Apple issues statement refuting Google's 'false impression' of iOS security [u]

Posted in General Discussion, edited September 2019
Apple has challenged some of Google's claims regarding iOS vulnerabilities, and stresses that its own 'end-to-end' security systems are 'unmatched' by its rivals.




In a rare public response, Apple has issued a press release specifically to address recent claims by Google concerning security vulnerabilities within iOS. Apple disagrees with Google's estimate of how long these vulnerabilities were open to attack, and how many websites were affected.

Apple also states that it addressed the issues promptly and accuses Google of deliberately causing concern for iPhone users.

"Google's post, issued six months after iOS patches were released," says the release, "creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case."

"The attack affected fewer than a dozen websites that focus on content related to the Uighur community."

Apple says that Google's claim that websites which exploited these vulnerabilities were able to attack users for two years is grossly inflated.

"All evidence indicates that these website attacks were only operational for a brief period, roughly two months," the statement continues.

"We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs."

Apple's release concludes with a statement claiming that iOS has unmatched security, and in a criticism of Google, says that it is because "we take end-to-end responsibility."

The complete text of Apple's statement reads:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.

Google later responded to Apple's press release in a statement to The Verge.

"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online," a Google spokesperson said.

Updated with statement from Google.

Comments

  • Reply 1 of 61
    gatorguy Posts: 24,176 member
    As they should.

    iOS is not insecure, nor should it be inferred it is when rare exploits are exposed. 
  • Reply 2 of 61
    mjtomlin Posts: 2,673 member
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    edited September 2019
  • Reply 3 of 61
    davgreg Posts: 1,036 member
    gatorguy said:
    As they should.

    iOS is not insecure, nor should it be inferred it is when rare exploits are exposed. 
    Ask the NSA.

    Your iOS may not be insecure, but your iPhone most likely is.
    NIST and the NSA introduced backdoors in standards for the baseband radios, hacked the makers of SIM cards, etc.
    Police all over have Stingrays that spoof cell towers and sweep up the data of people without a warrant or probable cause.
    Then there are security issues related to the ISP/wireless ISPs and how they process and handle your data.

    After all that, then you get to weaknesses in the UNIX base, the open source technologies incorporated into iOS, Apple’s own proprietary software and protocols and then the apps running on iOS from 3rd party vendors.

    Finally do not forget that Apple runs some services on AWS and is therefore subject to the security concerns of that platform.

    So you might be right regarding iOS, but your iPhone- not so much.


  • Reply 4 of 61
    tmay Posts: 6,311 member
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.

    https://www.forbes.com/sites/thomasbrewster/2019/09/01/iphone-hackers-caught-by-google-also-targeted-android-and-microsoft-windows-say-sources/#43e4c76b4adf
    edited September 2019
  • Reply 5 of 61
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Can you give a link to the supposed vulnerabilities being exploited in Windows and Android which Project Zero brushed under the rug?

    The last part of your comment I find troubling, as it is a statement without a shred of evidence.
  • Reply 6 of 61
    cpsro Posts: 3,192 member
    So, Google, when were the exploits fixed in Android and the gajillion devices that run it?
    All of my iOS devices were patched in February.
    edited September 2019
  • Reply 7 of 61
    lkrupp Posts: 10,557 member
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Go watch Rene Ritchie’s rebuttal on YouTube. Then read Tech Crunch’s take on Google’s Project Zero sins of omission. But the damage is done. It’s out there and every click hungry tech blogger has pounced on it. This was intentional, absolutely no doubt about it. It was a smear campaign pure and simple designed to put FUD in the minds of iOS users. Google itself may or may not have sanctioned the smear campaign but someone is behind it. Someone gave the go ahead to publish this purposely misleading article. It wasn’t sloppy reporting. It was intentional. I’m glad Apple responded but as I said the damage is done.
  • Reply 8 of 61
    Abalos65 said:
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Can you give a link to the supposed vulnerabilities being exploited in Windows and Android which Project Zero brushed under the rug?

    The last part of your comment I find troubling, as it is a statement without a shred of evidence.
    I read the last part as speculation on the part of Abalos65 based on a belief in the competence of Project Zero and disdain for the ‘suits’ (i.e. marketing) who usually craft the text that is released.
  • Reply 9 of 61
    Google is an iOS security breach.
    edited September 2019
  • Reply 10 of 61
    mjtomlin Posts: 2,673 member
    Abalos65 said:
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Can you give a link to the supposed vulnerabilities being exploited in Windows and Android which Project Zero brushed under the rug?

