When Google posted the Project Zero articles, that did not impact my view of Apple in any way.

Google claimed an exploit was being actively used for two+ years (with no evidence beyond a variety of versions being exploited, which could also simply be the targeting of different versions). They also added editorial narrative like "we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users." They then obviously sideband released the group that was targeted, making it a big news story. Unstated was that the same sites had Android and Windows exploits on them.

Project Zero is hugely valuable, but this was the first time it seemed like it became a marketing tool, using classic media release patterns for the biggest bang. Android is by far the most popular OS, with many serious exploits over its history (a 0-day privilege elevation was just released by third parties) -- does anyone remember Project Zero doing such an analysis of Android bugs?



> "we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users."

This really ground my gears as well. You've just published lengthy posts on how to exploit these complicated vulnerabilities and chain them together; it's unlikely testing could have caught all of them.

And testing for security is entirely different from QA.

Do tell me, Google, how is Stagefright going? Did you try QA'ing it?


I suggest you read the actual case of code that contained a trivial bug: https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-e...


If it was so trivial, why didn't anyone find it before? The source is open. PZ only found it after finding these sites exploiting it. Unused code is not uncommon.

The point is, all software has bugs; but there's no way Google can know what "QA" iOS goes through, and to pretend it's nothing is ridiculous. There's plenty of examples out there of code being reviewed by several super clever people, and yet they miss something. Trying to work backwards from a bug without the context of actually working in the team that wrote the code never works.


> If it was so trivial, why didn't anyone find it before? The source is open. PZ only found it after finding these sites exploiting it.

No; as the first sentence states, Project Zero found this independently:

> This exploit chain is a three way collision between this attacker group, Brandon Azad from Project Zero, and @S0rryMybad from 360 security.

(For what it's worth, this ended up in a jailbreak too, and has its own blog post: https://googleprojectzero.blogspot.com/2019/01/voucherswap-e...).

> Unused code is not uncommon. The point is, all software has bugs; but there's no way Google can know what "QA" iOS goes through, and to pretend it's nothing is ridiculous.

It isn't uncommon, but it is clear that the code was not QA'd, for the reasons given in the article: trying to call this method would instantly panic the kernel (which is easy to triage; you don't even have to have much knowledge of the iOS QA process to guess that).


> No; as the first sentence states, Project Zero found this independently:

Oops, my bad, I had in my head the opening of the first post talking about how they had come across the sites using these exploits.

I think we agree that this piece of code was not well tested. Where I think I set my expectations of Apple lower is that this code was never used, essentially forgotten about, and that I've literally done this myself. And I simply don't believe you can tell simply from a bug whether "QA" happened or not.

Why I give the benefit of the doubt to Apple here is that it's not in something that is called every day on normal devices. It's not in a part of the OS that sees constant use. If this error occurred (and yes, I'm aware that the end result is the same) in, say, the network stack or media stack, then I'd start having my doubts, since they regularly process untrusted data, and Apple should have proactively checked, just like Android now does with Stagefright. But this was in an essentially undeclared API that was never even used by Apple themselves. I think this was more a fuck-up rather than not doing their jobs.

As a side note, whilst I do have an iPhone, my 2015 MacBook runs Linux and I generally don't consider myself an "Apple fanboy".


> Unstated was that the same sites had 0-day Android and Windows exploits on them.

Have any source for that?


I was lazy in saying 0-day because details of them are not out (though coincidentally a privilege elevation 0-day was just revealed for Android). However reports are that any Android version was being used to report a comprehensive list of information about the device, and that there were Windows exploits as well. Which of course there was as presumably they'd comprise the vast majority of the targeted group.


> does anyone remember Project Zero doing such an analysis of Android bugs?

Yes, many times in fact. So besides that "question" just being a terrible "Whataboutism" fallacy, it's also just wrong.

From 2019 alone here's a handful of deep-dives into issues with Google software (well the last is linux but is done against Android specifically): https://googleprojectzero.blogspot.com/2019/03/android-messa... https://googleprojectzero.blogspot.com/2019/04/virtually-unl... https://googleprojectzero.blogspot.com/2019/02/the-curious-c... https://googleprojectzero.blogspot.com/2019/01/taking-page-f...


