Apple Downplays iPhone Security Issue

Last week, Google security researchers said that they had discovered a two-year-long vulnerability in Apple’s iPhones. Today, Apple claimed that Google overstated the nature of the resulting attack and that it timed its revelations to undermine sales of the next iPhones.

According to researchers at Google’s Project Zero, who look for zero-day vulnerabilities, hackers exploited 14 different software flaws in iOS, 7 of which specifically targeted Safari, to install malware and access various iPhone features, including passwords, iMessage conversations, and GPS data. The vulnerabilities had been exploited for months, they said, and targeted a small number of websites.

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

But as it turns out, Apple disagrees with many of these points. And it challenges both the content and the timing of the Google revelations.

“The sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described [by Google],” an Apple statement explains. “The attack affected fewer than a dozen websites that focus on content related to the Uighur community [only].”

Google’s blog post, Apple says, was issued six months after Apple released patches to fix the flaw. “[This] creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real-time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case,” Apple added.

“All evidence indicates that these website attacks were only operational for a brief period, roughly two months, not ‘two years’ as Google implies,” Apple continued. “We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.”

Worst of all, perhaps, Google Project Zero suddenly went public with information about the months-old flaws on the same day that Apple announced its September 10 iPhone event. Did Google time this revelation purposefully to undermine the new iPhones? It’s a good question.

 

Share post

Please check our Community Guidelines before commenting

Conversation 47 comments

  • Ben Lee

    06 September, 2019 - 4:37 pm

    <p>It's an extremly arrogant and dissmissive response from Apple. Dismissing who it's targetting and what the targeting could of led too. The details were release around infosec security confrence season as the white hats who discovered the explots presented there findings to the community. The details also took months to research after being discovered. It was a professional and targeted attack, suspected by the PRC, on the <strong>Rohingya</strong> people or anyone trying to support and assist them. It does really show Apple's true colours in stark light though.</p>

    • Ben Lee

      06 September, 2019 - 5:00 pm

      <blockquote><em><a href="#461102">In reply to Ben Lee:</a></em></blockquote><p>Alex Stamos sums it up nicely in his re-written verson.</p><p><br></p><p>https://twitter.com/alexstamos/status/1170076262078939136</p><p><br></p><p><img src="https://pbs.twimg.com/media/EDzyKCfUEAAZ9LT?format=jpg&amp;name=small"><img src=""></p>

    • jwpear

      Premium Member
      06 September, 2019 - 6:34 pm

      <blockquote><em><a href="#461102">In reply to Ben Lee:</a></em></blockquote><p>Is it arrogant? Maybe. Maybe not. I have a hard time believing Google's motivation for this is purely to protect the innocent people of the world. They stand to gain from uncertainty about products that compete with them. The response authored by Alex Stamos is marketing fluff to me. It doesn't feel genuine. In fact, the tone, especially referring to Google as colleagues, feels more arrogant to me.</p>

      • Ben Lee

        07 September, 2019 - 9:13 am

        <blockquote><em><a href="#461258">In reply to jwpear:</a></em></blockquote><p>That's a miss understaing of the security industry, most you speak with feel anyone in the industry is a college rather than a competitor. I agree Stamos alternate is marketing fluff too, though I feel he was tryiong to represent Apple's language.</p>

    • jimchamplin

      Premium Member
      06 September, 2019 - 6:56 pm

      <blockquote><em><a href="#461102">In reply to Ben Lee:</a></em></blockquote><p>It's neither arrogant or dismissive.</p><p><br></p><p>Google acted in bad faith by "reporting" on an already-closed hole in such a hyped up way. Misrepresenting the time frame and turning the hyperbole up even one notch turns it into even more obvious theater. Apple has every right to slap back at Google for what they did.</p><p><br></p><p>Realize that you're defending Google turning security research and reporting literally into clickbait.</p>

