Google's 'Project Zero' Hid A Major Vulnerability in Apple's OS and iOS Cores (thestack.com)
In June Google's task-force against zero day exploits "identified a coding exploit in the underlying kernel of Apple's OSX and its mobile operating system iOS, which could allow for root-level escalation of privileges for an attacker in a non-updated version of the OS," according to The Stack.
An anonymous reader writes that Google "initially refused Apple's request for sixty days' grace, but eventually settled on September 21st for disclosure. But when Apple's last-minute September fix turned out to be ineffective, Project Zero agreed to keep quiet, eventually granting Apple nearly five months of silence about the task_t bug -- which has now been fixed in the latest updates to Mac OS and iOS." The fix was released Monday, the Stack reports: Since the task_t bug allows the user to gain any entitlements they may want, it could also nullify kernel code signing, which would allow unauthorized programs to run with elevated privileges on a Mac system. Any current OSX or iOS user who has applied the latest system updates is not susceptible to the task_t vulnerability.
Where exactly was the bug... (Score:1)
Was this a unix-linux level bug that would affect all systems built on top or was this an OS X/iOS-induced bug from layers that sit on top of the kernel? Were BSD-derived systems similarly affected, or Android systems?
Is there a counterpart in the wild in Linux-land?
Re: (Score:3)
It was a performance hack for a microkernel system, so no. Apple had to do some extensive reworking to fix it, so it seems sensible to me to cut them some slack in this case.
Re: (Score:1, Insightful)
You mean they had to pretend to fix it while at the same time punch and obfuscate one of comparable magnitude for the no search agency to use.
FUCK OFF.
AND DIE.
Re: (Score:2)
OSX and iOS are based on NextSTEP:
http://arstechnica.com/apple/2... [arstechnica.com]
https://en.wikipedia.org/wiki/... [wikipedia.org]
Back on topic; Project Zero went the ethical way.
Re: (Score:2)
OSX and iOS are based on NextSTEP:
http://arstechnica.com/apple/2... [arstechnica.com]
https://en.wikipedia.org/wiki/... [wikipedia.org]
Back on topic; Project Zero went the ethical way.
You mean only AFTER Apple BEGGED them, don't you?
Who knows what really went on behind the scene. But still; Project Zero went the ethical way whatever the reason.
Re: (Score:2)
Until older machines (like the millions of 32 bit intel and PPC macs) get fixed, the ethical solution didn't happen. Is Google big enough to force Apple to fix those? If you think the recent IoT bot net was bad, just wait for those millions of older macs to get p0wned. The unsupported old macs don't get thrown away, they get handed down and they are still out there on the net waiting to cause problems. The software update option appears to still work even on my old mac mini g4 that wants to update printer dr
Re: (Score:2)
I get your point.
It all boils down to the right time to go full disclosure.
Too early; systems don't get time to be patched. Too late; information eventually leaks and prices on the black market go down to "buy" the exploit so it becomes easier and more common to see it used.
That's what I meant about ethical solution. Lately, we see more and more people publicly disclosing holes without even warning the developers. So yes, at least Project Zero seems to have made an effort regarding full disclosure time.
As f
Re: (Score:2)
I am glad you looked at the link I provided. Congratulations!
Re: (Score:2)
Are you sure you can read?
OP asked:
"Was this a unix-linux level bug?"
Can't you notice the "linux" in there?
And... linux has got nothing to do with it. Linux is not BSD; it is minix.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
skankhunt42, is that you? ;-)
https://www.youtube.com/watch?... [youtube.com]
https://www.google.com/search?... [google.com]
Re: (Score:2)
Re: a lot of Google personnel uses Macs (Score:2)
Sued for what? There's no legal remedy for somebody making truthful statements. It just happens to be common industry practice to give some time for a patch to be made while making full public disclosure an ultimatum for somebody not releasing timely patches.
A lot of armchair-lawyer-Microsoft-fanboys like to fault Google for disclosing a windows bug after such a notice just because Microsoft themselves complained about it, but Google didn't break any laws, let alone any industry norms at the time, so go put
Re: (Score:2)
I can name that mitigation in a one-step operation.
1. Throw your iPhone into a wood chipper. Done!
Re: (Score:2)
You are thinking of libel. Disclosing details of a vulnerability that can be used maliciously is a gray area. It's been covered by EFF and a blackhat presentation, and it's not as cut-and-dry as you asserted.
How is it a legal gray area? Who has been successfully prosecuted for it?
Re: (Score:1)
Sued for what?
Heresy against the Church of Apple. Burning at the stake, or drawing and quartering, are the only reasonable remedies in this case.
Re: (Score:2)
That the plaintiff himself made possible by his very own neglect. That's like suing someone for sending pictures of you cheating on your wife to her and you want to get compensation for the divorce.
Re: (Score:2)
If data is released when found, the holes can be patched quickly and a world of really great security researchers can help comment on the issue and help.
Why wait a longer time for an in house fix with even the slightest risk of an issue being in use in the wild for the same time?
