackers have access to.

Forcing people to do what you want is always WRONG. It's called extortion...

But with extortion being the standard way of politics in the US, no wonder few see problems with Google behaving as it does.
 
No wonder Samsung wants to get out from Android; what's in it for them?

In what world do you say that Samsung wants to get out from Android?

Maybe that's why many Asian makers just dumped the App store and all Google apps. Why give money to someone who doesn't care about you?

Dumped? When?

----------

Forcing people to do what you want is always WRONG. It's called extortion...

Are you saying that the security industry is formed by extortionists?
 
In what world do you say that Samsung wants to get out from Android?



Dumped? When?

----------



Are you saying that the security industry is formed by extortionists?

They're not using the Play Store or anything Google; inform yourself, I'm not going to do the browsing for you. A bit of this is that China doesn't work at all with Google.
 