      • wright_is

        Premium Member
        07 September, 2019 - 3:51 am

        <blockquote><em><a href="#461293">In reply to jimchamplin:</a></em></blockquote><p>I agree that Google's actions are suspect and not in accordance with their own reporting guidelines.</p><p>But, on the other hand, it is also a poor show on Apple to say that it only affected a politically repressed minority and it isn't worth talking about.</p><p>A security hole is a security hole. Trying to push it under the carpet as not worth mentioning, because it only affected a few repressed people is disgusting.</p><p>If they had just said that it was a chain of serious bugs had been patched 6 months ago and as far as can be seen, it had only be used in a targeted, state sponsored attack and the general iPhone population were not targeted, that would be fine. </p><p>To try and quash the whole thing as not worth reporting at all is wrong and robs them of the justification of pointing out Google could have used it for political timing. They could have come out looking like they had been wronged by Google, but they managed to turn that around to look like a petulant child trying to cover up their own guilt.</p><p>Both parties are equally bad here.</p>

        • sandy

          07 September, 2019 - 5:27 am

          <blockquote><em><a href="#461539">In reply to wright_is:</a></em></blockquote><p>Just because Google only found a few sites exploiting these serious bugs doesn't mean there may not have been some others exploiting it in similarly targeted ways.</p><p><br></p><p>On the timing of Google's announcement; l<span style="background-color: rgb(255, 255, 255);">et's not assume malice when incompetence is equally possible.</span></p><p>Much as I dislike Google, Project Zero generally do excellent work which helps everyone on the Internet, so despite them not always sticking to their 90-day limit (e.g. bugs in Google products compared to a recent example with a Microsoft bug, and <span style="background-color: rgb(255, 255, 255);">6 months for Spectre/Meltdown</span>), I'll give them the benefit of the doubt as to whether it was deliberately timed shortly ahead of Apple's event vs they scheduled it for security conference season, or they didn't fully document everything before their (northern) summer holidays, or just forgot to announce details months ago.</p><p>As to the suggestion of Google exaggerating this, I didn't get that from the coverage I've seen &amp; heard; it seemed clear that Apple had fixed at least one exploit required in February so it wasn't a risk since then.</p><p>Apple shouldn't downplay this; they can't have it both ways by claiming to be the most secure yet have a tantrum when embarrassed like this. (And as others have said no software is perfect.)</p>

      • Ben Lee

        07 September, 2019 - 9:09 am

        <blockquote><em><a href="#461293">In reply to jimchamplin:</a></em></blockquote><p>Google did not turn this into clickbait. They released a highly technical description of the exploit chain. Have you read the blog post by Projext Zero? it is anything but clickbait.</p>

        • wright_is

          Premium Member
          08 September, 2019 - 2:21 am

          <blockquote><em><a href="#461660">In reply to Ben Lee:</a></em></blockquote><p>Yes, but you have to ask why they ignored their own guidelines and released this 6 months after they normally would have… In the past they have been all to happy to release the details after 90 days, even if the company working on the patches needs an extra couple of days or weeks to get the patch tested and released. Now, for some reason, they have ignored their own 90 day deadline and have waited ~180 days <em>after</em> the patch was released.</p>

  • RonV42

    Premium Member
    06 September, 2019 - 4:58 pm

    <p>Part of me thinks Google's project zero team does time things to embarrass their competition. </p>

    • ChristopherCollins

      Premium Member
      06 September, 2019 - 11:04 pm

      <blockquote><em><a href="#461122">In reply to RonV42:</a></em></blockquote><p>I agree. I wish Apple and MS would band together and just toss out Android and Chrome OS flaws. There are plenty of them. Someone needs to teach Google a bug lesson.</p>

      • wright_is

        Premium Member
        07 September, 2019 - 3:41 am

        <blockquote><em><a href="#461440">In reply to ChristopherCollins:</a></em></blockquote><p>Microsoft do, regularly, but they don't usually make such a big thing of it.</p>

  • Stooks

    06 September, 2019 - 4:58 pm

    <p>"<span style="color: rgb(0, 0, 0);">Worst of all, perhaps, Google Project Zero suddenly went public with information about the months-old flaws on the same day that Apple announced its September 10 iPhone event"</span></p><p><br></p><p>If they did this for the purpose of hurting Apple it was a really, really dumb move. Google IMHO is suffering from bad press caused by their privacy and bias stances. Trust in Google is going down and they are lumped in with Facebook when it comes to trust.</p><p><br></p><p>Apple should run an ad stating how many apps were pulled from the Google store because of Malware vs the iOS store. I do remember the news story about how Google said they removed over 700,000 apps from the play store in 2017 because of malware. That is simply insane and I wonder how anyone would consider Android even remotely secure???</p><p><br></p><p>Thankfully there are plenty of options when it comes to Google services, save for YouTube. </p>

