
Ian Beer?
Have a....
Ian Beer of Google's Project Zero has followed up on a “coming soon” Twitter teaser with a jailbreakable iOS and Mac OS vulnerability. Beer went public after Apple worked out a fix for the kernel memory corruption bug. He even launched a Twitter account for the occasion: If you're interested in bootstrapping iOS 11 kernel …
Who was it who did the research to find the bug again?
Perhaps if Google spent a bit less time finding bugs in other peoples' software and gloating about it, and more time finding bugs in their own, and then fucking fixing them for the actual users - then people might be a bit less cynical about them.
Perhaps if Google spent a bit less time finding bugs in other peoples' software and gloating about it, and more time finding bugs in their own, and then fucking fixing them for the actual users - then people might be a bit less cynical about them.
I really need more upvotes..
Perhaps if Google spent a bit less time finding bugs in other peoples' software and gloating about it
I don't remember a single Google Zero report that seemed the slightest bit smug. The project is in Google's own interest: lots of employees own and use Apple devices. Its own record on security isn't bad in terms of how quickly it handles and fixes known bugs. We'll have to see how good Treble is at solving the manufacturer and carrier problem.
But Project Zero also serves as PR for Google's other services and for developers. Personally, I'd prefer to work at a company that is prepared to take an active role in security.
Personally, I'd prefer to work at a company that is prepared to take an active role in security.
That's the problem right there! Google stick their noses into / take an active role in, other companies' security.
But when it comes to fixing bugs in Android, suddenly it's somebody else's problem.
Oh Boo Hoo it's the vendors' fault. We can't do anything about it. Oh poor us!
No! You designed the fucking software! You make it work! I can accept that they bought in the design, and hadn't predicted the problem in advance. But they've had a decade to get cracking on sorting this out now. And they've done pretty close to bugger all!
The manufacturers don't want to spend any money on updating their software. But I'll tell you what they want to do even less, and that's write their own phone OS themselves! And seeing as they can't, and even MS couldn't overcome the lack of app support in what was a pretty decent OS - Google have the power to solve this problem relatively easily. Either by fixing the Android update model - or by forcing manufacturers to choose between Google Play Services or not offering updates.
But when it comes to fixing bugs in Android, suddenly it's somebody else's problem.
The state of deploying patches to Android devices is deplorable. But this is not entirely Google's fault. If consumer groups and regulators put enough pressure on manufacturers then patches might miraculously be delivered faster. As far as I know there is something like this working through the Dutch courts.
By providing the updates to AOSP and licences as it does, Google absolves itself of all liability. You can shout all you like but that's the legal situation.
There is perhaps some reputational risk, though I think we'd all acknowledge that most people neither know nor care about security updates going either for the cheapest or shiniest. We'll probably know in a year or two whether Project Treble is an improvement on this.
Personally, I'm not prepared to wait and have been running CyanogenMod or LineageOS* on my phones for years and the ability to do this is one of my criteria when choosing a phone. Yes, I know this isn't for everyone but caveat emptor.
By providing the updates to AOSP and licences as it does, Google absolves itself of all liability. You can shout all you like but that's the legal situation.
Charlie Clark,
True. I'm fully aware that this is the legal situation. But Google are still wankers for this way of behaving, and I'll point it out every time I feel it appropriate. Part of my role in damaging their reputation in the way they deserve.
It's a small effect now, but there's been a change even in El Reg over the last few years. 4 years ago, being rude about Google when they deserved it got you mostly downvotes. But their reputation is slowly getting worse, over their tax policies, updating of Android, abandoning working IoT gear out of greed, creepy data snooping etc. They've still done some great stuff, and I still use some of Google's services - but they don't have the universally sparkly reputation they had 5-10 years ago.
To me they look like late 90s Microsoft. Greedy, arrogant and seemingly all-powerful. But then "Melissa" and "I love You" hit, and MS are still seen by non-techy people as a security disaster-zone. Despite a decade of hard work, heavy spending and some considerable success in cleaning up their act. They're also still seen as a big, evil monopolist - despite having cleaned up their act in that area somewhat too.
Their only win over Google is that I don't think the general public see their tax affairs in the same way as Google's...
Google are one security disaster away from Android being seen as the same insecure mess as XP (last month a million people downloaded the fake WhatsApp from the official Play store because Google were too cheapskate to do their checks properly) - so how long will that take? Maybe never of course. But I suspect it'll happen. And then will the public blame the vendors, or Google? And Google will take all that shit and be unable to fix the issues, as they'll have to get the vendors to push those patches - and it'll take ages.
Oh and I'm not sure I'd buy a Google Pixel, to avoid the whole Android update shit-show. Because Google are also pisspoor at customer service for physical product. Which was fine when buying el-cheapo Nexus devices, but they want top-money for Pixel. But not to give top-service. That may well come back to bite them too.
But Google are still wankers for this way of behaving, and I'll point it out every time I feel it appropriate.
In the context of Project Zero this will just make you sound like a bitter fanboi. More important will be to see how Google handles similar reports and whether it's only paying lip service to security and the project is pure PR. The focus will clearly be on their SaaS and PaaS offerings, as that's where the money is.
Google are one security disaster away from Android being seen as the same insecure mess as XP.
Does look like that from here but I'll guess we'll see.
Various companies (Samsung, Blackberry, etc.) now tout hardened Android so there's obviously a market for it. Conveniently for Google other companies are prepared to take on the liability.
But we need to remember that Apple's own record on vulnerability discovery, disclosure and fixing is lamentable. I don't have an iPhone but I've had a Mac for many years and have got used to the basically piss-poor quality assurance for each release, with things breaking for no good reason and not being fixed within a major version. In this context I, for one, heartily welcome Google's research and with the next breath check what data they're trying to slurp from me.
