Google calls on Apple: Stop secretly modifying user security recommendations


Figure 1: Google AMP pages displayed in Google Search on Safari on iOS.

Recently, Google created its own Project Zero team to improve Internet security, covering both Google's and third-party products. Within Google the team is even called the "super hacker team," and in the wider Internet world a "lone hero." So it is not particularly surprising that researchers from the team found vulnerabilities in Apple's Safari browser. According to VentureBeat, on Thursday Project Zero published a new blog post that mainly discusses how Apple fixed those vulnerabilities. The post also describes an interesting discovery: Apple quietly changed its security advisory after the fact. Project Zero called this "misleading" and potentially dangerous for macOS users.

Much of the new post describes how Google used a publicly available tool to find exploitable vulnerabilities in Safari. Project Zero explains that it found 17 vulnerabilities with the same tool a year ago and nine more this year, all of which Apple fixed after being notified and before the post was published.

Unfortunately, the researchers said that most of the newly discovered bugs sit in Apple's WebKit code base and have been present for roughly six months to a year; without Google's reports, these bugs (and the previously discovered ones) might have survived even longer. That is a significant attack window. Project Zero suggests that if Apple had used the same public bug-hunting tools, these vulnerabilities could have been found before they were reported, rather than leaving users exposed for that period.

Bugs aside, Project Zero is concerned about how Apple communicated the fixes to users. To Apple's credit, the company fixed the nine vulnerabilities on September 17, 2018, and released a security advisory at the same time. Three months after the vulnerabilities were exposed, Apple updated iOS 12, Safari, and tvOS 12. But Apple's security advisory did not initially mention these fixes; in fact, Apple quietly changed its original security advisory a week after the issues were announced.

Project Zero speculates that Apple may have had a reason for doing this, perhaps a reluctance to disclose vulnerabilities that were still unpatched in macOS. At the same time, Project Zero stated in its blog post:

"This practice is misleading because users who are interested in Apple's security advisories are likely to read them only once, and when the advisory is first released, users get the impression that the product updates fix fewer and less severe flaws and vulnerabilities. In fact, the number of vulnerabilities fixed by the updates is much larger and more severe.

Additionally, Apple did not release fixes for both mobile and desktop operating systems at the same time, which could have put desktop users at unnecessary risk because attackers could reverse engineer patches in mobile updates to attack desktop users."

Some might think Google's comments are sour grapes from a competitor, since Apple has also challenged its rivals on user trust and privacy. But Project Zero's point is fair. Apple has been plagued by security issues, from compromised operating system releases to a series of browser flaws. It is not hard to find vulnerabilities in Apple's code base, and some odd problems reappear in "fixed" versions. Better pre-release testing and more transparency could help Apple address the problems that have dogged the company over the past year.