    • Thomas Parkison

      06 September, 2019 - 6:39 pm

      <p>&gt; That is simply insane and I wonder how anyone would consider Android even remotely secure???</p><p>I've been saying this for quite some time, how Google has not been able to get a handle on this issue is beyond me. They have the people to do this, yet this problem still exists and has been a problem since Android first came on the scene.</p><p><br></p><p>Combine this with the fact that if you don't have a Google branded device and a security patch comes out, you're pretty much SOL. Samsung? SOL. LG? SOL. OK, Nokia pushes out updates on a timely manner but they're probably the only third-party Android OEM that does security patching right.</p>

      • RobertJasiek

        07 September, 2019 - 2:05 am

        <blockquote><em><a href="#461260">In reply to trparky:</a></em></blockquote><p>No, because Nokia provides security updates for only three years.</p>

  • Lateef Alabi-Oki

    06 September, 2019 - 5:44 pm

    <p>Wow! This exposure by Google must have really hurt Apple for them to respond in the most irresponsible manner yet. They sound butthurt and tone deaf. This will only serve to motivate Project Zero to discredit the so-called "security and privacy" platitudes of Apple's software platform, which for those of us in the know, has mostly been marketing and PR BS.</p>

    • Thomas Parkison

      06 September, 2019 - 6:34 pm

      <blockquote><em><a href="#461177">In reply to mystilleef:</a></em></blockquote><p>When it comes to security, patches that is, Apple is way ahead of Google Android in the sense that the moment Apple releases a security patch all iPhones across the world get it. We can't say that about Android except for Google's own branded devices. Got a Samsung? You're SOL.</p>

      • Lateef Alabi-Oki

        06 September, 2019 - 7:47 pm

        <blockquote><em><a href="#461257">In reply to trparky:</a></em></blockquote><p><br></p><p>You're right. But you're also entertaining a false equivalence. Isn't it a bit disingenuous to blame Google for Samsung's irresponsibility?</p><p><br></p><p>If Google pushes out monthly security fixes to Android, and Samsung refuses to push those fixes to their users, is Google or Android at fault here? </p><p><br></p><p>The answer is obvious. Android is just as secure as iOS, some may argue more, if you buy from a vendor that cares about security.</p>

        • Jeffsters

          07 September, 2019 - 9:45 am

          <blockquote><em><a href="#461335">In reply to mystilleef:</a></em></blockquote><p>Google created the licensing for Android and had the power to require security updates as a condition of licensing. They didn’t and now users pay the price. I find it amusing to read the usual anti-Apple Cabal invent issues then make excuses for Google.</p>

  • F4IL

    06 September, 2019 - 6:25 pm

    <p>&gt; … stoking fear among all iPhone users …</p><p>Huh? As if the job of security researchers is to somehow make Apple users feel better?</p><p>&gt; Did Google time this revelation purposefully to undermine the new iPhones? It’s a good question.</p><p>Although it is a question, it is irrelevant. What matters is that as a result of the disclosures the secfixes were pushed out, making Apple customers safer. Feeling safe is not the same as being safe.</p><p>The paternalistic tone of Apple's response seems to clearly prioritize squashing anything that would hurt their corporate image, at the expense of hurting their customers.</p>

  • Chris_Kez

    Premium Member
    06 September, 2019 - 8:32 pm

    <p>I'd like to see Google partner with Microsoft, Apple and other big players and spin out the Project Zero team into a truly independent group. That would go a long way towards reducing both the likelihood and appearance of impropriety or playing favorites.</p>

    • wright_is

      Premium Member
      07 September, 2019 - 3:41 am

      <blockquote><em><a href="#461346">In reply to Chris_Kez:</a></em></blockquote><p>Google and Microsoft already both have their own teams.</p>

