Google Warns Apple: Missing Bugs in Your Security Bulletins Are 'Disincentive To Patch' (zdnet.com)
Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.
Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."
Reality distortion field (Score:1)
Reality distortion field needs to be kept intact. Security problems? What security problems? Apple devices are perfect!
Hard to argue it's much of a disincentive (Score:5, Interesting)
iOS12 despite being less than a month old, is on something like 50% of active devices now - who else achieves that kind of patch rate?
Most users will never even look at basic patch notes, much less security info. The people it might disincentive are maybe 0.00000000000000000000000000000000000001% of the user base.
Maybe.
That said I totally agree they SHOULD say when a security bug is fixed so at least everyone has a better idea of what has improved without testing.
Re: Hard to argue it's much of a disincentive (Score:4, Insightful)
Re: (Score:1)
these professional settings need to know how to evaluate the importance of updates.
There is more than enough information in updates to evaluate installation - you can't evaluate something based on a negative, like "well it only fixes 5 of ten vulnerabilities so we are going to wait". No, you are going to fix the five you know about - and then later are happy if it fixes a few more.
This is also why I greatly prefer the Android patching model, where security patches are separated from "feature" updates.
Appl
Re: (Score:3)
BTW around 0.0000001% would be enough for the people who actually wrote the patch notes.
But Google, on its own apps, is not really clear about what its fixes are.
My phone had a Google Chrome update here are the update notes:
Thanks for choosing Chrome! The new design that we launched previously is now visible to everyone. In addition, this version includes:
* Bug fixes and design polish for the redesign
* Updates to how Chrome launches other apps to improve reliability and security.
* Fixes to authentication issues caused by using out-of-date cookies. Let us know if you encounter any issues with signing in or out of websites.
There isn't really that much detail on what the problem is.
I updated anyway even without reading it. A security update is a security update. Unless I am researching a particular security glitch, I really don't know or care what it was, just as long as it is more secure after the patch than it wa
Re:Hard to argue it's much of a disincentive (Score:4, Insightful)
"eh, this patch only fixes *four* critical vulnerabilities, I think I can just ignore that, I'll hold out for AT LEAST six before I bother to update." - said no one, ever.
Even after ignoring the fact that almost no one reads the fine details on what got patched, by far the biggest "disincentives" to patching are (A) annoyingly over-frequent (can you say FLASH?), and (B) device reboots / downtime for the update. You want to improve and speed adoption of security updates? That's what you need to be focusing on, not more detailed release notes.
Figure is accurate (Score:2)
You might want to re-check that figure. Even if it's just *one* person out of the entire 7+ billion that exist on the entire planet, that's still a lot more, as a percentage
Incorrect, that percentage was scientifically calculated using Wolfram Alpha, by asking it how many people cared and to what degree did they actually care.
I should have presented the error though, it's a figure accurate to 0.0000000000000000000000000000000000000000000000000000000000000000000000%.
Re: (Score:2)
The people it might disincentive are maybe 0.00000000000000000000000000000000000001% of the user base.
I told you at least 1000000000000000000000 times to stop exaggerating...
This is funny coming from Google (Score:4, Insightful)
Google didn't mention to anyone the issues they had with Google Plus. That said, Apple's devices have always been better updated than any Android device. Apple provides OS updates and patches for about 5 years on their phones whereas Android updates are very hit or miss except for Google's own phones. You're lucky if you get 2 years on major phones and less on cheap ones.
And when Apple does put out an update, every phone and tablet will nag you to death to get it installed. Every day it will ask you to install it or remind you later. So, they never have to tell you what they're patching, or what they're changing - you update just to get rid of the daily annoying popup.
Re: (Score:1)
Project Zero also treats Google properties differently than non-Google entities. It’s as much a marketing arm of the company as it is a security group.
(I’ve given specific examples of this before - search my comment history back a few years, if you care)
Users should be in the habit of upgrading (Score:4, Interesting)
The reason that iOS has an upgrade rate that's 10x that of Android is because Apple has conditioned its users to constantly upgrade their OS. My wife upgrades her iPhone without knowing or caring what's in the update. It's always something that makes her phone better in her mind. The only people who care about CVEs are security researchers and extreme geeks like me.
