Slashdot Mirror


Google's 'Project Zero' Hid A Major Vulnerability in Apple's OS and iOS Cores (thestack.com)

In June Google's task-force against zero day exploits "identified a coding exploit in the underlying kernel of Apple's OSX and its mobile operating system iOS, which could allow for root-level escalation of privileges for an attacker in a non-updated version of the OS," according to The Stack.

An anonymous reader writes that Google "initially refused Apple's request for sixty days' grace, but eventually settled on September 21st for disclosure. But when Apple's last-minute September fix turned out to be ineffective, Project Zero agreed to keep quiet, eventually granting Apple nearly five months of silence about the task_t bug -- which has now been fixed in the latest updates to Mac OS and iOS." The fix was released Monday, the Stack reports: Since the task_t bug allows the user to gain any entitlements they may want, it could also nullify kernel code signing, which would allow unauthorized programs to run with elevated privileges on a Mac system. Any current OSX or iOS user who has applied the latest system updates is not susceptible to the task_t vulnerability.

3 of 88 comments

  1. How is this a problem, exactly? by 93 Escort Wagon · Score: 5, Insightful

    Isn't the point of eventual disclosure to force coders/companies not to ignore bugs?

    Yes, Google found a bug. But Apple didn't ignore it - their initial patch just wasn't effective. They were obviously actively working to solve the problem... so why should Google have released the exploit?

    --
    #DeleteChrome
  2. Re:Because it took five months to fix? by Anonymous Coward · Score: 2, Insightful

    It likely didn't have to take 60 days or 5 months if that wasn't the time they had available to them but since it was that's how long it took.

    Ah yes, the old "you can speed up anything by throwing more people at it," argument.

    Have you ever worked in any professional engineering role? I suspect not, since you seem completely unaware of the need to understand the issue, develop a reasonable solution, implement that solution, test the solution, and then roll it out to the world. All of these take a commodity that's known as "time" to do, and honestly, for a major security bug that requires extensive rework, 2-5 months is completely understandable and reasonable.

    Of course it could be fixed faster than within 5 months and Apple likely would have had to do it very quickly if the exploit was known in the public.

    Right, and 9 women could pool their efforts to have a baby, and deliver a single baby in 1 month, if they'd just work smarter. And Elon Musk could totally come up with a faster way to get people to Mars if the public demanded it. There are no irreducible constraints that can't be fixed by the public demanding it. It's the reason we all have free healthcare, incredible political candidates, and peace in the Middle East!

    Being known doesn't create a new vulnerability but it may jeopardize more units and users but as said at least then they can be aware of it whereas not making them aware of it and taking your time to fix it may also do that and no-one very few know about the risk you're putting them through

    You sound like a retard. Have you bumped your head recently? Perhaps you should get an MRI to make sure you haven't had a stroke.

  3. Re: Where exactly was the bug... by Anonymous Coward · Score: 1, Insightful

    You mean they had to pretend to fix it while at the same time punch and obfuscate one of comparable magnitude for the no search agency to use.

    FUCK OFF.

    AND DIE.