FBI Gave First Security Disclosure Under 'Vulnerability Equities Process' to Apple on April 14

MacRumors

macrumors bot
Original poster
Apr 12, 2001
7,394
8,478



On April 14, the FBI informed Apple of a security flaw in older versions of iOS and OS X, its first vulnerability disclosure to Apple under the Vulnerability Equities Process, reports Reuters, citing information obtained directly from the Cupertino company.

The Vulnerability Equities Process allows federal agencies to determine whether critical security flaws should be kept private for law enforcement use or disclosed to companies to allow them to patch major vulnerabilities.

The security flaw the FBI shared with Apple pertained to older versions of the iPhone and Mac and it was fixed with the release of iOS 9 and OS X El Capitan. It was not the vulnerability that was exploited to break into the iPhone 5c used by San Bernardino shooter Syed Farook, which remains under wraps.

Apple says 80 percent of iPhones run a safe version of iOS and are not vulnerable to the security flaw shared by the FBI. Apple told Reuters it does not have plans to issue a patch for the older, vulnerable software.

According to Reuters, the FBI was motivated to provide Apple with information on an older vulnerability following a report suggesting it would not use the Vulnerability Equities Process to provide Apple with the method used to hack the San Bernardino iPhone.
The day after that report, the FBI offered information about the older vulnerabilities to Apple. The move may have been an effort to show that it can and does use the White House process and disclose hacking methods when it can.

The flaw the FBI disclosed to Apple this month did nothing to change the company's perception that the White House process is less effective than has been claimed, said an Apple executive who declined to be named.
Earlier today, a report from The Wall Street Journal suggested the FBI has decided not to disclose the vulnerability used to access the San Bernardino iPhone. FBI Director James Comey has insinuated the FBI cannot provide details on the hacking method used on the iPhone because the security flaw exploited is owned by a private company.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

Article Link: FBI Gave First Security Disclosure Under 'Vulnerability Equities Process' to Apple on April 14
 

garirry

macrumors 68000
Apr 27, 2013
1,545
3,803
Canada is my city
What kind of stupid game are they playing? Why would they need to tell Apple this? It just increases the chances for a fix to happen!
 

btrach144

macrumors 68000
Aug 28, 2015
1,628
3,581
I personally update myself and my wife electronics day 1 but I'm more relaxed with my parents. Time to get serious about them as well.
 

peterh988

macrumors 6502a
Jun 5, 2011
591
977
FBI "Hey Apple, did you know Darth Vader is Lukes father?"

Apple "Erm, OK, thanks, FBI"

(Apologies if that's a spoiler for anyone! :) )
 

Robert.Walter

macrumors 68000
Jul 10, 2012
1,538
1,616
>offering a tip that benefits less than 10% of Apple's installed base, a flaw that Apple itself has declined to bother patching.

>>nothing of value was provided.

>>>only political cover was sought.

I can imagine the conversation that led to this: "we're taking a shellacking in the court of public opinion for our All Writs Act exploit. Maybe we should offer up the most useless vulnerability we know of to show our disclosure "process" is real." Much LoL-Ing in the FBI conference room then ensued.
 
  • Like
Reactions: nt5672