Slashdot Mirror


Google Warns Apple: Missing Bugs in Your Security Bulletins Are 'Disincentive To Patch' (zdnet.com)

Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.

Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."

43 comments

  1. News at 11 - by Anonymous Coward · · Score: 0

    Google Says Bad Things About Competitor - The Shocking Story at 11!

    1. Re: News at 11 - by Anonymous Coward · · Score: 0

      Apple and Google serve two different functions and markets, you cuck.

  2. Reality distortion field by Anonymous Coward · · Score: 1

    Reality distortion field needs to be kept intact. Security problems? What security problems? Apple devices are perfect!

    1. Re:Reality distortion field by Anonymous Coward · · Score: 0

      Huh? Apple's security patch patched security flaws.
      Google is just sore 'cos they want everyone to kiss their asses. Unfortunately for Google most sane people think they should go fuck themselves.

      Captcha: subtlety

    2. Re: Reality distortion field by Anonymous Coward · · Score: 0

      Nice straw man you got there. Would be terrible if it got knocked down by you.

    3. Re:Reality distortion field by Anonymous Coward · · Score: 0

      Exactly this. When has Apple ever been honest about anything?

  3. Hard to argue it's much of a disincentive by SuperKendall · · Score: 4, Interesting

    iOS 12, despite being less than a month old, is on something like 50% of active devices now - who else achieves that kind of patch rate?

    Most users will never even look at basic patch notes, much less security info. The people it might disincentivize are maybe 0.00000000000000000000000000000000000001% of the user base.

    Maybe.

    That said I totally agree they SHOULD say when a security bug is fixed so at least everyone has a better idea of what has improved without testing.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re: Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      This, the irony is hard to ignore. 89% of mobile Apple devices either have iOS 11 or 12 (latest) installed. iOS 11 is only a year old. For Android, only 48.5% have 7-8.1 installed... and 7.0 was released TWO years ago.

      The overall point is a fair one, but I think the guy's efforts would be better utilized in fixing the Android world's issue with poor upgrade uptake rates.

    2. Re:Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      Despite all the roadblocks Apple throws up to prevent it, their devices still get used in professional settings, and these professional settings need to know how to evaluate the importance of updates. You may opt to push critical security patches if the risk from the flaw is greater than the risk of everything breaking. Some security flaws may be mitigated via external firewalls or device settings. This is why it's important to list the exact details of the security flaws being patched - so people can make intelligent decisions about whether or not to install an update.

      This is also why I greatly prefer the Android patching model, where security patches are separated from "feature" updates. Apple gives you no choice - they break older apps all the time and then only provide security patches for the updates that break older software. This is another reason the exact details are so important - eventually a company will have to decide if the security holes are big enough that they just have to accept losing older iOS software.

    3. Re: Hard to argue it's much of a disincentive by alvinrod · · Score: 3, Insightful

      It's hard to make a fair comparison. How many of those Android users who haven't updated even had the option?

    4. Re:Hard to argue it's much of a disincentive by jellomizer · · Score: 2

      BTW around 0.0000001% would be enough for the people who actually wrote the patch notes.

      But Google on its apps is not really clear about what their fixes are.
      My phone had a Google Chrome update; here are the update notes:

      Thanks for choosing Chrome! The new design that we launched previously is now visible to everyone. In addition, this version includes:
      * Bug fixes and design polish for the redesign
      * Updates to how Chrome launches other apps to improve reliability and security.
      * Fixes to authentication issues caused by using out-of-date cookies. Let us know if you encounter any issues with signing in or out of websites.

      There isn't really that much detail on what the problem is.
      I updated anyway even without reading it. A security update is a security update. Unless I am researching a particular security glitch, I really don't know or care what it was, just as long as it is more secure after the patch than it was before.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      > 0.00000000000000000000000000000000000001% of the user base.

      You might want to re-check that figure. Even if it's just *one* person out of the entire 7+ billion that exist on the entire planet, that's still a lot more, as a percentage, than the figure you posted.

      But don't let *that* get in the way of the Apple fanbois, who try to defend it no matter how stupid it makes them look.

    6. Re: Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      It's also hard to make a fair comparison because on Android not using the latest version of the OS doesn't mean you're open to security holes. It just means you're missing the latest features.

      A lot of users don't want their phone's UI to change constantly. They want the same phone and the same apps to run throughout the lifespan of the phone. Since Android provides security updates that are separate from the OS upgrade treadmill, just because you're not using Android 9.0 doesn't mean your phone isn't patched. It just means you don't have the latest Android features.

