Google Researchers Say Hackers Exploited Two Zero-Day Vulnerabilities Patched in Apple's iOS 12.1.4 Update

Do you feel they added too many new features in iOS 12?

 

Google, nice to point out the flaws, how about expose the hackers while your at it.

 

Presumption being they knew who the hacker were Are you familiar with what Project Zero does?

 

Simple answer yes. Suggesting the next step. I would speculate that a good majority of the hackers are rather easy to find, given the vast resources Google has. The very sophisticated well funded ones the challenge. Nice to deliver blows to low hanging fruit. Also points out the degree of ease the flaw has.

 

None of that makes any sense. Google's resources, like the resource of Microsoft, Apple, Facebook, etc. have no correlation to their ability to find hackers. Besides, I'm pretty sure the math says it makes more sense to mitigate the vulnerabilities instead of wasting resources chasing a person or group of people. Even with that being said, there are groups with resources dedicated to finding hackers. Both gov't and private.

Project Zero's mission of finding zero day exploits is beneficial enough.

 

My point, 90 days after the flaw found until public notified. Public and bad guys who know of the flaw are in most cases unaware the flaw has been found. A perfect time to set a trap. If Google cannot do it then turn over the flaw to not only the developer but to those hunting the hackers. Finding the flaw not enough. Need more aggressive actions on holding the hackers accountable. Hackers have this Robin-hood cult following. When they are just criminals.

 

Wouldn't the victory be if there was no "hole" to begin with? This whole "hey, software is buggy right?' but we fixed it" seems like the whole Windows (but you need anti-virus really to use it) non-sense Microsoft found themselves in.

 

I just love when people make suggestions in domains they know nothing about.

Zero Day means that it is an existing vulnerability in a live system. It doesn't mean that there are hackers already exploiting it.

It's like if your neighbor said "I noticed that your upstairs window has a loose piece of glass that could be pried out" and then someone on MR says, "why don't they give you the name of the burglars?" Or even better "why didn't your neighbor set a trap for the burglars?"

Just because a vulnerability exists, doesn't mean anyone has actually exploited it. And it's not Google's job to hunt down criminals.

 

Ambiguous headline. Exploited prior to the patch. Whew.

--- Post Merged, Feb 8, 2019 ---

No such thing as a modern, robust OS with no holes. You’re talking about pie in the sky and an unrealistic standard.

 

Apple got googled.

 

Contrary to popular believe, iOS is obviously more bug ridden than Android due to its closed proprietary nature.

Even 14 years old kid can discover one major zero day bug is a telltale sign.

 

This is why people should seriously consider upgrading to the newest iOS as long as performance is not severely impacted. Anyone on an iOS 12-compatible device should already be on it. Staying on an older iOS *just* for performance reasons is asking to be exploited - there are plenty of vulnerabilities that aren't even known or published.

 

Well the OP was implying we should be thankfull Apple gets round to fixing things. Your mentality seems to be modern OSs are inherently broken and therefore we should be thankful for what we've got (BTW heard of any day-1 Linux flaws lately?)

 

i don't get your point here.
iOS patched these two exploits and all iOS devices can receive the update now.
Android patched, but updates aren't available for all devices yet.

you're saying, it's fine if Google points out those iOS already-fixed exploits, but i can't point out Google's exploits?

you sound very hypocritical right now.

 

Someone needs to reboot their sarcasm detector.

 

They work with law enforcement when it is warranted but the project is not designed to "expose" hackers. They focus their time on finding flaws and working with companies on patching them.

 

Lately? No. Ever? Of course.

And you’ve got my mentality wrong. I’m just saying that it’s folly to expect macOS, or Windows, or Major Linux flavors for that matter, to be delivered with no security flaws at all, nor is it a bad sign for the dev entity that there are ever any.

 

So if Project Zero is good at what they do would imply that Apple software team QA have a lot of issue if they themselves cannot identify these problems

FaceTime cal bug should have have been easily found before it was rolled out !!

Apple is really dropping the ball more and more

 

I don't agree. Project Zero is good at what they do because it's all they do - search for zero day exploits in all OSes. That's not implication against Apple's software team QA. There hasn't ever, isn't now, nor will there ever be perfect software.

To say the FT bug should have been easily found suggests a naivete regarding software development. I agree Apple has deficiencies. So does every company. But to say Apple having a bug in it's software is an indicator of anything greater is kinda silly. There are far better examples of problems at Apple than software having a bug. Software is always going to have bugs.

 

You're thinking of NSO who developed spyware used by the Saudis.

 

Then stop with the iPhone is above the rest with security and privacy. Apple is just no better than others. Thinking otherwise just opens yourself up to complacency and false sense of security...which is sad to say applies proportionally far more iPhone users (than Android users)

 

I'm guessing you're speaking in general terms, because iPhone is above the rest is a phrase that I've never spoken in my life. It's also a sentiment I've never espoused. iOS vs Android is some fanboy nonsense I don't even acknowledge.

 

Right. Oh sorry, Android is a set of tool kits on top of Linux which is rock solid, zero defects. /s

Linux is nothing but a constant work-in-progress, often ten steps backwards, two steps forward, rehash, break, break, break--it's free, break, break, fix, new exploits, repeat and rinse.

Just one of hundreds of common security updates in the world of Linux.

https://www.debian.org/security/

 

There's what someone strives for and what goes into products/services and then there are bugs and issues--apples and oranges, as they say.

--- Post Merged, Feb 10, 2019 at 9:10 PM ---

Doesn't really seem like it works as sarcasm either.

 

Just to be clear, these are OS related security holes and not hardware security issues like the SEP being hacked or anything like that. OSs are never 100% secure so even though this is not good, it's not surprising. It's good we have these researches looking for vulnerabilities. No one is breaking SEP though.