    The last part of your comment I find troubling, as it is a statement without a shred of evidence.

    What’s more troubling about your comment is that people seem to want to hold some schmuck’s comment on a message board to a higher standard than actual journalists or “informed” bloggers. All over the internet supposed reputable writers make claims without anyone asking for “evidence” and they blindly follow.

    There was nothing false in what the Project Zero engineers blogged about - which was the intricacies of the extremely complicated exploit; the hackers had to find and exploit more than a dozen different vulnerabilities to affect an iOS device. That exact exploit was in fact iOS only, but to believe or think that the hackers didn’t also target the other two major platforms is pure ignorance.

    Anyone in-the-know believed that as well, and I believe it was Forbes that uncovered the fact that both Windows and Android vulnerabilities were exploited and the “two year” figure actually applies to those exploits, not iOS. Apple has the ability to determine how long a specific vulnerability has existed due to the fact that they know when that code was released into the wild and they have stated it was only possible to exploit up to two months prior.

    The irony of this whole issue is that it was probably much, much easier for the hackers to “break” into Android and Windows, than it was to find a way into iOS.
    edited September 2019
  • Reply 11 of 61
    gatorguy Posts: 24,176 member
    lkrupp said:
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Go watch Rene Ritchie’s rebuttal on YouTube. Then read Tech Crunch’s take on Google’s Project Zero sins of omission. But the damage is done. It’s out there and every click hungry tech blogger has pounced on it. This was intentional, absolutely no doubt about it. It was a smear campaign pure and simple designed to put FUD in the minds of iOS users. Google itself may or may not have sanctioned the smear campaign but someone is behind it. Someone gave the go ahead to publish this purposely misleading article. It wasn’t sloppy reporting. It was intentional. I’m glad Apple responded but as I said the damage is done.
    Some things are constant, and sloppy reporting is one of them.
    Stagefright... Quadrooter... Millions at risk! No fix possible!!
    In truth zero real life danger, not one in the wild exploit, no harm to any user's device, but sloppy reporting made sure the damage was done anyway.

    These constant click-bait articles, inferences of danger not actually based in fact, and whip-it-out penile measurements between fans and even companies does not help consumers one iota. 
    edited September 2019
  • Reply 12 of 61
    "We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs."

    It sounds like Apple is saying they were already closing these exploits and that they learned about them not from Google. 
  • Reply 13 of 61
    tmay Posts: 6,311 member
    gatorguy said:
    lkrupp said:
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Go watch Rene Ritchie’s rebuttal on YouTube. Then read Tech Crunch’s take on Google’s Project Zero sins of omission. But the damage is done. It’s out there and every click hungry tech blogger has pounced on it. This was intentional, absolutely no doubt about it. It was a smear campaign pure and simple designed to put FUD in the minds of iOS users. Google itself may or may not have sanctioned the smear campaign but someone is behind it. Someone gave the go ahead to publish this purposely misleading article. It wasn’t sloppy reporting. It was intentional. I’m glad Apple responded but as I said the damage is done.
    Some things are constant, and sloppy reporting is one of them.
    Stagefright... Quadrooter... Millions at risk! No fix possible!!
    In truth zero real life danger, not one in the wild exploit, no harm to any user's device, but sloppy reporting made sure the damage was done anyway.

    These constant click-bait articles, inferences of danger not actually based in fact, and whip-it-out penile measurements between fans and even companies does not help consumers one iota. 
    Sounds like you are giving Google a pass on this...
  • Reply 14 of 61
    gatorguy Posts: 24,176 member
    tmay said:
    gatorguy said:
    lkrupp said:
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Go watch Rene Ritchie’s rebuttal on YouTube. Then read Tech Crunch’s take on Google’s Project Zero sins of omission. But the damage is done. It’s out there and every click hungry tech blogger has pounced on it. This was intentional, absolutely no doubt about it. It was a smear campaign pure and simple designed to put FUD in the minds of iOS users. Google itself may or may not have sanctioned the smear campaign but someone is behind it. Someone gave the go ahead to publish this purposely misleading article. It wasn’t sloppy reporting. It was intentional. I’m glad Apple responded but as I said the damage is done.
    Some things are constant, and sloppy reporting is one of them.
    Stagefright... Quadrooter... Millions at risk! No fix possible!!
    In truth zero real life danger, not one in the wild exploit, no harm to any user's device, but sloppy reporting made sure the damage was done anyway.

