Alex Stamos schools Apple after they whine about Google revealing a whack of Ios zero-days

Originally published at: https://boingboing.net/2019/09/10/dear-apple-employees.html

2 Likes

I saw Apple’s initial response to the exploit being exposed, and I thought “this…misses the point.”

7 Likes

I really wish sick burns actually spurred corporate entities to take action, though.

3 Likes

For all we know, there were literal sick burns, too.

1 Like

The problem here is that google implied that only iOS devices were affected when android and windows were also targeted by the same websites. They also neglected to provide context of the extent of possible affected users. Every news article was about how personal data was being lifted from iOS devices simply by visiting nefarious websites. A week later, after attention waned, a few articles popped up clarifying that android and windows were also affected and it was a state sponsored attack against a relatively small population. Any statistics on how may Uighurs use iOS vs. android or windows? From the start the story should have been about the Chinese government’s oppression of Uighurs instead of silly corporate fanboyism.

2 Likes

Apparently I can’t just post “los” as a reply so:
los

I think the reason why Apple’s response has gone over pretty coldly is that it, at least implicitly and pretty close to openly, it veered into focusing on semantic quibbling and whinging about unfairness rather than responding to the frankly alarming(and uncontested) substance of the security claims.

It is true that the TAG/Project Zero work was focused on iOS exploits(I’ve not seen anything on whether the Windows and Android exploitation wasn’t mentioned because they weren’t using zero days for it and so it fell outside the scope of Project Zero’s remit or because it was deliberately elided; though it’s unclear why Google would want to cover for Microsoft).

However, even if the selective focus was 100% a mendacious scheme of Google PR, it was unfortunately true about the scope and severity of then iOS zero days found in analyzing just one set of watering holes. Website visit to root exploit chains for at least two years of iOS; and apparently not being treated as valuable enough to protect by using more subtle payloads(things like unencrypted exfiltration and hitting the C&C servers for new orders every 60 seconds are absurdly crude if you care about keeping your attack quiet and maintaining its cover).

In that context a response to the effect of “it wasn’t two years because at least some of the sites hosting the attack were active for much less time; and it wasn’t indescriminant because it only targeted every visitor to some specific sites” isn’t reassuring. Even if the specific attack sites detected were open only for a limited time nothing assures us that they were the only ones with knowledge of the attacks, or that nobody was making more careful use of them; and it’s a matter of fact that the attacks were good against 2ish years of iOS, which is how vulnerability windows are usually computed.

Neither Google not Apple really covered themselves in glory in terms of studiously not mentioning China. TAG probably knows a thing or two about inferring who a watering hope attack is aimed at and at least the front operation running it(and it’s not like there’s a long list of ‘or one of the other nation states that really dislikes Uighurs and has a known technical surveillance effort against them’ to choose from) and they didn’t say it; but once it came out via 3rd parties Apple’s ‘meh, niche relevance, just some obscure people who aren’t you’ response was both cowardly and breathtakingly tasteless(and also ignored the possibility that the attack chains weren’t known and used elsewhere, with this just being the case they discovered).

As a final touch, the ‘we were already fixing them when Google told us’ bit(while true) quietly elided the ‘because it was serious enough that the FBI also told us…’ half of that story.

Given the severity of the issues, for a platform that enjoys a generally very favorable reputation on security grounds, I can see why Apple was pissed enough to lash out; but their response wasn’t a good look; nor did it refute any of the most worrisome technical claims. As it happens the Chinese were busy with the Uighur question; but the same exploit chains could have been dropped into a malicious ad and run far and wide for a pittance; so ‘but don’t worry, they weren’t interested in you today’ doesn’t help much.

(There’s also the problem, for Apple, that making an equivalence argument “but they were attacking Windows and Android too” is still pretty much a loss: everyone says mean things about Android security, especially random Chinese cheapie handsets, and Apple has been making hay with Windows for years, so iOS users are unlikely to be comforted by the notion that they merely don’t have it worse than the malware riddled peasants.)

1 Like

Cory, you reduce clarity and also make yourself less credible by intentionally mis-spelling a brand name. I understand that it’s a protest, but my feeling is that you are actually harming your ability to make a cogent argument by including that protest in every post you make about Apple. Just my $0.02

This topic was automatically closed after 5 days. New replies are no longer allowed.