      The same cannot be said of Apple. Don't want to move to the latest iOS upgrade because it'll slow your phone down and offers no new features of any value? Fine, then deal with multiple unpatched security vulnerabilities. Want a secure phone? You MUST get the newer, slower, version of iOS.

    7. Re:Hard to argue it's much of a disincentive by v1 · · Score: 3, Insightful

      "eh, this patch only fixes *four* critical vulnerabilities, I think I can just ignore that, I'll hold out for AT LEAST six before I bother to update." - said no one, ever.

      Even after ignoring the fact that almost no one reads the fine details on what got patched, by far the biggest "disincentives" to patching are (A) annoyingly over-frequent (can you say FLASH?), and (B) device reboots / downtime for the update. You want to improve and speed adoption of security updates? That's what you need to be focusing on, not more detailed release notes.

      --
      I work for the Department of Redundancy Department.
    8. Re: Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      Not announcing is dick to the security researcher.

      It's hard enough going to an interview and saying "I broke iOS". They ask "did Apple pay you?" "No", "did they acknowledge it" "no".

    9. Re: Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      I've never received a security update for my android devices. Ever.

    10. Re: Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      My $80 Moto E4 running 7.7.1 just got another security patch a week ago. It was an unexpected but nice surprise.

    11. Re:Hard to argue it's much of a disincentive by ChatHuant · · Score: 1

      > The people it might disincentivize are maybe 0.00000000000000000000000000000000000001% of the user base.

      I told you at least 1000000000000000000000 times to stop exaggerating...

    12. Re: Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      Android, for this reason, is entirely shit. Dependency hell, on a phone. That is locked. So you cannot truly update it, unless the vendor you originally bought it from wants it to be updated. Which they might not, since why not just say "sorry, your 2 years are up, buy the new phone if you don't want your shit owned".

    13. Re:Hard to argue it's much of a disincentive by SuperKendall · · Score: 1

      > these professional settings need to know how to evaluate the importance of updates.

      There is more than enough information in updates to evaluate installation - you can't evaluate something based on a negative, like "well it only fixes 5 of ten vulnerabilities so we are going to wait". No, you are going to fix the five you know about - and then later are happy if it fixes a few more.

      > This is also why I greatly prefer the Android patching model, where security patches are separated from "feature" updates.

      Apple does that as well for important security updates.

      The thing is, how is the Android model better when for most hardware you'll not be able to install the security update? The Android model is utter crap because it's generally filtered through device manufacturers.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    14. Re:Hard to argue it's much of a disincentive by Anonymous Coward · · Score: 0

      > There is more than enough information in updates to evaluate installation - you can't evaluate something based on a negative, like "well it only fixes 5 of ten vulnerabilities so we are going to wait".

      Did you read the goddamned summary?!

      > Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them.

      Apple is flat-out not mentioning security fixes.

      Do you not work in IT? Please tell me you don't work in IT.

      You don't just install a security patch because it's a security patch. You have to evaluate the risks. Is the security hole critical? Can it be remotely exploited? Can you completely mitigate the risk via settings or firewall rules external to the device? It's entirely possible that, given all the details of a security flaw, you might opt not to patch. You might be able to completely mitigate the flaw and the patch might break existing software. (Most of the time, the severity of the flaw determines the amount of testing you get to do. The more the risk of being hacked, the less time you spend testing before pushing the patch.)

      Apple makes deciding to just live with a hole even more likely by tying security patches to OS updates. Don't want to upgrade to the latest version of iOS but want to patch the remote root flaw? Well, tough. Hope the new iOS doesn't break anything. But Apple doesn't test for backwards compatibility, so it probably will.

      And now we know that Apple isn't even giving us complete information, so who knows what holes might remain in iOS. Should you immediately patch to iOS 12.0.1? Who knows! Probably!

  4. For end user products... by Anonymous Coward · · Score: 0

    For end user products the incentive to patch should just be that a new version exists. End users won't know what to make of CVE # or other technical information anyway. Just plainly mentioning that it fixes security issues should be enough.

  5. Is Apple yet to assign CVEs or is it CVE? by Anonymous Coward · · Score: 0

    Last I heard CVE was being terribly mismanaged, with numbers taking weeks to get assigned (even though they're just sequential numbers and any idiot could hack that together). Does Google know that Apple hasn't assigned the CVEs, or is CVE just not bothering to assign them numbers because they can't figure out how to handle N+1?