Report on detection, get the community to fix. Days of wai
Title Editors Should Do Better (Score:1)
oh you fool, there are no editors (Score:2)
How is this a problem, exactly? (Score:5, Insightful)
Isn't the point of eventual disclosure to force coders/companies not to ignore bugs?
Yes, Google found a bug. But Apple didn't ignore it - their initial patch just wasn't effective. They were obviously actively working to solve the problem... so why should Google have released the exploit?
Re: (Score:2)
Did you read the summary? Apple's initial fix didn't work well, so Google responsibly allowed Apple more time to fix the vulnerability.
That is speculation. Apple was actively working on it a
Re: (Score:1)
Did you read the summary? Apple's initial fix didn't work well, so Google responsibly allowed Apple more time to fix the vulnerability.
Yes I did. And it was about allowing them 60 days, which, since the fix didn't even solve the problem completely, became 5 months.
It likely didn't have to take 60 days or 5 months if that wasn't the time they had available to them but since it was that's how long it took. It's like there in Sweden where what the municipality get for each refugee "child" is $77 000 / year and hence that's what their solutions end up costing (or more since so many arrived), if they had only been offered $20 000 / year then they
Re: (Score:2)
Yet the vulnerability was fixed and it allowed Apple to push out an update.
Or the more likely scenario would be that the same number of engineers will still work on the vulnerability, except now an exploit was disclosed putting people
Re: (Score:1)
Whenever a change is made to the software, especially something as complicated as an OS, you need to allow time for regression testing to make sure the modification doesn't introduce a different vulnerability elsewhere.
Whenever you have a vulnerability as serious as this one, you better make sure that those regression tests go quickly.....faster than five months.
Not that I care, iOS should be liberated from its walled garden, and privilege escalation exploits are the way to do that.
Re: (Score:2)
Or the more likely scenario would be that the same number of engineers will still work on the vulnerability, except now an exploit was disclosed putting people at risk.
Has there been a case where that has actually happened? In that a known full access exploit in Microsoft or Apple products has been allowed to take five months to fix? How much negative publicity wouldn't Apple have gotten if it really took them five months to fix it with lots of exploited Apple devices all over the world? Samsung Note 7 would quickly have moved back to device issue #2?
Whenever a change is made to the software, especially something as complicated as an OS, you need to allow time for regression testing to make sure the modification doesn't introduce a different vulnerability elsewhere.
I know nothing about the vulnerability and where it existed so I can't comment on that.
Re: (Score:3)
Yes because if this had happened with Android, Google would have quickly issued a patch for all phones introduced since 2012 and all of the affected Android devices could have downloaded the patch immediately without having to wait on the OEMs and the carriers....
Now back to the real world....
Re: (Score:2)
How many non-tethered jailbreaks have been available for the iPhone recently? The reason that the jailbreak being "non tethered" is important is because a tethered jailbreak implies physical access to the phone and the ability to unlock it.
A tethered jailbreak isn't a major security risk.
Re: (Score:2, Insightful)
Ah yes, the old "you can speed up anything by throwing more people at it," argument.
Have you ever worked in any professional engineering role? I suspect not, since you seem completely unaware of the need to understand the issue, develop a reasonable solution, implement that solution, test the solution, and then roll it out to the world. All of these take a commodity
Re: (Score:1)
Re: (Score:3)
Or would it?
This is a kernel level bug. Kernel bugs are extremely tricky and from the looks of it, it's a core kernel issue. This level of code is at the core - make a mistake here and the kernel stops working.
Hell, at this level of code, few people actually even know how it works. So you can't even throw more bodies at it, because those bodies just don't exist
Re: (Score:3)
Re: (Score:1, Interesting)
Re: (Score:2)
Google has a history of just releasing the exploit with regard to companies where Brin/Page aren't majorly invested (e.g. Microsoft), when they need extra time to finalize the fixes. One of them (I forget which) was on the apple board until the Android release made them competitors.
About time (Score:2)
It's been a long time waiting on a jailbreak since they got so valuable. I'd do the same thing "Hmmmm... release this as a jailbreak, or sell it for a million bucks..."
This looks easy enough to get working and is current up to 10.0.2 or whatever the latest was.
Phrasing! Click bait headline. (Score:5, Informative)
Using the words "hid a major vulnerability" is misleading. It implies Google infiltrated Apple source code to implant an exploit. Google didn't hide shit. They found the exploit, informed Apple, and kept quiet about it for the safety of the users.
Re: (Score:2)
Using the words "hid a major vulnerability" is misleading. It implies Google infiltrated Apple source code to implant an exploit. Google didn't hide shit. They found the exploit, informed Apple, and kept quiet about it for the safety of the users.
I wish you had posted this before I blew all of my mod points.
Re: (Score:3)
Fixed in 10.10.5, 10.11.6, 10.12 -- NOT just 10.12 (Score:5, Informative)
safe (Score:3, Funny)
double standards (Score:2)
that pretty much sucks to keep it hidden for 5 months.
all the while releasing a windows vulnerability before a patch is out.
sounds like double standards to me.