Google warns Apple: Missing bugs in your security bulletins are 'disincentive to patch'

Google's Project Zero has again called Apple out for silently patching flaws.
Written by Liam Tung, Contributing Writer

Apple has secretly patched a bunch of high-severity bugs reported to it by Google's Project Zero researchers.

The move has resulted in Google's Project Zero once again calling Apple out for fixing iOS and macOS security flaws without documenting them in public security advisories.

While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed.

This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years.

Beer posted a blog about several vulnerabilities he found in iOS 7 in 2014 that share traits with several bugs he has since found in iOS 11.4.1, for some of which he has now released exploits.

Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues.


"Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer.

"In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."

In other instances, such as one macOS bug Beer reported, Apple did actually assign a CVE, but it still hasn't updated the relevant security bulletin to reflect the fix.

Apple similarly allocated CVE-2018-4337 to another high-severity iOS bug, which was fixed in iOS 12, but isn't currently acknowledged in the iOS 12 security bulletin.

In another case, Apple fixed a bug that affected iOS and macOS but didn't assign a CVE or mention it in the security bulletins.

Beyond discouraging end users from patching their iPhones and Macs, Beer points out in another bug report that Apple's lack of public acknowledgement leaves him no way of knowing whether the issue is a duplicate that another researcher may already have found.

As he notes in the blog, many of the bugs he has found in iOS are very similar or identical to bugs found by the noted jailbreaking group Pangu Team.