    These constant click-bait articles, inferences of danger not actually based in fact, and whip-it-out penile measurements between fans and even companies does not help consumers one iota. 
    Sounds like you are giving Google a pass on this...
    Nope not at all. Did you read what I've said in the thread? In fact yesterday I posted in the original story that Google has let a zero-day of their own languish unpatched for six months now. Glass houses. 

    Don't know who's to blame for the tone or timing of the article, but to infer that iOS is "insecure" with it is 100% wrong. 
  • Reply 15 of 61
    mjtomlin said:
    Abalos65 said:
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Can you give a link to the supposed vulnerabilities being exploited in Windows and Android which Project Zero brushed under the rug?

    The last part of your comment I find troubling, as it is a statement without a shred of evidence.

    What’s more troubling about your comment is that people seem to want to hold some schmuck’s comment on a message board to a higher standard than actual journalists or “informed” bloggers. All over the internet supposed reputable writers make claims without anyone asking for “evidence” and they blindly follow.

    There was nothing false in what the Project Zero engineers blogged about - which was the intricacies of the extremely complicated exploit; the hackers had to find and exploit more than a dozen different vulnerabilities to affect an iOS device. That exact exploit was in fact iOS only, but to believe or think that the hackers didn’t also target the other two major platforms is pure ignorance.

    Anyone in-the-know believed that as well, and I believe it was Forbes that uncovered the fact that both Windows and Android vulnerabilities were exploited and the “two year” figure actually applies to those exploits, not iOS. Apple has the ability to determine how long a specific vulnerability has existed due to the fact that they know when that code was released into the wild and they have stated it was only possible to exploit up to two months prior.

    The irony of this whole issue is that it was probably much, much easier for the hackers to “break” into Android and Windows, than it was to find a way into iOS.
    You are moaning about the way journalists are behaving, but are not yourself willing to set the standard any higher?

    Found the article on Forbes. I cannot find any of your claims about the two year figure only being based on the Windows and Android exploits. The same can be said for the claim about Apple's knowledge of the duration of the exploit. Where are you getting this from? Just the short press release of Apple? There is no mention made about how they determined the two months in that press release.

    And the last part is, again, a statement without a shred of evidence. Based on the information about this particular incident related to the Uighur community you cannot make such a claim. It is reductive, and just makes it a fanboy war. 

    And for the record, I think that Project Zero should have mentioned the broader targeting of the Uighur community on Android and Windows if they had any knowledge about it.
  • Reply 16 of 61
    gatorguy Posts: 24,176 member
    Abalos65 said:
    mjtomlin said:
    Abalos65 said:
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Can you give a link to the supposed vulnerabilities being exploited in Windows and Android which Project Zero brushed under the rug?

    The last part of your comment I find troubling, as it is a statement without a shred of evidence.

    What’s more troubling about your comment is that people seem to want to hold some schmuck’s comment on a message board to a higher standard than actual journalists or “informed” bloggers. All over the internet supposed reputable writers make claims without anyone asking for “evidence” and they blindly follow.

    There was nothing false in what the Project Zero engineers blogged about - which was the intricacies of the extremely complicated exploit; the hackers had to find and exploit more than a dozen different vulnerabilities to affect an iOS device. That exact exploit was in fact iOS only, but to believe or think that the hackers didn’t also target the other two major platforms is pure ignorance.

    Anyone in-the-know believed that as well, and I believe it was Forbes that uncovered the fact that both Windows and Android vulnerabilities were exploited and the “two year” figure actually applies to those exploits, not iOS. Apple has the ability to determine how long a specific vulnerability has existed due to the fact that they know when that code was released into the wild and they have stated it was only possible to exploit up to two months prior.

    The irony of this whole issue is that it was probably much, much easier for the hackers to “break” into Android and Windows, than it was to find a way into iOS.


    And for the record, I think that Project Zero should have mentioned the broader targeting of the Uighur community on Android and Windows if they had any knowledge about it.
    I thought I remembered someone connected to Project Zero said they have no knowledge of either Android or MS being targeted by the same exploits. I'd have to look again but I don't believe anyone other than Forbes is reporting "sources say".  