      • Chris_Kez

        Premium Member
        07 September, 2019 - 7:58 am

        <blockquote><em><a href="#461537">In reply to wright_is:</a></em></blockquote><p>That makes three teams with potential conflicts of interest. My point was I'd rather see these people work together, and do so as an <em>independent</em> team with no direct corporate ties.</p>

        • Ben Lee

          07 September, 2019 - 9:16 am

          <blockquote><em><a href="#461632">In reply to Chris_Kez:</a></em></blockquote><p>I think you'll be surprised to learn how much security teams like these actually do communicate between each other. </p>

  • red.radar

    Premium Member
    06 September, 2019 - 9:54 pm

    <p><br></p><p>I think it’s time that the industry clamp down on these security exploit publications. </p><p><br></p><p>We we should have a more orderly and transparent governance process for communicating vulnerabilities. We need to remove the potential for companies to stock pile vulnerabilities and exploiting the information. </p><p><br></p><p>This shouldn’t be an issue or even a consideration. It’s time the industry forms a standards body that self polices and is neutral or we get the government to set policies. </p><p><br></p><p>This information should never be weaponized in this manner it Puts company welfare in front of people’s personal informational security. </p><p><br></p><p><br></p>

  • Awhispersecho

    Premium Member
    07 September, 2019 - 1:04 am

    <p>Why Google has been allowed to do this to MS and now Apple and whoever else they may choose boggles my mind. It's childish, it's dangerous. Hey let's announce security holes to the world so that everyone can have their devices hacked because we are petty little pricks. I am not an Apple fan and I don't really care about MS anymore but this is just dirty and pathetic and looks so immature every time they do this. I give Apple some credit for pushing back, all MS ever does it cower down, put their tales between their legs and beg for forgiveness while rushing out a fix. </p>

    • wright_is

      Premium Member
      07 September, 2019 - 3:40 am

      <blockquote><em><a href="#461504">In reply to Awhispersecho:</a></em></blockquote><p>See above, the holes were patched long ago, and Google usually announce what they found after 90 days or when the patches are released. Either they were caught napping or they waited until it could trump Apple's news cycle.</p><p>It is dirty of Google, unless it was an oversight (which seems unlikely), but not in the way you describe.</p>

  • wocowboy

    Premium Member
    07 September, 2019 - 2:08 am

    <p>Trying to create a stir on the day an event was announced for the launch of new devices while not following the usual protocol of giving a certain number of days for Apple to react and patch the flaws is shady conduct no matter how you look at it. The extremely narrow nature of the exploit and its deployment, plus the fact that these flaws were patched months ago within days of their disclosure, makes this very much a non-issue and a tempest in a teapot. Yes, these OS's have flaws, that's nothing new, and they are for sale everywhere and new ones are found every single day. There evidently is nothing that can be done about it other than being diligent in evaluating and patching them. It doesn't matter whether it's Google, Microsoft, or Apple. </p>

    • wright_is

      Premium Member
      07 September, 2019 - 3:38 am

      <blockquote><em><a href="#461517">In reply to wocowboy:</a></em></blockquote><p>Erm, the flaws were already patched… 6 months ago…</p><p>Usually Google announce the issue at the same time the manufacturer patches, or after 90 days if the manufacturer doesn't respond or is slow to bring out a patch. That is what is different here, they waited 6 months, instead of the usual 3, which is odd. They don't usually miss an opportunity to blow their own trumpet as soon as possible.</p><p>I think Apple is getting in a tizzey about nothing, but it certainly seems that Google broke their own 90 day rule for political reasons.</p><p>Although it did come just as the securtiy conferences wound down. Something like this should have been a headliner at DefCon, for example, not an afterthought.</p>

      • wocowboy

        Premium Member
        08 September, 2019 - 3:46 am

        <blockquote><em><a href="#461535">In reply to wright_is:</a></em></blockquote><blockquote><em>Right, these flaws were patched a long time ago. The normal procedure I was talking about is the one where when a security flaw is found, the party who finds the flaw informs the company with the flaw and they have something like 30 days to fix it before the discoverer can make it public. (I heard what this time frame is but do not remember the exact number of days is.) In this case, Google found the flaw way back earlier in the year, but only gave Apple a week or two before they threatened to make it public. And now Google came out with this new statement in September, many months after the flaw was originally found, and fixed. This was deliberately designed to cause the most embarrassment and stress for Apple instead of giving them the normal amount of time to fix the problem. This tactic has been used before, it's nothing new, but it does not excuse Google from using it. </em></blockquote><p><br></p>

