On the 28th of August, Google's Project Zero division which finds and reports security vulnerabilities, issued a very detailed blog post entitled "A very deep dive into iOS Exploit chains found in the wild", but Apple has struck back with a pointed message.
UPDATE: Google has issued a statement to The Verge, responding to Apple's statement. Google's statement is at the end of this article.
First, some background. Google noted its "Threat Analysis Group" or TAG team had "discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day".
Ian Beer of Project Zero continued, stating: "There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.
"I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple's software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we'll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users."
The rest of the analysis from Beer and Project Zero can be found here, which is definitely worth reading, but what did Apple have to say in response?
Well, a week later, Apple has issued a response entitled "A message about iOS security".
Apple's statement is reprinted in full, below:
"Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.
"First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
"Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
"Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
"Security is a never-ending journey and our customers can be confident we are working for them. iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. Our product security teams around the world are constantly iterating to introduce new protections and patch vulnerabilities as soon as they’re found. We will never stop our tireless work to keep our users safe."
So, Apple has responded at long last, and suggests things were nowhere near as dire as Google suggested, even though Apple did admit the website attacks were operational for roughly two months.
Let us hope that Apple, Google, Microsoft and others have quadrupled their efforts to proactively find these vulnerabilities and squash them as quickly and as definitively as possible.
These vulnerabilities are extremely serious and threaten the security and privacy of all users, especially when of the "zero day" variety where the Apples, Googles, Microsofts and others of the world can't protect their users from.
Of course, Google's Android is not immune to hackers by any means, nor is Microsoft, or Facebook and others, so the old adage about throwing stones in glass houses is apt for all players.
As former US President Ronald Reagan said, freedom is not passed down through the bloodline to every new generation, but must be fought for and preserved.
Ultimately, no device can be guaranteed to be completely 100% secure, ever, so it is a reminder of the fragility of security and privacy for us all, and how we must be the ones to pass freedom, security and privacy on to future generations - lest we be the ones to tell our grandchildren what it was once like to live in a world where freedom, security and privacy were taken for granted – but aren't any more.
We don't live in that particular future yet. Let us hope that we never do.
Update: Google issued a statement to The Verge:
"Project Zero posts technical research that is designed to advance the understanding of security vulnerabilities, which leads to better defensive strategies. We stand by our in-depth research which was written to focus on the technical aspects of these vulnerabilities. We will continue to work with Apple and other leading companies to help keep people safe online."