Which fallacy is it when you dismiss something cogent and pertinent by misappropriating a fallacy? Remarkably it's probably the most common fallacy of all.

"Whataboutism" is entirely off base because that isn't what I did whatsoever.

We're talking about the motives of literal Google employees. Finding and reporting bugs is hugely important for everyone, but they sure are making a lot of noise, and adding a lot of narrative and PR tactics, for a long patched iOS bug.

Or maybe it's just that Android bugs are expected, so they don't get much attention any more?

"handful of deep-dives into issues with Google software"

First one I went into -- third party reported, widely known problem in external graphics library. Project Zero did not find it, did not report it, and this is just tourism after the fact that points the finger outwards.

Second one -- Linux kernel. Pointing the finger outwards.

Third one -- Clear fault in Chrome, but conclusion is that it's actually the fault of ASLR and that the OS isn't memory-bounding Chrome. Pointing the finger outwards.

Fourth one -- Tiny post that says it found a "couple" of bugs that are probably not exploitable. Bug minimization.

They have another that attacks Samsung software. Pointing the finger outwards.

This isn't a hugely compelling example of their intentions. Show me one where they make the extraordinary claim that it was long exploited without any evidence whatsoever (elsewhere you claimed that Google knew because they "crawl", but in actuality this Project Zero claim was made purely based upon the span of versions the bug targeted), or make editorial comments about QA or source control processes. Instead it looks an awful lot like hand-washing.


> elsewhere you claimed that Google knew because they "crawl"

I most certainly did not.

> First one I went into -- third party reported, widely known problem in external graphics library. Project Zero did not find it, did not report it, and this is just tourism after the fact that points the finger outwards.

You specifically asked if Project Zero did such a public analysis of a bug, which that post is exactly. If you wanted Project Zero discovered issues there's a whole boatload of them on their issue tracker.

> Or maybe it's just that Android bugs are expected, so they don't get much attention any more?

More whataboutism. And also wrong.

> This isn't a hugely compelling example of their intentions. Show me one where they make the extraordinary claim that it was long exploited without any evidence whatsoever (elsewhere you claimed that Google knew because they "crawl", but in actuality this Project Zero claim was made purely based upon the span of versions the bug targeted), or make editorial comments about QA or source control processes. Instead it looks an awful lot like hand-washing.

Show me one where they do that about iOS. You are reading things that aren't there. Google did not make any extraordinary claims. Kinda like how you accused me of claiming "Google knew because they 'crawl'".

The "editorial comments" on code review/QA are covered in the follow-up posts. Notably, task_swap_mach_voucher, when called with a valid voucher, would kernel panic. There is no charitable explanation for kernel calls that are reachable by any application and never work. The "editorial comments" that you are objecting to are, if anything, too soft in their phrasing.


"You specifically asked if Project Zero did such a public analysis of a bug, which that post is exactly."

What I "specifically asked" is if they've done anything like this regarding an Android bug. Not if they've ever reported in a passing sense, and in a blame-everyone-else-way about an Android bug.

"More whataboutism"

You keep using that word. I do not think it means what you think it means.

Ergo, again we're talking about a huge reporting cycle based upon a Project Zero release. If you think it's whataboutism you're digging really deep to try to prove your rightness (in a very Trumpian sense -- Alabama Alabama Alabama).

"I most certainly did not."

Yeah, you did. You claimed that Apple couldn't know how long it was exploited, yet Google -- because of their crawling -- could. The only possible basis for your argument was what I said (because obviously a widely targeted version base is because there are users out there with that version base, in the same way that a 0-day today for Android 8 doesn't suddenly mean it was invented two years ago, which would be a monumentally stupid claim that would be instantly discredited by anyone who put even a modicum of thought into it).

https://news.ycombinator.com/item?id=20899249


You are responding to the wrong query. Of course PZ has done articles on Android. The point is that none of those articles read like

> a marketing tool, using classic media release patterns for the biggest bang

OP's point is that the article on the iPhone definitely reads like this.


The iPhone article doesn't read like that, either. The news articles sensationalized it, but the PZ post didn't.