Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years

[oldschool]

I understand what Project Zero does. But why do they take it upon themselves to talk to the press about a vulnerability in a competitor's product, six months after the fact? Mind you, this vuln was discovered in February, and patched a week after it was discovered. My answer: because their employer has suffered a double-whammy of bad press over the past few weeks, taking a second hit just a few days ago.

Is Google secretly, quietly hoping for that to happen by releasing these exploits publicly on the day the launch date of the iPhone 11 was confirmed? I suppose it’s possible, but it’s hard to argue that Google’s behavior has been anything other than a model here. Google’s Project Zero team, which identified the exploit chains, gave Apple six months’ advance notice about the vulnerabilities before releasing any information to the public, and then provided full, detailed descriptions of the vulnerabilities and malware. And Beer is very measured in his criticism in the announcement post on the Project Zero blog—he acknowledges that all devices are vulnerable without calling out Apple specifically. He writes:

Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. … All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.

If anything, his goal seems to be merely leveling the playing field a little bit by pushing back on the public perception of iPhones as being far more secure than other mobile devices. And if Apple and Google decided to compete on security by trying to see which company could find the most serious vulnerabilities in the other’s mobile operating system, well, that would be a pretty great outcome for all of us.

What You Need to Know About the iPhone Malware News

So maybe it doesn’t actually cost $1 million to get into your iPhone—what do we do now?

slate.com

 

[ebocious]

Is Google secretly, quietly hoping for that to happen by releasing these exploits publicly on the day the launch date of the iPhone 11 was confirmed? I suppose it’s possible, but it’s hard to argue that Google’s behavior has been anything other than a model here. Google’s Project Zero team, which identified the exploit chains, gave Apple six months’ advance notice about the vulnerabilities before releasing any information to the public, and then provided full, detailed descriptions of the vulnerabilities and malware. And Beer is very measured in his criticism in the announcement post on the Project Zero blog—he acknowledges that all devices are vulnerable without calling out Apple specifically. He writes:

If anything, his goal seems to be merely leveling the playing field a little bit by pushing back on the public perception of iPhones as being far more secure than other mobile devices. And if Apple and Google decided to compete on security by trying to see which company could find the most serious vulnerabilities in the other’s mobile operating system, well, that would be a pretty great outcome for all of us.

What You Need to Know About the iPhone Malware News

So maybe it doesn’t actually cost $1 million to get into your iPhone—what do we do now?

slate.com

If you read my whole post, you would see that Apple released a patch within 7 days after being notified of the vulnerability. Your second point is exactly what I was getting at: his goal was to save face for Google by taking a shot at Apple, and pointing out a vulnerability that had long since been patched.

 

[upnorth]

 

[ebocious]

Project Zero notified Apple of the vulnerability on 2/1/19, and Apple patched it on 2/7/19 with iOS 12.1.4.

 

[oldschool]

If you read my whole post, you would see that Apple released a patch within 7 days after being notified of the vulnerability. Your second point is exactly what I was getting at: his goal was to save face for Google by taking a shot at Apple, and pointing out a vulnerability that had long since been patched.

This excerpt from the article (not its entirety) is the author's point of view and not necessarily mine. And I did read your entire post.

@ebocious Here's another excerpt, in case you didn't read the whole article:

The malware identified by Google targets every version of the iPhone’s operating system released in recent years from iOS 10 through iOS 12, up until the iOS 12.1.4 update released earlier this year, which patched the relevant vulnerabilities. Google alerted Apple to the five distinct exploit chains it had identified targeting iOS back at the beginning of February, prompting the update, which was issued a week later. The prompt patch in response to Google’s alert is to Apple’s credit,

 

[ebocious]

This excerpt from the article (not its entirety) is the author's point of view and not necessarily mine. And I did read your entire post.

Right. And so far, I've read articles in two different places that state the bugs were patched in February. Yet, if you look at Mikko's post, he's not telling that to anybody; he's making it sound like it was discovered last week, and has been a MULTI-YEAR campaign (I guess 2017-2019 can be considered multiple years, since two is technically plural). So, he's got bloggers telling everybody that Armageddon is coming, and they'd better scramble to download and install iOS 12.4.1, when the issue has nothing to do with 12.4.1. It was fixed six updates prior with 12.1.4.

 

[ebocious]

@ebocious Here's another excerpt, in case you didn't read the whole article:

The malware identified by Google targets every version of the iPhone’s operating system released in recent years from iOS 10 through iOS 12, up until the iOS 12.1.4 update released earlier this year, which patched the relevant vulnerabilities. Google alerted Apple to the five distinct exploit chains it had identified targeting iOS back at the beginning of February, prompting the update, which was issued a week later. The prompt patch in response to Google’s alert is to Apple’s credit,

My previous post addresses this.

 

[upnorth]

100% genuine guessing, quote : " imagine, thought " what Mikko Hypponen thinking! Seriously!? What a funny guy. Maybe just read what Mikko typed instead would help.

 

[codswollip]

These sites are dark-funded by Google?

 

[ebocious]

These sites are dark-funded by Google?

Who knows? They won't tell us anything about the sites.

100% genuine guessing, quote : " imagine, thought " what Mikko Hypponen thinking! Seriously!? What a funny guy. Maybe just read what Mikko typed instead would help.

I did. Did you?

Seriously, after I did all that research to unravel Google's web, you're going to accuse me of not reading? How about learning to read between the lines? I hate to tell you this, but people lie, and people hide things. They've been doing it since biblical times. And in all odds, they were doing it before that. Businessmen lie, politicians lie, private citizens lie, and even marines lie. Be skeptical of anything anyone tells you, even if it's your own mother.

If you're going to accuse me of not reading what Mikko posted, at least clarify what I should have been reading. Otherwise, I assume you are an Android user who was hurt by my comments, and nothing more. I'm sorry if I hurt your feelings. My goal is to get to the bottom of this. If I have to go back to Android and download AppGuard to feel safer, then I might do that. But whatever the situation is, I refuse to let bias cloud my judgment.

 

[Burrito]

Update --

Apple slams Google for causing havoc among iPhone users

Google’s Project Zero team recently discovered an iPhone hack that potentially harmed devices for at least two years.

www.hindustantimes.com

Hard to know who to believe.

In this case, my instinct tells me that Apple is being more truthful than Google.

But I dunno.

 

[Threadripper]

Apparently these websites could also infect Android phones and Windows PCs, if it's true then this is a pretty big detail that Google didn't reveal.