        • wright_is

          Premium Member
          09 September, 2019 - 5:44 am

          <blockquote><em><a href="#462184">In reply to wocowboy:</a></em></blockquote><p>Normally it is 90 days. If the company releases the patches sooner, Google Zero Day will usually announce their findings early. If the company is late, GZD will still, usually, release the information after 90 days.</p><p>They have waited something approaching 180 since Apple released the patches, as I said above. That certainly looks dodgy.</p><p>But Apple playing hurt and trying to say it was only a vulnerable community that was targeted doesn't help their case either.</p>

  • dontbeevil

    07 September, 2019 - 5:37 am

    <p><span style="color: rgb(34, 34, 34);">but but apple security is the best … they were just lucky because of low market share, more market share for them, more security flaws for everybody, will be fun</span></p>

  • arthemis

    07 September, 2019 - 7:57 am

    <p>Well, i can belive that about Google. The 90-ish Microsoft resurrected in our time. Is there something that company do that doesnt smell of dickiness?</p>

    • Tony Barrett

      07 September, 2019 - 8:08 am

      <blockquote><em><a href="#461631">In reply to arthemis:</a></em></blockquote><p>Actually Google's Project Zero do a good job, and give a company a number of months before making a public announcement. Apple may downplay the exploits, but for them, brand image is everything, and they don't want to risk tarnishing that brand at all. In truth, iOS has been exploited a number of times – it's nothing new, despite how Apple spin it.</p><p>Yes, Google's timing could have been better in relation to Apple's keynote, but then I think all we're going to get is more of the same and announcements 95% the same as the last 5 years!</p>

  • Jeffsters

    07 September, 2019 - 9:48 am

    <p> Usually have no issue with Project Zero but this announcement was just weird, and looking back, outside the norm. But, hey, wasn’t this the same day, or week, we found out, yet again, that 2 million Google App Store users had downloaded applications with hidden spyware or something? Humm…</p>

  • joinncc.online

    07 September, 2019 - 10:04 am

    <p><span style="color: rgb(0, 0, 0);">You're Right. But you're also entertaining a false equivalence. Isn't it a bit disingenuous to blame Google for Samsung's </span><a href="https://www.joinncc.online/2019/09/air-force-rank-in-india.html&quot; target="_blank" style="color: rgb(0, 0, 0);">irresponsibility</a><span style="color: rgb(0, 0, 0);">?</span></p><p><br></p>

  • MikeGalos

    07 September, 2019 - 10:21 am

    <p>Honestly, a plague on both their houses. </p><p>Google uses "Project Zero" as a marketing attack tool.</p><p>Apple should have been able to fix this serious flaw quickly since it was accidentally turning off old code and if it was months old and they fixed it within 10 days then what was the patch they issued last week in response to the Google press release?</p><p>Neither one takes security seriously.</p><p><br></p><p>To me, though, the interesting part of this story is that the known exploit, at least according to Apple, was targeting the Uighur community and was sophisticated. I assume the "sophisticated" part was the payload itself since exploiting the bug was trivial. </p><p><br></p><p>A sophisticated exploit targeting the Uighur people is almost certainly written by the Chinese People's Liberation Army who has been known to use cyberwar tools against people the Chinese government is targeting.</p><p><br></p><p>Now, there being open discrepancy of the facts published by the two largest phone OS vendors about a Chinese government attack at a time when both are trying to curry favor with the Chinese government about their sales in China is a sign we'll likely never see the real answers.</p><p><br></p>

    • dontbeevil

      07 September, 2019 - 3:55 pm

      <blockquote><em><a href="#461709">In reply to MikeGalos:</a></em></blockquote><p>ypu're totally right, but it's apple not ms</p>