Charlie Clark,
In the context of Project Zero this will just make you sound like a bitter fanboi.
I don't see why. I'm having a go at Google for doing the easy thing - security research into other people's projects and then sometimes being arses about it. Remember last year when Google disclosed a vulnerability in Windows because MS had got the patch written and tested after the deadline for December patches, and so held it until January? So Google put at risk the security of millions of people by publicly disclosing a bug that was due to be patched in about twenty days' time. That was childish. And clearly suggests that Project Zero is really a marketing attack on its rivals.
It's a lot easier, and cheaper, than to fix the gaping flaw in the whole design of Android. Which is the patching model. If Google had worked harder on this, against the obvious crapness of the vendors, I'd have some sympathy. But until recently they've not seemed to give a damn. And they remain pretty ineffective at fixing it.
Anyway, If I'm a fanboi, it's not of Apple. My favourite phone OS by far is Windows Phone 8 - now sadly dead. Course it would have been better if MS had looked like they cared about it, or had written it a better browser...
I also suspect Apple are dropping the ball on security and quality control. My impression from the outside is that Macs haven't really improved in the last few years and are now no better than Windows 7 or 10 (let's not mention 8). And they deserve less forgiveness for problems, given that in Mac and iOS they completely control the hardware - so testing should be a damn sight easier than they seem to make it. Though my experience of having an iPad is that updates are a lot more reliable than they used to be.
To me they look like late 90s Microsoft. Greedy, arrogant and seemingly all-powerful.
... including either blatant disregard for law (and user rights) for as long as they could get away with it, followed by attempts to buy their way out. Compliance was only ever a last resort.
I have been making that comparison for years, even when Groklaw was still staunchly defending Google because they said they would do no evil. In my opinion, they appear to be following the MS playbook almost to the letter. The only thing I haven't seen is Stack-like "collaboration" and a play like SCO vs Linux to damage competition - I guess Apple is still just a tad too dangerous to take on like that.
It sounds like you are too thick to understand there is a difference between Google, Google devices and android.
Dr Toboggan,
Ah the desperate defence of the man who knows he's lost the argument. The personal attack.
My posts describe how I blame Google for not forcing their vendors to issue updates in a timely manner. If I was feeling ungenerous I might suggest it was because you had trouble understanding the longer words. But I suspect it's more likely from the tone of your trolling that you understand, it's just not a point you have a counter to.
As it happens there's an argument to say this is still Google's fault, even if the vendors couldn't be made to issue updates. Apple manage it. But Microsoft manage it with Windows and also managed it with Windows Phone, on which you got all patches whether manufactured by MS themselves, Nokia, HTC, LG or anyone else.
So how come Google couldn't get a working update mechanism built into Android? Given the experience of the last 20 years of security, it was pretty stupid to not build it in from the start. But even allowing for that, they've had over ten years to get this sorted. And failed.
"Who was it who did the research to find the bug again?"
A rival company with a bug-ridden, piss-poorly designed ecosystem.
Apple - All Devices Patched - Regardless of Carrier. Check
MS (when they did mobile) - All Devices patched regardless of Vendor or Carrier - Check
Google - weeellll, maybe, if you own some of our newish kit you should be OK, and a fairly recent flagship model from another brand, but only when they can be arsed. But hey, we make shit loads of cash from our Play store and slurping your data, so who gives a fuck, eh?
Why would they need to retaliate? He told Apple about the bug, Apple released an iOS update that fixed it, a week later he made the info public. If he was making the exploits public without telling Apple about it I could see where they'd be pissed, but he's helping them out here.
Besides, if you read the sequence of steps here this is a REALLY esoteric and out there bug. He didn't just find a corner case, he had to build the corner first. If this is an example of the amount of work it takes to find a new jailbreak level attack, Apple is closing in on shutting down jailbreaks entirely.
"Beer went public after Apple worked out a fix for the kernel memory corruption bug."
"Worked out" - did he give them time to test it?
Of course, there is then the question of which would be the more damaging - a knee-jerk rush to push out a fix that is potentially under-tested and/or carrying further bugs, or taking the time to make sure that said fix is good but leaving the vulnerability open for a period of time?
But once again, this is Google deciding to dictate the rules with their usual "disguise attacking the competition behind a mask of altruism" approach. And, judging from the comments appearing with increasing frequency on here, the scales are slowly beginning to fall from people's eyes...
"Worked out" - did he give them time to test it?
Well, it appears they followed responsible disclosure here by announcing the problem a while after it was fixed. Not that I disagree with your assessment of the actual aim of the program, but at least this announcement left a reasonable margin between fix and publication.
Doesn't seem to be that critical. In the sense that nobody is going to suddenly break into your phone remotely and make it start tearing up your pocket.
They do say iOS 11.2 fixes it all - but from what I've read, it's a pig's breakfast of an update (though that could just be internet hyperbole)
They do say iOS 11.2 fixes it all - but from what I've read, it's a pig's breakfast of an update (though that could just be internet hyperbole)
Meh. Hooked the phone up to power and let it do its thing. I hesitate to use a cliché but it genuinely just did what it was supposed to do. That said, I'm certain it's just luring me into not making a backup just that once - it is still an IT device :).
It's not much of a bug tbh, more a means to jailbreak the device.
It's not trivial to execute, requires some fairly specialized knowledge and tools, can't be executed remotely and the end result is not a final aim for hackers (they might want to jailbreak the device in order to deploy a more useful attack, but won't simply be looking to jailbreak it as their endgame).
This is kinda useful for security researchers (who like having jailbroken devices for testing purposes) but I wouldn't panic over this.