  6. This is funny coming from Google by qzzpjs · · Score: 3, Insightful

    Google didn't mention to anyone the issues they had with Google Plus. That said, Apple's devices have always been better updated than any Android device. Apple provides OS updates and patches for about 5 years on their phones whereas Android updates are very hit or miss except for Google's own phones. You're lucky if you get 2 years on major phones and less on cheap ones.

    And when Apple does put out an update, every phone and tablet will nag you to death to get it installed. Every day it will ask you to install it or remind you later. So, they never have to tell you what they're patching, or what they're changing - you update just to get rid of the daily annoying popup.

    1. Re:This is funny coming from Google by 93+Escort+Wagon · · Score: 0

      Project Zero also treats Google properties differently than non-Google entities. It’s as much a marketing arm of the company as it is a security group.

      (I’ve given specific examples of this before - search my comment history back a few years, if you care)

      --
      #DeleteChrome
    2. Re: This is funny coming from Google by Anonymous Coward · · Score: 0

      It's Google's terrorist arm. Seriously, they basically serve to extort competition or destroy them by releasing exploits.

  7. Users should be in the habit of upgrading by Arkham · · Score: 3, Interesting

    The reason that iOS has an upgrade rate that's 10x that of Android is because Apple has conditioned its users to constantly upgrade their OS. My wife upgrades her iPhone without knowing or caring what's in the update. It's always something that makes her phone better in her mind. The only people who care about CVEs are security researchers and extreme geeks like me.

    If you say "iOS 11.4.1 fixed CVE-2018-4293 which allowed cookies to persist unexpectedly in CFNetwork calls" to 99.99% of Apple's customers, the only word in that sentence that they might understand is cookies, and their take is "cookies are bad". Putting this in the patch notes doesn't mean anything to regular humans, and it shouldn't.

    People should be able to trust that their device manufacturer will keep their phone safe. Apple is the only phone manufacturer (except maybe Google) that does this, and they're the only one people trust to do so.

    --
    - Vincit qui patitur.
    1. Re:Users should be in the habit of upgrading by phayes · · Score: 1

      > People should be able to trust that their device manufacturer will keep their phone safe. Apple is the only phone manufacturer (except maybe Google) that does this

      Google helps people trust that their phone is safe? LOL!

      Google's publishing "This minor security patch plugs bug X" means that blackhats can easily know that every Android version up to the unpatched version is vulnerable, and we all know that Android's update model is a dog's breakfast, so broken that few phones will ever be updated to receive the patch. After a month, what has been the average percentage of Android devices with up-to-date security patches? 2%? 5%? A whopping 7%?

      Google is working on improving the way patches percolate down to everyone's phones, but until the percentage of Android devices with up-to-date security patches starts rivaling Apple's, Google ISN'T helping people trust that their phone is safe.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    2. Re:Users should be in the habit of upgrading by antdude · · Score: 1

      I don't like software that adds new features with fixes. I just want fixes, and not new features. I don't want my hardware and software to become slower!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    3. Re:Users should be in the habit of upgrading by ayesnymous · · Score: 2

      Possibly because an upgrade popup appears suddenly out of nowhere while you're using the device, and it's very easy to accidentally press "Install Now" instead of the "Remind Me Later" option.

    4. Re:Users should be in the habit of upgrading by nasch · · Score: 1

      > The reason that iOS has an upgrade rate that's 10x that of Android is because Apple has conditioned its users to constantly upgrade their OS.

      I think it's more because (most) Android users are at the mercy of their manufacturer and carrier putting out an update. They're not really that interested in doing it, so most users get maybe one major version upgrade, and then some security patches, and then that's it. Whereas Apple upgrades all devices if it's compatible with the new OS version.

  8. I call bull by zarmanto · · Score: 2

    > ... The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. ...

    I would argue that the details about exactly what bugs -- or even how many bugs, for that matter -- are entirely immaterial to whether or not the vast majority of iOS users are going to install any given security patch. It's pretty simple, actually: release a patch, and tell users that it's related to security. That's it; no further details are necessary. Frankly, most people either don't understand or don't care about the details; their behavior isn't going to be changed in the least by those few extra words that they aren't going to bother reading anyway. And the people who would actually read (and understand) those details fall into two basic categories: those who will patch immediately, regardless of the details, (because, security!!) and those who will delay patching for as long as they reasonably can, regardless of the details. (An obvious example of the latter could be IT types, who are required to manage large numbers of end-user devices.)