If you say "iOS 11.4.1 fixed CVE-2018-4293 which allowed cookies to persist unexpectedly in CFNetwork calls" to 99.99% of Apple's customers, the only word in that sentence that they might understand is cookies, and their take is "cookies are bad". Putting this in the patch notes doesn't mean anything to regular humans, and it shouldn't.
People should be able to trust that their device manufacturer will keep their phone safe. Apple is the only phone manufacturer (except maybe Google) that does this, and they're the only one people trust to do so.
Re: (Score:2)
People should be able to trust that their device manufacturer will keep their phone safe. Apple is the only phone manufacturer (except maybe Google) that does this
Google helps people trust that their phone is safe? LOL!
Google's publishing "This minor security patch plugs bug X" means that blackhats can easily know that every Android version up to the unpatched version is vulnerable, and we all know that Android's update model is a dog's breakfast, so broken that few phones will ever be updated to receive the patch. After a month, what has been the average percentage of Android devices with up-to-date security patches? 2%? 5%? A whopping 7%?
Google is working on improving
Re: (Score:2)
I don't like software that adds new features along with fixes. I just want fixes, and not new features. I don't want my hardware and software to become slower!
Re: (Score:3)
Re: (Score:2)
The reason that iOS has an upgrade rate that's 10x that of Android is because Apple has conditioned its users to constantly upgrade their OS.
I think it's more because (most) Android users are at the mercy of their manufacturer and carrier putting out an update. They're not really that interested in doing it, so most users get maybe one major version upgrade, and then some security patches, and then that's it. Whereas Apple upgrades all devices if it's compatible with the new OS version.
I call bull (Score:3)
... The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. ...
I would argue that the details about exactly what bugs -- or even how many bugs, for that matter -- are entirely immaterial to whether or not the vast majority of iOS users are going to install any given security patch. It's pretty simple, actually: release a patch, and tell users that it's related to security. That's it; no further details are necessary. Frankly, most people either don't understand or don't care about the details; their behavior isn't going to be changed in the least by those few extra words that they aren't going to bother reading anyway. And the people who would actually read (and understand) those details fall into two basic categories: those who will patch immediately, regardless of the details, (because, security!!) and those who will delay patching for as long as they reasonably can, regardless of the details. (An obvious example of the latter could be IT types, who are required to manage large numbers of end-user devices.)
No; I think Fratric and Beer are both missing the forest for the trees, and I think there's a pretty obvious reason: all they really care about is their fifteen seconds of fame... that little bit of acknowledgement from Apple, that they done good. Unfortunately for them, Apple happens to know their target audience pretty well, so it's not particularly likely that Beer's latest bit of whining is going to elicit even so much as an annoyed snort from them.
I wish I could say I'm surprised (Score:4, Insightful)
So some prick in marketing decided it looks bad if Apple actually admits there were some security problems with its OS, even though they were dealt with promptly and competently after Project Zero found them. Having been in that kind of meeting before, I could probably write a near-verbatim transcript of the little bastard's remarks even without having been in the room to hear them.
Said prick should be fired on the spot "pour encourager les autres", because the Project Zero people are 100% right about how users look at updates. If they know there's a security issue, they'll probably install it in a timely manner, or at least be especially alert for problems. If there isn't a warning, basic user experience, no matter what operating system they use, has proved time and again it's sensible to wait for a while after an update is rolled out to see whether problems emerge in a week or two that weren't immediately obvious.
Insecure locked down devices... (Score:2)
Google should just stop caring about iOS bugs and let Apple learn about them the hard way...
When many fanboys will have been bitten again and again by bugs, Apple's image will be way less the image of a "secure device which never has critical bugs".
Also, IT departments should be able to make serious decisions about the security (or insecurity) of a device before allowing it on the enterprise network... which means having correct bug disclosure...
Apple lovers defend anything (Score:2)
They are now defending that it's ok for Apple to hide from the user that the devices had security problems.
Update notes should include what changed, especially security changes. It doesn't matter that most people would update anyway. The people not updating might read the notes and understand that it is not just to slow their phones down so that they buy a new one (a very common complaint among iPhone users) when in reality there was a legit reason to update.