Last week, Google security researchers said that they had discovered a two-year-long vulnerability in Apple’s iPhones. Today, Apple claimed that Google overstated the nature of the resulting attack and that it timed its revelations to undermine sales of the next iPhones.
According to researchers at Google’s Project Zero, who look for zero-day vulnerabilities, hackers exploited 14 different software flaws in iOS, 7 of which specifically targeted Safari, to install malware and access various iPhone features, including passwords, iMessage conversations, and GPS data. The vulnerabilities had been exploited for months, they said, and targeted a small number of websites.
But as it turns out, Apple disagrees with many of these points. And it challenges both the content and the timing of the Google revelations.
“The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described [by Google],” an Apple statement explains. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community [only].”
Google’s blog post, Apple says, was issued six months after Apple released patches to fix the flaw. “[This] creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real-time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case,” Apple added.
“All evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” Apple continued. “We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.”
Worst of all, perhaps, Google Project Zero suddenly went public with information about the months-old flaws on the same day that Apple announced its September 10 iPhone event. Did Google time this revelation purposefully to undermine the new iPhones? It’s a good question.
Stooks
"Worst of all, perhaps, Google Project Zero suddenly went public with information about the months-old flaws on the same day that Apple announced its September 10 iPhone event"

If they did this for the purpose of hurting Apple it was a really, really dumb move. Google IMHO is suffering from bad press caused by their privacy and bias stances. Trust in Google is going down and they are lumped in with Facebook when it comes to trust.

Apple should run an ad stating how many apps were pulled from the Google store because of Malware vs the iOS store. I do remember the news story about how Google said they removed over 700,000 apps from the play store in 2017 because of malware. That is simply insane and I wonder how anyone would consider Android even remotely secure???

Thankfully there are plenty of options when it comes to Google services, save for YouTube.
Lateef Alabi-Oki
Wow! This exposure by Google must have really hurt Apple for them to respond in the most irresponsible manner yet. They sound butthurt and tone deaf. This will only serve to motivate Project Zero to discredit the so-called "security and privacy" platitudes of Apple's software platform, which for those of us in the know, has mostly been marketing and PR BS.
Lateef Alabi-Oki
In reply to trparky:

You're right. But you're also entertaining a false equivalence. Isn't it a bit disingenuous to blame Google for Samsung's irresponsibility?

If Google pushes out monthly security fixes to Android, and Samsung refuses to push those fixes to their users, is Google or Android at fault here?

The answer is obvious. Android is just as secure as iOS, some may argue more, if you buy from a vendor that cares about security.
wocowboy
Premium Member

Trying to create a stir on the day an event was announced for the launch of new devices while not following the usual protocol of giving a certain number of days for Apple to react and patch the flaws is shady conduct no matter how you look at it. The extremely narrow nature of the exploit and its deployment, plus the fact that these flaws were patched months ago within days of their disclosure, makes this very much a non-issue and a tempest in a teapot. Yes, these OS's have flaws, that's nothing new, and they are for sale everywhere and new ones are found every single day. There evidently is nothing that can be done about it other than being diligent in evaluating and patching them. It doesn't matter whether it's Google, Microsoft, or Apple.
wocowboy
Premium Member

In reply to wright_is:

Right, these flaws were patched a long time ago. The normal procedure I was talking about is the one where when a security flaw is found, the party who finds the flaw informs the company with the flaw and they have something like 30 days to fix it before the discoverer can make it public. (I heard what this time frame is but do not remember what the exact number of days is.) In this case, Google found the flaw way back earlier in the year, but only gave Apple a week or two before they threatened to make it public. And now Google came out with this new statement in September, many months after the flaw was originally found, and fixed. This was deliberately designed to cause the most embarrassment and stress for Apple instead of giving them the normal amount of time to fix the problem. This tactic has been used before, it's nothing new, but it does not excuse Google from using it.
dontbeevil
but but apple security is the best … they were just lucky because of low market share, more market share for them, more security flaws for everybody, will be fun
dontbeevil
In reply to MikeGalos:

you're totally right, but it's apple not ms
dontbeevil
In reply to MikeGalos:

shhh you cannot say these things here, "some pretentious tech blogger has to remind his tech-infatuated (and probably Apple-loving) readers" (using Paul's words) will not appreciate
jedwards87
From what I understand these exploits also affected Android and Windows yet Google (and Paul's article) failed to mention that. Has Google patched it yet? What about MS?