Hard to tell what’s really going on here from this article. Although it seems like five vulnerabilities were fixed and one remains (and Google is being unusually patient about the sixth issue).
One thing I’ve always struggled with is the strategy of these white hat teams. I’m sure Google Zero spends a lot of time on Apple because Apple is an enormous company, large partner, and competitor in some spaces.
So now I wonder: does the release of vulnerabilities ever get affected by business agenda?
I assume it has to, although I’m not sure of the agenda here. In this case, iMessage is in direct competition with a Google SMS protocol (although Google’s hasn’t gained much traction). Maybe the vuln is less impressive than saying, “there’s one more”?
iMessage is better software now than it was before this disclosure. I don't think that logic really works. If Google wanted to be evil and damage Apple, they would have leaked the vulnerabilities to the press and not bothered to work with them for a fix. If they wanted to be really evil, they could have leaked them to black hats first and waited for a real zero day before talking to the press.
Instead, they worked together to fix the bugs. This is exactly what we want; there is no better resolution.
These guys are the best experts in the world and Apple is getting free work done. Who cares if Apple is angry, Google made their software slightly safer and probably put the iMessage dev team on their toes (as they should be).
Apple carefully controls its messaging to its customers. With Google able to disclose software security flaws, and Apple not able to keep up in fixing them (some non-trivial), it puts some control into the hands of Google.
Doesn't the article say that 5/6 were fixed? And that the 6th isn't disclosed yet, as the 90 day period isn't up yet? Seems like Apple is keeping up reasonably well, wrt disclosure windows.
That doesn’t mean they aren’t upset. Two years ago I spoke with someone on the CoreOS team at a conference and he expressed dissatisfaction at Project Zero. It forces them to halt other work they are doing to design fixes for these bugs, as they often get pressure from Google close to the 90-day window. One fix, he explained, related to process management and would affect all OS builds. Getting that fix integrated and tested into all recent macOS and iOS versions takes time, despite the 90-day window.
They now claim it's secure again because they are encrypting internal traffic. It's such a high priority and centralized target with so much valuable intelligence that any such claims have to be taken with a grain of salt.
Naturally it's hard to keep track of all their cute code names; at the end of the day all the data ends up queryable by analysts with nothing resembling a warrant process.
PRISM wasn't a vulnerability; Google (et al.) was basically forced to build a system to automatically handle FISA warrants data requests. For example, a single warrant signed in a secret court would request all data for a person of interest plus one or more hops of every person they communicated with, which got funnelled through the PRISM system to multiple tech companies in the US simultaneously, which then got fed back into XKeyScore for agents to go through the data and do graph analysis.
Which is still really bad but not the same as these software vulnerabilities.
Project Zero, as evident from their bug tracker¹, is a Chrome security effort. It looks at everything in the browsing stack — Chrome, libraries, plugins, OS, processors, proxies — presumably because security can be broken anywhere in the chain.