Slashdot Mirror


Google's 'Project Zero' Hid A Major Vulnerability in Apple's OS and iOS Cores (thestack.com)

In June Google's task-force against zero day exploits "identified a coding exploit in the underlying kernel of Apple's OSX and its mobile operating system iOS, which could allow for root-level escalation of privileges for an attacker in a non-updated version of the OS," according to The Stack.

An anonymous reader writes that Google "initially refused Apple's request for sixty days' grace, but eventually settled on September 21st for disclosure. But when Apple's last-minute September fix turned out to be ineffective, Project Zero agreed to keep quiet, eventually granting Apple nearly five months of silence about the task_t bug -- which has now been fixed in the latest updates to Mac OS and iOS." The fix was released Monday, the Stack reports: Since the task_t bug allows the user to gain any entitlements they may want, it could also nullify kernel code signing, which would allow unauthorized programs to run with elevated privileges on a Mac system. Any current OSX or iOS user who has applied the latest system updates is not susceptible to the task_t vulnerability.

88 comments

  1. Where exactly was the bug... by Anonymous Coward · · Score: 1

    Was this a unix-linux level bug that would affect all systems built on top or was this an OS X/iOS-induced bug from layers that sit on top of the kernel? Were BSD-derived systems similarly affected, or Android systems?

    Is there a counterpart in the wild in Linux-land?

    1. Re:Where exactly was the bug... by Shimbo · · Score: 2

      It was a performance hack for a microkernel system, so no. Apple had to do some extensive reworking to fix it, so it seems sensible to me to cut them some slack in this case.

    2. Re: Where exactly was the bug... by Anonymous Coward · · Score: 0

      You mean they had to pretend to fix it while at the same time punch and obfuscate one of comparable magnitude for the no search agency to use.

    3. Re:Where exactly was the bug... by ls671 · · Score: 1

      OSX and iOS are based on NeXTSTEP:

      http://arstechnica.com/apple/2...

      https://en.wikipedia.org/wiki/...

      Back on topic; Project Zero went the ethical way.

      --
      Everything I write is lies, read between the lines.
    4. Re: Where exactly was the bug... by Anonymous Coward · · Score: 1, Insightful

      You mean they had to pretend to fix it while at the same time punch and obfuscate one of comparable magnitude for the no search agency to use.

      FUCK OFF.

      AND DIE.

    5. Re:Where exactly was the bug... by Anonymous Coward · · Score: 0

      OSX and iOS are based on NeXTSTEP:

      http://arstechnica.com/apple/2...

      https://en.wikipedia.org/wiki/...

      Back on topic; Project Zero went the ethical way.

      You mean only AFTER Apple BEGGED them, don't you?

    6. Re:Where exactly was the bug... by ls671 · · Score: 1

      OSX and iOS are based on NeXTSTEP:

      http://arstechnica.com/apple/2...

      https://en.wikipedia.org/wiki/...

      Back on topic; Project Zero went the ethical way.

      You mean only AFTER Apple BEGGED them, don't you?

      Who knows what really went on behind the scene. But still; Project Zero went the ethical way whatever the reason.

      --
      Everything I write is lies, read between the lines.
    7. Re:Where exactly was the bug... by Anonymous Coward · · Score: 0

      OSX and iOS are based on NeXTSTEP

      And NeXTSTEP is based on Mach and BSD.

    8. Re:Where exactly was the bug... by ls671 · · Score: 1

      I am glad you looked at the link I provided. Congratulations!

      --
      Everything I write is lies, read between the lines.
    9. Re:Where exactly was the bug... by thogard · · Score: 1

      Until older machines (like the millions of 32-bit Intel and PPC Macs) get fixed, the ethical solution didn't happen. Is Google big enough to force Apple to fix those? If you think the recent IoT botnet was bad, just wait for those millions of older Macs to get p0wned. The unsupported old Macs don't get thrown away, they get handed down and they are still out there on the net waiting to cause problems. The software update option appears to still work even on my old Mac mini G4 that wants to update printer drivers every few months, undoubtedly leading many people into a false sense of security.

      In most of the EU, some US states, and most of the Commonwealth countries, a manufacturer is required to repair defects indefinitely that are likely to cause harm to others.

    10. Re:Where exactly was the bug... by Anonymous Coward · · Score: 0

      It's specific to the OS X/iOS kernel. That kernel is just such a disgusting neglected mess now.

    11. Re:Where exactly was the bug... by Anonymous Coward · · Score: 0

      It proves that I can read, unlike you apparently.

      What is puzzling is why you thought that NeXTSTEP has anything to do with the OP's question. It's like you were just looking for anything to nitpick, only your nitpick was utterly worthless since NeXTSTEP is based on exactly the thing that OP mentioned.

    12. Re:Where exactly was the bug... by TheRaven64 · · Score: 1

      It's a bug in the IOKit component of the kernel, which is part device driver framework and part userspace communication framework. IOKit is specific to XNU and is not found in any other OS (it replaced DeviceKit in NeXTSTEP / OPENSTEP, which used Objective-C in the kernel). The userspace process passes a Mach port to the kernel and the kernel assumes that this Mach port embodies the credentials that the userspace process has. Unfortunately, userspace processes often have Mach ports owned by more privileged processes, so they can persuade some bits of the kernel that they are more privileged than they actually are.

      --
      I am TheRaven on Soylent News
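
The pattern TheRaven64 describes above, as an added toy model in C that is not Apple's or XNU's code: a kernel-side service that reads privilege from the owner of a caller-supplied port (treating the handle as a credential) beside the corrected check that consults the calling task itself. Every name here (struct task, struct port, port_table, setup_ports, privileged_op_vulnerable, privileged_op_fixed) is constructed for the illustration and does not correspond to a real kernel API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical task record: what the kernel knows about one process. */
struct task {
    const char *name;
    bool privileged;            /* e.g. root, or holder of an entitlement */
};

/* Hypothetical port: a kernel object with an owner. Whoever currently holds
 * a send right to it is NOT necessarily the owner. */
struct port {
    struct task *owner;
};

/* Constructed port table, indexed by a small integer "port name". */
#define MAX_PORTS 4
static struct port *port_table[MAX_PORTS];

/* Constructed scenario: a privileged daemon and a sandboxed app. */
static struct task root_task = { "privileged daemon", true };
static struct task user_task = { "sandboxed app", false };
static struct port root_port = { &root_task };
static struct port user_port = { &user_task };

/* Populate the table so that the sandboxed app holds a right to port 1,
 * which is owned by the privileged daemon: the situation the comment
 * describes, where userspace processes often hold ports owned by more
 * privileged processes. */
void setup_ports(void)
{
    for (int i = 0; i < MAX_PORTS; i++)
        port_table[i] = NULL;
    port_table[0] = &user_port;
    port_table[1] = &root_port;
}

static struct task *lookup_port_owner(int port_name)
{
    if (port_name < 0 || port_name >= MAX_PORTS)
        return NULL;
    return port_table[port_name] ? port_table[port_name]->owner : NULL;
}

/* VULNERABLE: the port is treated as a credential. Privilege is read from
 * the port's owner, so a task that merely holds a send right to a privileged
 * task's port passes the check. The real caller is never consulted. */
bool privileged_op_vulnerable(struct task *caller, int port_name)
{
    (void)caller;
    struct task *owner = lookup_port_owner(port_name);
    return owner != NULL && owner->privileged;
}

/* FIXED: the port is only the object being operated on. The decision is
 * made on the calling task's own record; an invalid port is still rejected. */
bool privileged_op_fixed(struct task *caller, int port_name)
{
    if (caller == NULL || lookup_port_owner(port_name) == NULL)
        return false;
    return caller->privileged;
}

int main(void)
{
    setup_ports();
    printf("vulnerable check, sandboxed app with daemon's port: %s\n",
           privileged_op_vulnerable(&user_task, 1) ? "GRANTED" : "denied");
    printf("fixed check,      sandboxed app with daemon's port: %s\n",
           privileged_op_fixed(&user_task, 1) ? "GRANTED" : "denied");
    printf("fixed check,      daemon itself:                   %s\n",
           privileged_op_fixed(&root_task, 1) ? "GRANTED" : "denied");
    return 0;
}
```

The detection-side lesson is the same as in the comment: any authorization decision that keys off an object the caller hands in, rather than off the caller's own identity, is a confused-deputy check and deserves a review whenever such objects can be shared across privilege boundaries.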
    13. Re:Where exactly was the bug... by ls671 · · Score: 1

      Are you sure you can read?

      OP asked:
      "Was this a unix-linux level bug?"

      Can't you notice the "linux" in there?

      And... linux has got nothing to do with it. Linux is not BSD, it is minix.

      https://en.wikipedia.org/wiki/...

      --
      Everything I write is lies, read between the lines.
    14. Re:Where exactly was the bug... by Anonymous Coward · · Score: 0

      OP specifically mentioned BSD. You, oblivious to that fact (or simply illiterate), still felt compelled to "correct" him by saying "no no no it's NeXTSTEP" like a little child.

    15. Re:Where exactly was the bug... by ls671 · · Score: 1
      --
      Everything I write is lies, read between the lines.
    16. Re:Where exactly was the bug... by ls671 · · Score: 1

      I get your point.

      It all boils down to the right time to go full disclosure.

      Too early; systems don't get time to be patched. Too late; information eventually leaks and prices on the black market go down to "buy" the exploit so it becomes easier and more common to see it used.

      That's what I meant about ethical solution. Lately, we see more and more people publicly disclosing holes without even warning the developers. So yes, at least Project Zero seems to have made an effort regarding full disclosure time.

      As for:

      In most of the EU, some US states, and most of the Commonwealth countries, a manufacturer is required to repair defects indefinitely that are likely to cause harm to others.

      It seems just like a matter of who is going to pay the bill for securing their systems. It sounds political and I'd rather not get involved.

      Note that an interesting turn pushing your point, though, is the recent large scale DDoS attacks that have occurred. Those non-repaired machines could turn into IoTs! Nevertheless, unpatched systems have been around forever with some people still running Windows 97, etc. so it will be interesting to see.

      My crystal ball says chances are slim those unpatched systems will turn into DDoS devices but who knows?

      --
      Everything I write is lies, read between the lines.
  2. a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

    That's why they hid it for so long.

    1. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      They acted correctly in this case. In other cases where they disclosed unpatched serious vulnerabilities, they should have been sued.

    2. Re: a lot of Google personnel uses Macs by ArmoredDragon · · Score: 1

      Sued for what? There's no legal remedy for somebody making truthful statements. It just happens to be common industry practice to give some time for a patch to be made while making full public disclosure an ultimatum for somebody not releasing timely patches.

      A lot of armchair-lawyer-Microsoft-fanboys like to fault Google for disclosing a Windows bug after such a notice just because Microsoft themselves complained about it, but Google didn't break any laws, let alone any industry norms at the time, so go put your head back in the Azure where it belongs.

    3. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Sued for what exactly?

    4. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Sued for what? There's no legal remedy for somebody making truthful statements.

      You are thinking of libel. Disclosing details of a vulnerability that can be used maliciously is a gray area. It's been covered by EFF and a blackhat presentation, and it's not as cut-and-dry as you asserted.

      A lot of armchair-lawyer-Microsoft-fanboys like to fault Google for disclosing a windows bug...

      Why the ad hominem attack? It weakens your assertion by waving a giant flag that signals everyone to the fact that you may be speaking out of your depth. In a sense, it makes you look like yet another armchair lawyer.

      Besides, why argue when Google clearly did the responsible thing and allowed Apple to fix a vulnerability?

    5. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Providing material that allowed someone with malicious intent to cause harm to the plaintiff.

      Acting responsibly and working with the software developer to eliminate the vulnerability not only lessens the likelihood of a lawsuit, but also strengthens your defense if you felt compelled to disclose and faced a lawsuit.

      Sure you can disclose the vulnerability immediately on principle, but you will face possible criminal and civil liability that could make you spend time in court defending your action. You may feel confident that you will win, but can you really afford the costs?

    6. Re: a lot of Google personnel uses Macs by Opportunist · · Score: 1

      That the plaintiff himself made possible by his very own neglect. That's like suing someone for sending pictures of you cheating on your wife to her and you want to get compensation for the divorce.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      The plaintiff would not necessarily be the software manufacturer. The plaintiff could be someone who was using the software.

    8. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      As I recall, Microsoft also asked for the same extension a couple times and were denied. Why the favoritism?

    9. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      So if you bought say a smartphone and discovered that under certain conditions it would burst into flames, you shouldn't be allowed to publish those findings?

      I'm sorry, but that's not how the law works. If you were to try suing someone over disclosure of a product flaw, you would find yourself getting laughed out of the courtroom and having to pay all court costs for yourself and the defendant.

    10. Re: a lot of Google personnel uses Macs by LynnwoodRooster · · Score: 0

      Sued for what?

      Heresy against the Church of Apple. Burning at the stake, or drawing and quartering, are the only reasonable remedies in this case.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    11. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      I'm the AC who posted comment 53176383. I don't like Windows and I'm not using it. That doesn't mean I condone what the irresponsible people at project zero are doing.

    12. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Nope it isn't. Mitigation is an extremely simple 4-step operation:
      1. Unlock iPhone
      2. Start Settings
      3. Tap Cellular
      4. Uncheck Cellular Data. Done!

      It is similarly simple on a macOS device.

    13. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      I'm sorry, but that's not how the law works. If you were to try suing someone over disclosure of a product flaw, you would find yourself getting laughed out of the courtroom and having to pay all court costs for yourself and the defendant.

      If you knew how the law really works then you would know that there are some expenses that need to be paid first before you are allowed to recoup. Defendants don't have the same options in payment that plaintiffs have, especially in civil liability cases.

      Besides, you created a false equivalency. A dangerous cellphone is not the same as a user privilege escalation bug. The court could easily see that disclosing the fire hazard was done to protect the safety of the general public, but a software exploit... not even close. The plaintiff can make the argument that the disclosure of the vulnerability created opportunity for harm.

    14. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      That would be something that should be answered by Google.

      It may have something to do with past experience and what was presented when the extension was requested. I doubt Apple just said "trust us."

    15. Re: a lot of Google personnel uses Macs by PopeRatzo · · Score: 1

      Nope it isn't. Mitigation is an extremely simple 4-step operation:
      1. Unlock iPhone
      2. Start Settings
      3. Tap Cellular
      4. Uncheck Cellular Data. Done!

      I can name that mitigation in a one-step operation.

      1. Throw your iPhone into a wood chipper. Done!

      --
      You are welcome on my lawn.
    16. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Most of the armchair lawyer Microsoft fanboys had a point though; Google were, for quite a bit of the time, providing absolutely no notice prior to disclosure.

    17. Re: a lot of Google personnel uses Macs by ArmoredDragon · · Score: 1

      You are thinking of libel. Disclosing details of a vulnerability that can be used maliciously is a gray area. It's been covered by EFF and a blackhat presentation, and it's not as cut-and-dry as you asserted.

      How is it a legal gray area? Who has been successfully prosecuted for it?

    18. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Disclosing details of a vulnerability that can be used maliciously is a gray area

      No it isn't. It is a truthful statement on a publicly available product.

    19. Re: a lot of Google personnel uses Macs by AHuxley · · Score: 1

      AC, if a big brand can find an issue, so can its staff. So can other nations' security experts. So can cults, faith groups, criminals and ex gov/mil security experts.
      If data is released when found, the holes can be patched quickly and a world of really great security researchers can help comment on the issue and help.
      Why wait a longer time for an in-house fix with even the slightest risk of an issue being in use in the wild for the same time?
      Report on detection, get the community to fix. Days of waiting just become days of risk.
      The more experts that see interesting issues early and often, the better.

      --
      Domestic spying is now "Benign Information Gathering"
    20. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Nope it isn't. Mitigation is an extremely simple 4-step operation:
      1. Unlock iPhone
      2. Start Settings
      3. Tap Cellular
      4. Uncheck Cellular Data. Done!

      I can name that mitigation in a one-step operation.

      1. Throw your iPhone into a wood chipper. Done!

      ...And then get an Android phone, where you can enjoy a NEW exploit like this nearly EVERY SINGLE WEEK!

    21. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Sued for what?

      Heresy against the Church of Apple. Burning at the stake, or drawing and quartering, are the only reasonable remedies in this case.

      How in the FUCK do comments like the Parent get UPMODDED?'!?

      I swear, Slashdot is beginning to make the heydays of IRC look positively CIVIL and ERUDITE.

    22. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Defendants can file a counter suit and make you pay back everything that they had to pay and then some for wasting their time. The court can also fine you for filing frivolous lawsuits.

    23. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      LOL chill out dude. He's at +1. He probably didn't get modded up. There's something called a karma bonus for logged in posters. As long as they have good karma they always start at +1.

    24. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      What about the irresponsible and incompetent people at Microsoft for developing an OS that is so riddled with bugs that it's responsible for 99% of all the viruses, malware and ransomware out there? They're the ones that should be sued for the billions of dollars in damage they've done.

    25. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      Yes they should. The two are not mutually exclusive.

      All I'm saying is that Google should have been sued on various occasions, for enabling criminals to have easy access to millions of machines. Users of these machines may have lost money or have fallen victim to identity theft or something even worse as a result. It's these users that should sue Google.

    26. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      get a life

    27. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      And of course the more criminals understand how to mount an attack, the worse for the users of that OS for the period between the Project Zero announcement and the day of the patch release. Ransomware, identity theft... need I go on?

    28. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      There's a lot of law in the courts supporting that.

    29. Re: a lot of Google personnel uses Macs by Anonymous Coward · · Score: 0

      ...And then get an Android phone, where you can enjoy a NEW exploit like this nearly EVERY SINGLE WEEK!

      Except you can get one of the many that you can root and update the OS yourself to fix any bugs as soon as they are found, that's the beauty of open source. Apple might release some code but when you find bugs in that code you can't fix them for your Apple devices. As we have seen here you have to tell Apple about them and then you might have to wait months for them to do anything about it.

  3. Title Editors Should Do Better by Anonymous Coward · · Score: 1

    It is frustrating when you read the title for a thread and get one idea of what happened, but when you read the details it is very different. Simply saying that you hid something is ambiguous and can lead others to think it was nefarious. In this case it was a mutual understanding. Slashdot can do better than this.

  4. be allowed by Anonymous Coward · · Score: 0

    two blocks held in two hands, and then, wait hold for it, "scrape inseus"

  5. How is this a problem, exactly? by 93+Escort+Wagon · · Score: 5, Insightful

    Isn't the point of eventual disclosure to force coders/companies not to ignore bugs?

    Yes, Google found a bug. But Apple didn't ignore it - their initial patch just wasn't effective. They were obviously actively working to solve the problem... so why should Google have released the exploit?

    --
    #DeleteChrome
    1. Re:How is this a problem, exactly? by XparXnoiaX · · Score: 1, Interesting

      Counterargument. Essentially, there is no way to know that this exploit wasn't being actively exploited (and let's be honest: five months to fix the bug means they aren't taking security seriously).

      --
      Irresponsible disclosure is responsible
    2. Re:How is this a problem, exactly? by Actually,+I+do+RTFA · · Score: 1

      Google has a history of just releasing the exploit with regard to companies where Brin/Page aren't majorly invested (e.g. Microsoft), when they need extra time to finalize the fixes. One of them (I forget which) was on the Apple board until the Android release made them competitors.

      --
      Your ad here. Ask me how!
    3. Re:How is this a problem, exactly? by Anonymous Coward · · Score: 0

      Probably because they have a standard release time. They didn't follow that timeline, instead they agreed to give more time and then more time again for a total of 5 months. They do this arbitrarily - look up some of the times they have denied such extensions to other industry players. Either keep a standard timeline, or publish that extensions are available but don't play favorites.

  6. About time by CODiNE · · Score: 1

    It's been a long time waiting on a jailbreak since they got so valuable. I'd do the same thing "Hmmmm... release this as a jailbreak, or sell it for a million bucks..."

    This looks easy enough to get working and is current up to 10.0.2 or whatever the latest was.

    --
    Cwm, fjord-bank glyphs vext quiz
  7. Because it took five months to fix? by aliquis · · Score: 0

    "Apple products are much more secure!" .. except that they want to be able to take their time and not fix security issues as soon as they are found.

    Security by obscurity and irrelevance ;D

    If Google had told about it immediately the world would have known about the issue five months earlier and could have dealt with it one way or the other, and Apple would likely have been forced to fix it quicker.

    1. Re:Because it took five months to fix? by Bill_the_Engineer · · Score: 1

      .. except that they want to be able to take their time and not fix security issues as soon as they are found.

      Did you read the summary? Apple's initial fix didn't work well, so Google responsibly allowed Apple more time to fix the vulnerability.

      If Google had told about it immediately the world would have known about the issue five months earlier and could have dealt with it one way or the other, and Apple would likely have been forced to fix it quicker.

      That is speculation. Apple was actively working on it and I'd rather the fix not cause more vulnerabilities simply because someone was impatient.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    2. Re: Because it took five months to fix? by Anonymous Coward · · Score: 0

      Security by obscurity is when the actual plan is just to keep the code or interfaces secret and hope nobody bumps into it.

      What the article says Google and Apple did is NOT that. This stuff doesn't happen instantly. Even if Apple had a fix the next day, they need to test it on a variety of systems to ensure that it doesn't break anything. Another fix might be involved.

      Maybe 5 months is a long time but just telling the world right away wouldn't make Apple customers safer.

      Put your ;D back in your mouth

    3. Re:Because it took five months to fix? by Anonymous Coward · · Score: 0

      Apple is an evil, shitty company bent on a vertical monopoly. However, they still have to identify the root cause, correct it, and do regression testing to ensure that they actually fixed it.

    4. Re:Because it took five months to fix? by aliquis · · Score: 1

      Did you read the summary? Apple's initial fix didn't work well, so Google responsibly allowed Apple more time to fix the vulnerability.

      Yes I did. And it was about allowing them 60 days, which since the fix didn't even solve the problem completely became 5 months.

      It likely didn't have to take 60 days or 5 months if that wasn't the time they had available to them but since it was that's how long it took. It's like there in Sweden where what the municipality get for each refugee "child" is $77 000 / year and hence that's what their solutions end up costing (or more since so many arrived), if they had only been offered $20 000 / year then they would have had to go with cheaper solutions.

      Of course it could be fixed faster than within 5 months and Apple likely would have had to do it very quickly if the exploit was known in the public.

      That is speculation. Apple was actively working on it and I'd rather the fix not cause more vulnerabilities simply because someone was impatient.

      True. But it being speculation doesn't make it incorrect. With more vulnerabilities do you mean the implementation of the fix or just by being known? Being known doesn't create a new vulnerability but it may jeopardize more units and users, but as said at least then they can be aware of it, whereas not making them aware of it and taking your time to fix it may also do that and no one or very few know about the risk you're putting them through.

    5. Re:Because it took five months to fix? by Bill_the_Engineer · · Score: 1

      Yes I did. And it was about allowing them 60 days, which since the fix didn't even solve the problem completely became 5 months.

      Yet the vulnerability was fixed and it allowed Apple to push out an update.

      Of course it could be fixed faster than within 5 months and Apple likely would have had to do it very quickly if the exploit was known in the public.

      Or the more likely scenario would be that the same number of engineers will still work on the vulnerability, except now an exploit was disclosed putting people at risk.

      With more vulnerabilities do you mean the implementation of the fix or by just being known?

      Whenever a change is made to the software, especially something as complicated as an OS, you need to allow time for regression testing to make sure the modification doesn't introduce a different vulnerability elsewhere.

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    6. Re: Because it took five months to fix? by Anonymous Coward · · Score: 0

      It would make everyone safe. It would teach people that a phone is a phone and having an internet connected computer in it 24/7 isn't a necessity

    7. Re:Because it took five months to fix? by Anonymous Coward · · Score: 2, Insightful

      It likely didn't have to take 60 days or 5 months if that wasn't the time they had available to them but since it was that's how long it took.

      Ah yes, the old "you can speed up anything by throwing more people at it," argument.

      Have you ever worked in any professional engineering role? I suspect not, since you seem completely unaware of the need to understand the issue, develop a reasonable solution, implement that solution, test the solution, and then roll it out to the world. All of these take a commodity that's known as "time" to do, and honestly, for a major security bug that requires extensive rework, 2-5 months is completely understandable and reasonable.

      Of course it could be fixed faster than within 5 months and Apple likely would have had to do it very quickly if the exploit was known in the public.

      Right, and 9 women could pool their efforts to have a baby, and deliver a single baby in 1 month, if they'd just work smarter. And Elon Musk could totally come up with a faster way to get people to Mars if the public demanded it. There are no irreducible constraints that can't be fixed by the public demanding it. It's the reason we all have free healthcare, incredible political candidates, and peace in the Middle East!

      Being known doesn't create a new vulnerability but it may jeopardize more units and users, but as said at least then they can be aware of it, whereas not making them aware of it and taking your time to fix it may also do that and no one or very few know about the risk you're putting them through

      You sound like a retard. Have you bumped your head recently? Perhaps you should get an MRI to make sure you haven't had a stroke.

    8. Re:Because it took five months to fix? by XparXnoiaX · · Score: 1

      Whenever a change is made to the software, especially something as complicated as an OS, you need to allow time for regression testing to make sure the modification doesn't introduce a different vulnerability elsewhere.

      Whenever you have a vulnerability as serious as this one, you better make sure that those regression tests go quickly.....faster than five months.

      Not that I care, iOS should be liberated from its walled garden, and privilege escalation exploits are the way to do that.

      --
      Irresponsible disclosure is responsible
    9. Re: Because it took five months to fix? by aliquis · · Score: 0

      Security by obscurity is when the actual plan is just to keep the code or interfaces secret and hope nobody bumps into it.

      It is security by obscurity in that they rely on not telling others about the flaw in their design to keep systems safe rather than actually fixing the design (for the period which went past until it was fixed.)
      The whole security solution in this case from it was known about until it was patched was to keep the information obscure.

      Both Microsoft AFAIK and Apple do this nowadays where they don't even try to bring out patches as soon as possible and they of course prefer if people don't know about the issues until that happens because they still want their customers to remain secure. Having proprietary code is also one way of obscuring any security flaws which may have been easier to find if the source code was available. "Irrelevance" was a small attack / trying to ridicule the OS X user base and market share on desktops where Microsoft Windows has been larger and hence possibly a more attractive target, of course the smartphone era has changed this quite a bit.

      Maybe 5 months is a long time but just telling the world right away wouldn't make Apple customers safer.

      Well, for those where it's serious enough it may have done, because they could just have stopped using their Apple devices altogether until there was a fix. Also if the vulnerability was public knowledge both Microsoft and Apple would likely feel the burn and have to work faster on a solution, because taking five months to come up with a solution then wouldn't really be acceptable and much too risky.

    10. Re:Because it took five months to fix? by aliquis · · Score: 2

      Or the more likely scenario would be that the same number of engineers will still work on the vulnerability, except now an exploit was disclosed putting people at risk.

      Has there been a case where that has actually happened? In that a known full access exploit in Microsoft or Apple products has been allowed to take five months to fix? How much negative publicity wouldn't Apple have gotten if it really took them five months to fix it with lots of exploited Apple devices all over the world? Samsung Note 7 would quickly have moved back to device issue #2?

      Whenever a change is made to the software, especially something as complicated as an OS, you need to allow time for regression testing to make sure the modification doesn't introduce a different vulnerability elsewhere.

      I know nothing about the vulnerability and where it existed so I can't comment on that.

    11. Re:Because it took five months to fix? by Anonymous Coward · · Score: 0

      Yes I did. And it was about allowing them 60 days, which, since the fix didn't even solve the problem completely, became 5 months.

      Yet the vulnerability was fixed and it allowed Apple to push out an update.

      You mean "Eventually the vulnerability was fixed". Because even after 60 days, which was a much more generous offer than Google routinely grants Microsoft, they still hadn't managed it. And as for "allowed Apple to push out an update"? Nothing was stopping Apple from pushing out an update in two days except that they were unwilling to devote the resources to do it. Hell, Apple could well have found the vulnerability themselves if they had done sufficient auditing, instead of it falling on Google to find it.

      Of course it could be fixed faster than within 5 months and Apple likely would have had to do it very quickly if the exploit was known in the public.

      Or the more likely scenario would be that the same number of engineers will still work on the vulnerability, except now an exploit was disclosed putting people at risk.

      So then people get exploited and blame Apple because they're unwilling to devote the resources to fix vulnerabilities quickly. Then Apple has to decide whether "business as usual" is okay or whether they'll actually take security seriously. BTW, if Google can find this exploit, so can others. So "putting people at risk" was already there from the day the bug was released in the wild. That Google disclosing would make people, both victims and criminals, more aware of it only changes the magnitude of the point.

      With more vulnerabilities do you mean the implementation of the fix or by just being known?

      Whenever a change is made to the software, especially something as complicated as an OS, you need to allow time for regression testing to make sure the modification doesn't introduce a different vulnerability elsewhere.

      You also need to make sure you actually fix the vulnerability, which they apparently fucked up. Seriously, MS routinely has software that has known active exploits. Linux does too. Yet somehow regression testing doesn't normally take 5 months. Or even one month. The only thing having more known or even active exploits of Apple software does is show that Apple has worms* too. There's already so much fuel for the "actively exploited" fire that the argument against releasing information about exploits early and often makes less and less sense every day. The only general exception is things like internet-connected pacemakers or the like.**

      *I know, more a bad pun.

      **And if those exist, the people responsible should be held responsible for negligent homicide if someone ends up dying. The rest (i.e., non-networked exploitable medical devices)? Knowledge that a pacemaker can be exploited and cause death is vital information for investigators to determine if murder occurred. So, again, release information about exploits early and often. You don't try to hide that a gun can kill to facilitate murderers any more than you try to hide that pacemakers can be made to malfunction. Or that a gun might go off on its own any more than a pacemaker is a walking time bomb. "On the internet" with anything not-directly-life-threatening is a financial risk and should be accorded the same sort of expectation of duty that everything else is, which is basically none.

    12. Re:Because it took five months to fix? by Karlt1 · · Score: 2

      Yes, because if this had happened with Android, Google would have quickly issued a patch for all phones introduced since 2012 and all of the affected Android devices could have downloaded the patch immediately without having to wait on the OEMs and the carriers....

      Now back to the real world....

    13. Re:Because it took five months to fix? by Anonymous Coward · · Score: 0

      So, faster than the 9-year Linux kernel bug?

    14. Re:Because it took five months to fix? by Anonymous Coward · · Score: 0

      Yes, because if this had happened with Android, Google would have quickly issued a patch for all phones introduced since 2012...

      Yep, exactly. Oh, right, we all acknowledge that the situation with Android security and Google is shit and that Google has fucked up and still is fucking up the situation. Part of that is the legacy of trying to be an open, can-be-used-by-anyone system. Part of that is not clamping down after a point, with the Google Play Store as a basis to push OEMs and carriers into accepting security updates on phones regardless of whether they want to personally support them or not. However...

      and all of the affected Android devices could have downloaded the patch immediately without having to wait on the OEMs and the carriers....

      Apple is in a radically different situation precisely because they DO have the power to push OEMs and carriers to use their security patches. They've released plenty of patches, in fact, to reinforce their walled garden, and basically need the power to ensure their revenue stream, not to mention maintain their supposed edge on security. Get rid of that and what reason do you have to use an Apple product? You push the high end of Android phones/tablets and they're in the same spec/cost range. The only major thing going for Apple is support of a (mostly) malware-free system. If they want to lower themselves to Android's level...

      Now back to the real world....

      Where Apple is full of holes and new walled garden exploits are found regularly. Just like the 3DS--although the 3DS took a lot longer to get to the point of being readily exploitable, to the point of being repeatedly hacked, and currently is leaning towards being successfully captured again in the latest of updates.

      PS - The real absurdity of all of this is people who argue that they couldn't rush through a fix that ended up being an incomplete fix or whatever. They've done that repeatedly, obviously, or we'd not see jailbreaking be such a common thing. Clearly they don't write good enough software. I mean, if they did, that'd at least possibly justify the cost. But if they really want to have their cake and eat it too, well, double fuck them. This just confirms what I (and no doubt others) have felt about Apple being 99% show. To hear anyone try to justify their behavior (or Google's, for that matter) is bullshit.

    15. Re:Because it took five months to fix? by tlhIngan · · Score: 2

      Of course it could be fixed faster than within 5 months and Apple likely would have had to do it very quickly if the exploit was known in the public.

      Or would it?

      This is a kernel level bug. Kernel bugs are extremely tricky and from the looks of it, it's a core kernel issue. This level of code is at the core - make a mistake here and the kernel stops working.

      Hell, at this level of code, few people actually even know how it works. So you can't even throw more bodies at it, because those bodies just don't exist, and it will take a month to bring them up to speed. (Same thing in Linux - at this low level few people, including Linus, actually know how it works.)

      Oh yeah, you also have to test it thoroughly because a change at this level can break userspace very easily. And trigger a bunch of follow on bugs because things have changed. Which will usually exhibit themselves as oddball hangs, stutters, or crashes.

    16. Re:Because it took five months to fix? by TheRaven64 · · Score: 2

      It's not just a kernel bug, it's a bug in an interface between the kernel and userspace programs that have intimate knowledge of the kernel. Fixing it in such a way that you don't break existing non-malicious applications is probably much harder than fixing a bug that is entirely in the kernel.

      --
      I am TheRaven on Soylent News
    17. Re:Because it took five months to fix? by GrabbaTheButt · · Score: 1

      Ah where are my mod points when I really want them?

    18. Re:Because it took five months to fix? by Anonymous Coward · · Score: 0

      Read The Mythical Man Month and you'll learn that you're a big mouthed twat.

    19. Re:Because it took five months to fix? by Anonymous Coward · · Score: 0

      Apple was actively working on it

      That is speculation.

    20. Re:Because it took five months to fix? by Karlt1 · · Score: 1

      How many non-tethered jailbreaks have been available for the iPhone recently? The reason that the jailbreak being "non-tethered" is important is that a tethered jailbreak implies physical access to the phone and the ability to unlock it.

      A tethered jailbreak isn't a major security risk.

    21. Re:Because it took five months to fix? by Anonymous Coward · · Score: 0

      How to Jailbreak iPhone or iPad on iOS 9.3.3 Without a Computer

      Seriously, though, the "it's a major security risk" seems a rather pointless qualifier. If Apple wants to maintain its safe walled garden, local privilege escalation is a big problem. It's the same reason Nintendo has had* to repeatedly pull games out of its eshop.

      *Obviously didn't really "[have]" to but it definitely conflicts with their motive to maintain control to consistently get their cut of sales.

  8. oh you fool, there are no editors by frovingslosh · · Score: 1

    Yeah, sure, Slashdot has editors and our elections are not rigged. But if there were really editors, how could you make sense of a September 21st date for disclosure and a claim that Project Zero agreed to keep quiet, eventually granting Apple nearly five months of silence? This would only be explained if editors couldn't do simple math or if they didn't know how long a week and a month are.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re: oh you fool, there are no editors by Anonymous Coward · · Score: 0

      Because the bug was found back in June? It's not that complicated.

      Project Zero's normal policy is 90 days' grace to fix the bug before disclosure. The vendor can request another 14 days if the bug is tricky to fix. Apple asked for an additional 60 days, due to the difficulty in reworking the relevant code. Google refused at first, eventually settled on a September 21st date, then gave them a further 5 weeks.

  9. Phrasing! Click bait headline. by Anonymous Coward · · Score: 5, Informative

    Using the words "hid a major vulnerability" is misleading. It implies Google infiltrated Apple source code to implant an exploit. Google didn't hide shit. They found the exploit, informed Apple, and kept quiet about it for the safety of the users.

  10. Fixed in 10.10.5, 10.11.6, 10.12 -- NOT just 10.12 by boarder8925 · · Score: 4, Informative

    Because the summary and both articles are ambiguous, I was confused what was meant by "latest system updates." For anyone else wondering, this vulnerability was patched in Yosemite, El Capitan, and Sierra -- not just Sierra. See under "System Boot" heading here: https://support.apple.com/en-us/HT207275.

  11. Re:Phrasing! Click bait headline. by BigBuckHunter · · Score: 1

    Using the words "hid a major vulnerability" is misleading. It implies Google infiltrated Apple source code to implant an exploit. Google didn't hide shit. They found the exploit, informed Apple, and kept quiet about it for the safety of the users.

    I wish you had posted this before I blew all of my mod points.

  12. Re:Phrasing! Click bait headline. by wbr1 · · Score: 2

    100% this. The threat to release an exploit is to get the vendor moving towards a fix. When Apple did actually work on a fix, Google did the right thing and kept mum. If it had been caught in the wild as a 0-day then it would have been responsible to release, but not before.

    --
    Silence is a state of mime.
  13. Re:Phrasing! Click bait headline. by Anonymous Coward · · Score: 0

    Agreed! They didn't hide anything other than the exploit. Good for Google for doing the responsible thing and waiting 5 months on it (far longer than they really needed to). 30 days would have been sufficient in my opinion. According to me, they gave them 5x longer than necessary. If anything Google should be commended for responsible disclosure.

  14. safe by slazzy · · Score: 2, Funny

    My iPhone is too old to support the vulnerability, I'm good!

    --
    Website Just Down For Me? Find out
    1. Re:safe by Anonymous Coward · · Score: 0

      slazy.com: Fatal error: Call to a member function prepare() on a non-object in /home4/direct00/public_html/slazy.com/results.php on line 213

  15. Extension due to class of exploit folks by Anonymous Coward · · Score: 0

    PZ didn't find just a severe bug, they found a whole new class (for OSX) of bug. This touched a ton of code throughout the whole OS, not just any one package or library. It's like telling Redhat to fix everything in RHEL at once, or Microsoft to fix all their software products at once. That's real, hard work.

    That said, PZ will need to be clear now that standalone bugs get no extensions, while new class-level bugs might get an extension; at least that would be transparent. I suppose PZ never expected to run into a whole new class of bugs...

  16. double standards by sad_ · · Score: 1

    That pretty much sucks, to keep it hidden for 5 months.
    All the while releasing a Windows vulnerability before a patch is out.
    Sounds like double standards to me.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.