      • MikeGalos

        07 September, 2019 - 9:26 pm

        <blockquote><em><a href="#461942">In reply to dontbeevil:</a></em></blockquote><p>You think Microsoft is sucking up to the Chinese government to help sell their phones?</p>

        • dontbeevil

          08 September, 2019 - 4:46 am

          <blockquote><em><a href="#462109">In reply to MikeGalos:</a></em></blockquote><p>shhh you cannot say this things here, "s<em style="background-color: rgb(255, 255, 255);">ome pretentious tech blogger has to remind his tech-infatuated (and probably Apple-loving) readers" (using paul words) will not appreciate</em></p>

        • nbplopes

          09 September, 2019 - 8:47 pm

          <blockquote><em><a href="#462109">In reply to MikeGalos:</a></em></blockquote><p><br></p><p>So Google states that will comply with the huawei embargo imposed for security and market malpractice reasons, says the Gov, MS states that it will not. Who is currying favours to whom really?</p><p><br></p><p>PS: regardless of what I think about US Gov vs Huawei situation.</p>

  • SvenJ

    07 September, 2019 - 12:35 pm

    <p>I have read in various places, the affected websites, did not only attack exploits in Safari/Apple/iOS, but Chrome/Android and Windows as well. * If that is indeed the case, Project Zero's failure to note that, and target Apple, and the timing, supports the assertion that this was 'business' not altruistic. </p><p><br></p><p>*"<span style="color: rgb(34, 34, 34); background-color: rgb(255, 255, 255);">and it turns out neither was the fact that Android and Windows were also affected."</span></p><p>https://www.redmondpie.com/apple-addresses-google-project-zero-report-on-ios-security-calls-it-misleading/</p&gt;

  • jedwards87

    07 September, 2019 - 11:20 pm

    <p>From what I understand these exploits also affected Android and Windows yet Google (And Pauls article) failed to mention that. Has Google patched it yet ? What about MS ?</p>

    • MikeGalos

      08 September, 2019 - 10:26 am

      <blockquote><em><a href="#462132">In reply to jedwards87:</a></em></blockquote><p>You understand wrong. The bug that opened the security hole was code in iOS that was accidently disabled in an update. This was a simple coding error and not some subtle conceptual error that affected all OSs. </p><p><br></p><p>It was mentioned in the article on the bug when it was reported here as how jailbreaking was enabled again in an article by Mehedi on August 19th and again in Mehedi's article on Apple's emergency patch fixing the bug on August 26th.</p><p><br></p>

  • AnOldAmigaUser

    Premium Member
    08 September, 2019 - 11:18 am

    <p>Is Google being a corporate jerk? Based on the fact that these flaws were disclosed so long after being patched, and so close to an Apple announcement, and becaue, well Google…yeah, most definitely.</p><p>Is Apple overreacting to this because they market iPhones as being secure? Yeah.</p><p>Does any of this matter to the Uighers who are now in "re-education" camps because they were the target of this state sponsored hack? Unfortunately not.</p>

  • waethorn

    08 September, 2019 - 12:07 pm

    <p>Apple likes to dance around their words carefully for fear that they would lose their profit-maximizing slave labour in China by upsetting The Party.</p>

  • nbplopes

    09 September, 2019 - 8:30 pm

    <p>So this was an attack done months ago, for which in January there was a patch to fix it by Apple, and now there is a blog post made by Google security researchers just telling all the story 6 months after the fact, it just happens to be<span style="color: rgb(0, 0, 0);"> a week before the iPhone is launched</span>, claiming the discovery of the bug.</p><p><br></p><p>Have I understood this well or missed something?</p><p><br></p><p>Is this the way Google takes security seriously, including their customers?</p><p><br></p><p>By the way. I believe that companies making software that act has data processors should be required by law to disclose any security breach to data of their customer within a determined time. At least in Europe they are, 60 days or so … I see a law suit coming towards Apple in Europe as they seam to have failed to do so 🙂 </p><p><br></p><p>EDIT: Ops, that is just for data in the Clouds, not data stored locally :)</p>

Windows Intelligence In Your Inbox

Sign up for our new free newsletter to get three time-saving tips each Friday

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Thurrott © 2024 Thurrott LLC