The way in which recent iOS vulnerabilities discovered by Google’s Project Zero were used was “unprecedented,” according to a security expert. Thomas Reed, Director of Mac & Mobile at Malwarebytes, also criticized Apple for a “lackluster” statement on the issue.
iOS Vulnerabilities ‘a Big Deal’
Google researchers revealed that a series of malicious websites took advantage of iOS zero-day exploits. Mr. Reed told TMO that they “aren’t a big deal because they exist, but because of the way they were being used.” He explained:
We’re used to iOS vulnerabilities being carefully guarded and used for very targeted attacks, so this incident where China was using them to infect visitors of a number of websites is unprecedented.
However, Mr. Reed noted that some recent reporting suggested the attacks may have been more targeted than was originally thought. For example, reports indicated that the Chinese state used the vulnerabilities to spy on Uighur Muslims.
He also reiterated the importance of users keeping their operating system up-to-date. He noted that while “most of the vulnerabilities involved had already been patched,” they “were still being used because people often don’t update iOS in a timely fashion.”
Apple’s ‘Lackluster’ Response
As to where fault for the issue lies, Mr. Reed pointed the finger, in part, at Apple. He said:
As for whose fault it is, I suppose that in a way it’s Apple’s fault — after all, it’s their system, and it had vulnerabilities. But all software has vulnerabilities, and it’s important to understand that and not attack a vendor simply because their software was vulnerable.
He explained that while “Apple did fix the zero-days very quickly, once they were discovered” its “statement was very lackluster, essentially downplaying the attack and pointing fingers at Google, rather than owning the issue.” Mr. Reed further criticized the fact that “both [Apple] and Google Project Zero sat on this news for six months (for unknown reasons).”
Google is also at fault for not publishing a list of affected domains, leaving the security community guessing as to who was affected. I feel Apple has a legitimate gripe about that aspect of the Project Zero report, which caused more fear than was warranted.