Apple Disputes Google's Report On Serious iOS Security Exploits

In Newsroom article today, Apple responded to a report by Google's Project Zero that was published last week in which claims that they found multiple severe iOS vulnerabilities that permitted malicious websites to access a victim's device, and were able to obtain private data like messages, photos, etc. Although they have now been resolved, some of the security flaws have been abused for several years.

According to Apple, the attack was rather "narrow-focused" than a broad-based exploit of iPhone as outlined. Apple also accuses that Google has created a false impression of mass exploitation, causing fear among users. Furthermore, malicious websites were only operational for two months, not two years. Plus, the vulnerabilities were already fixed 10 days after Apple learned about it, even before Google approached them.

Below is the full letter from Apple:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We've heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. We fixed the vulnerabilities in question in February -- working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they're found. We will never stop our tireless work to keep our users safe.
Google in response said: "Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online." (Via The Verge)

Post a Comment

Previous Post Next Post