
Apple is trying to challenge the iOS security bombshell dropped by Google



Apple is arguing a rebuttal to the iOS security bombshell dropped by Google

Apple has been seeking to dispute some minor details of last week's bombshell report that, for at least two years, customers' iOS devices were vulnerable to a string of zero-day exploits, at least some of which were actively used to install malware that stole location data, passwords, encryption keys, and a host of other highly sensitive data.

Google Project Zero said the attacks were carried out indiscriminately by a small collection of websites that "received thousands of visitors a week." One of the five exploit chains analyzed by Project Zero's researchers showed that "they were likely written at the same time as their supported iOS versions." The researchers' conclusion: "This group has had the capability to fully compromise iPhones for at least two years."

Earlier this week, researchers at security firm Volexity reported that they had identified 11 websites serving the interests of Uighur Muslims, which the researchers believe are linked to the attacks identified by Project Zero. The Volexity post is based in part on a TechCrunch report citing unnamed people familiar with the attacks who say they are the work of a nation, possibly China, designed to target the Uighur community in Xinjiang.

Breaking the Silence

For a week, Apple said nothing about any of the reports. Then, on Friday, it came out with a statement that critics described as tone deaf because of its lack of sensitivity to human rights and its quibbling over minor points. Apple officials wrote:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We have heard from customers who were concerned by some of the claims, and we want to make sure that all of our customers have the facts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google's post, issued six months after iOS patches were released, creates the false impression of "mass exploitation" to "monitor the private activities of entire populations in real time," stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google's post implies. We fixed the vulnerabilities in question in February, working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Security is a never-ending journey and our customers can be confident that we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they are found. We will never stop our tireless work to keep our users safe.

One of the things most deserving of criticism is the lack of sensitivity the statement shows to the Uighur population, which has faced hacking campaigns, internment camps, and other forms of persecution by the Chinese government over the last decade or more. Instead of condemning a fearsome espionage campaign carried out against a vulnerable group of iOS users, Apple appears to be using it to reassure the masses that they were not targeted. Conspicuously missing from the statement is any mention of China.

Nicholas Weaver, a researcher at the International Computer Science Institute at UC Berkeley, summarized much of this criticism in a tweet: "What worries me most about Apple these days is that they are entirely beholden to the Chinese market and as such they refuse to say anything like 'A government intent on ethnic cleansing of a minority population carried out a massive hacking attack on our users.'"

The statement also seems to seize on the fact that "fewer than a dozen" sites were involved in the campaign as another mitigating factor. Project Zero was clear all along that the number of sites was "small" and that they had only a few thousand visitors each month. More importantly, the size of the campaign reflects decisions taken by the attackers and has little or nothing to do with the security of the iPhones themselves.

Two months or two years?

One of the few factual assertions Apple makes in the statement is that the websites probably only operated for about two months. A careful reading of the Project Zero report shows that the researchers never stated how long the sites had been actively and indiscriminately exploiting iPhone users. Rather, according to the report, an analysis of the five attack chains, made up of 14 separate exploits, suggests that they gave the hackers the ability to infect a fully up-to-date iPhone for at least two years.

These points prompted satirical tweets, such as this one from Juan Andres Guerrero-Saade, a researcher at Alphabet-owned Chronicle: "'It didn't happen the way they said it happened but it did happen but it's not bad and it's just Uighurs so you shouldn't worry though. There's no advice to give here. Just move along.'"

Satire aside, Apple claims the evidence suggests that the sites Google said were indiscriminately exploiting iOS vulnerabilities only operated for two months, and, according to ZDNet, a security researcher at RiskIQ claims to have uncovered evidence that the websites did not indiscriminately attack iOS users but rather only visitors from certain countries and communities.

If either of these points is true, it is worth noting, since almost all media reports (including the one from Ars) have claimed that the sites had been indiscriminately exploiting iPhones for at least two years. Apple had the opportunity to clarify this issue and say exactly what it knew about the active use of the five iPhone exploit chains found by Project Zero. But Friday's statement said nothing about it, and Apple representatives did not respond to a request for comment. A Google spokesman said he did not know exactly how long the small collection of websites described in the report had been operating. He said he would try to find out, but did not respond further.

In a statement, Google officials wrote: "Project Zero publishes technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research, which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."

A Missed Opportunity

Former NSA hacker and Rendition Infosec founder Jake Williams told Ars that, ultimately, the length of time the sites operated was insignificant. "I don't know that those other 22 months matter," he explained. "Their statement appears to be more of a straw man to deflect from the human rights abuses."

Also missing from Apple's statement is any response to the blistering criticism the Project Zero report made of Apple's development process, which the report said missed vulnerabilities that in many cases should have been easily caught by standard quality assurance processes.

"I'll explore what I consider to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple's software development lifecycle," Project Zero researcher Ian Beer wrote in an overview of last week's report. "The root causes I highlight here are not novel and are often overlooked: we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users."

Another key criticism is that Apple's statement has the potential to alienate Project Zero, which, according to a Google spokesman, has so far privately reported more than 200 Apple vulnerabilities. It's easy to imagine that last week's deep-dive report, which documents what is arguably the worst iOS security event in its 12-year history, was not easy for Apple to read. But publicly disputing a key ally over such small details, without offering new evidence, does not create the best optics for Apple.

Apple could have apologized to the victims, thanked the researchers who uncovered the systemic failures that caused the lapse, and explained how it plans to do better in the future. It did none of these things. Now the company is distancing itself from the security community at the moment it needs it most.
