Google Warns Apple: Missing Bugs in Your Security Bulletins Are 'Disincentive To Patch' (zdnet.com)
Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.
Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."
It's hard to make a fair comparison. How many of those Android users who haven't updated even had the option?
Google didn't mention to anyone the issues they had with Google Plus. That said, Apple's devices have always been better updated than any Android device. Apple provides OS updates and patches for about 5 years on their phones whereas Android updates are very hit or miss except for Google's own phones. You're lucky if you get 2 years on major phones and less on cheap ones.
And when Apple does put out an update, every phone and tablet will nag you to death to get it installed. Every day it will ask you to install it or remind you later. So, they never have to tell you what they're patching, or what they're changing - you update just to get rid of the daily annoying popup.
So some prick in marketing decided it looks bad if Apple actually admits there were some security problems with its OS, even though they were dealt with promptly and competently after Project Zero found them. Having been in that kind of meeting before, I could probably write a near-verbatim transcript of the little bastard's remarks even without having been in the room to hear them.
Said prick should be fired on the spot "pour encourager les autres", because the Project Zero people are 100% right about how users look at updates. If they know there's a security issue, they'll probably install it in a timely manner, or at least be especially alert for problems. If there isn't a warning, basic user experience, no matter what operating system they use, has proved time and again it's sensible to wait for a while after an update is rolled out to see whether problems emerge in a week or two that weren't immediately obvious.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
"eh, this patch only fixes *four* critical vulnerabilities, I think I can just ignore that, I'll hold out for AT LEAST six before I bother to update." - said no one, ever.
Even after ignoring the fact that almost no one reads the fine details on what got patched, by far the biggest "disincentives" to patching are (A) annoyingly over-frequent updates (can you say FLASH?), and (B) device reboots / downtime for the update. You want to improve and speed adoption of security updates? That's what you need to be focusing on, not more detailed release notes.
I work for the Department of Redundancy Department.