    EDIT: It is Microsoft claiming no knowledge of the sites exploiting iPhones also targeting Windows, nor have any researchers reported similar exploits to them so far. In addition "other sources" familiar with the  hacks claimed Google had only seen iOS exploits being served from the sites. 
    edited September 2019
  • Reply 17 of 61
    tmay Posts: 6,311 member
    gatorguy said:
    Abalos65 said:
    mjtomlin said:
    Abalos65 said:
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Can you give a link to the supposed vulnerabilities being exploited in Windows and Android which Project Zero brushed under the rug?

    The last part of your comment I find troubling, as it is a statement without a shred of evidence.

    What’s more troubling about your comment is that people seem to want to hold some schmuck’s comment on a message board to a higher standard than actual journalists or “informed” bloggers. All over the internet supposed reputable writers make claims without anyone asking for “evidence” and they blindly follow.

    There was nothing false in what the Project Zero engineers blogged about - which was the intricacies of the extremely complicated exploit; the hackers had to find and exploit more than a dozen different vulnerabilities to affect an iOS device. That exact exploit was in fact iOS only, but to believe or think that the hackers didn’t also target the other two major platforms is pure ignorance.

    Anyone in-the-know believed that as well, and I believe it was Forbes that uncovered the fact that both Windows and Android vulnerabilities were exploited and the “two year” figure actually applies to those exploits, not iOS. Apple has the ability to determine how long a specific vulnerability has existed due to the fact that they know when that code was released into the wild and they have stated it was only possible to exploit up to two months prior.

    The irony of this whole issue is that it was probably much, much easier for the hackers to “break” into Android and Windows, than it was to find a way into iOS.


    And for the record, I think that Project Zero should have mentioned the broader targeting of the Uighur community on Android and Windows if they had any knowledge about it.
    I thought I remembered someone connected to Project Zero said they have no knowledge of either Android or MS being targeted by the same exploits. I'd have to look again but I don't believe anyone other than Forbes is reporting "sources say".  

    EDIT: It is Microsoft claiming no knowledge of the sites exploiting iPhones also targeting Windows, nor have any researchers reported similar exploits to them so far. In addition "other sources" familiar with the  hacks claimed Google had only seen iOS exploits being served from the sites. 
    https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/

    What's lost in this, is that this is the Chinese Government behind the hacks. 
  • Reply 18 of 61
    gatorguy Posts: 24,176 member
    "We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs."

    It sounds like Apple is saying they were already closing these exploits and that they learned about them not from Google. 
    There were actually two groups within Google who had each advised Apple of the exploit sites: The Threat Analysis Group (TAG) first discovered the watering-hole sites, reporting it to both Apple and Google's Project Zero. Sometime presumably shortly thereafter Google's Project Zero Team identified the flawed code that allowed exploits to work and on February 1st reported the specifics to Apple. Apple had fixes in place within 7 days of that, an indication they may have already started their own investigation and probably had after being advised by Google TAG three days earlier (assuming Apple's mention of "10 days later" is accurate).

    https://support.apple.com/en-us/HT209520

    So yes both could be correct. A Google group discovered it and reported it to Apple, but by the time the second Google group (Project Zero) gave them specifics they were already working on it. In fact I think the Project Zero blog post alludes to that being the case.  Project Zero didn't discover it, that would have been TAG, but they did figure out how it worked. 

    No one actually lying but both could be a bit more transparent?
    edited September 2019
  • Reply 19 of 61
    mjtomlin said:
    Good for Apple.

    The importance of Google’s Project Zero cannot be overstated, but the handling of this issue was sloppy and irresponsible. It’s now obvious this was little more than a smear campaign against Apple as the issue was not only fixed in a timely manner 6 months ago, but singling out iOS as the only target was disingenuous when vulnerabilities in Windows and Android were exploited as well.

    There is no way the Project Zero team did not know ALL the facts of this “attack” and it’s apparent that Google marketing must’ve stepped in and decided to publicly disclose only certain aspects to disparage iOS.
    Yeah! Google really blew their credibility by not mentioning that Android had the same exploit.
  • Reply 20 of 61
    lkrupp Posts: 10,557 member
    Google just responded to Apple’s rebuttal with “We stand behind our report.” So someone is lying. Who? 