    No; I think Fratric and Beer are both missing the forest for the trees, and I think there's a pretty obvious reason: all they really care about is their fifteen seconds of fame... that little bit of acknowledgement from Apple, that they done good. Unfortunately for them, Apple happens to know their target audience pretty well, so it's not particularly likely that Beer's latest bit of whining is going to elicit even so much as an annoyed snort from them.

  9. Apple have been doing this for years by Anonymous Coward · · Score: 0

    Why do they not update the Python 2.7.10 in their systems? Because there's a needed security hole.
    Why do they wait for 10 months to patch security holes in critical components even when all the work is done and handed to them? Because there's a needed security hole.
    Why do they routinely ignore security researchers reports on security issues in iOS and macOS? Because they are lying assholes.

    If you think your Apple device is secure, then you're just lying to yourself.

    1. Re: Apple have been doing this for years by Anonymous Coward · · Score: 0

      Never seen an Android manufacturer taken to court by the FBI because they could not break into their phones.

  10. I wish I could say I'm surprised by hyades1 · · Score: 3, Insightful

    So some prick in marketing decided it looks bad if Apple actually admits there were some security problems with its OS, even though they were dealt with promptly and competently after Project Zero found them. Having been in that kind of meeting before, I could probably write a near-verbatim transcript of the little bastard's remarks even without having been in the room to hear them.

    Said prick should be fired on the spot "pour encourager les autres", because the Project Zero people are 100% right about how users look at updates. If they know there's a security issue, they'll probably install it in a timely manner, or at least be especially alert for problems. If there isn't a warning, basic user experience, no matter what operating system they use, has proved time and again it's sensible to wait for a while after an update is rolled out to see whether problems emerge in a week or two that weren't immediately obvious.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  11. uhh, what about ISIS? by Anonymous Coward · · Score: 0

    They aren't reporting they've fixed all the ISIS exploits? ISIS had 100s of exploits all infecting terrorist bugs 24/7 basically Obama's whole second term. Can we get a list of THAT? Started around 2013 when John Brennan became CIA director, and ended around 2017 when Trump took over and replaced Brennan with Pompeo.

    1. Re: uhh, what about ISIS? by Anonymous Coward · · Score: 0

      Obama defeated ISIS and killed their leader, you cuck. Something your boy ol' W couldn't do for 7 years. Pansy.

  12. Figure is accurate by SuperKendall · · Score: 1

    > You might want to re-check that figure. Even if it's just *one* person out of the entire 7+ billion that exist on the entire planet, that's still a lot more, as a percentage

    Incorrect, that percentage was scientifically calculated using Wolfram Alpha, by asking it how many people cared and to what degree did they actually care.

    I should have presented the error though, it's a figure accurate to 0.0000000000000000000000000000000000000000000000000000000000000000000000%.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re: Figure is accurate by Anonymous Coward · · Score: 0

      Super fag doll keeps putting himself at risk. Keep it up you cuck

  13. Insecure locked down devices... by Vapula · · Score: 1

    Google should just stop caring about iOS bugs and let Apple learn about them the hard way...

    When many fAnboys will have been bitten again and again by bugs, Apple's image will be way less the image of a "secure device which never has critical bugs".

    Also, IT departments should be able to make serious decisions about the security (or insecurity) of a device before allowing it on the enterprise network... which means having correct bug disclosure...

  14. Cucumbers by Anonymous Coward · · Score: 0

    Apple's security bulletins also neglect to mention the presence of cucumbers in its software.

  15. Apple lovers defend anything by zedaroca · · Score: 1

    They are now defending that it's ok for Apple to hide from the user that the devices had security problems.
    Update notes should include what changed, especially security changes. It doesn't matter that most people would update anyway. The people not updating might read the notes and understand that it is just to slow their phones down so that they buy a new one (a very common complaint among iPhone users) when in reality there was a legit reason to update.

    1. Re:Apple lovers defend anything by Anonymous Coward · · Score: 0

      I'm having a hard time deciding which is worse, Apple providing updates but not being clear about what is in them (while fixing the security issues) or Android providing updates but not to all phones, and not to all at similar timelines, but yet being clear about the bugs that are now fixed (and often not yet fixed due to lack of availability.) Actually this isn't a hard thing to determine at all. As the owner of an early Moto E that basically got NO security updates this discussion is ludicrous.