Google created its Project Zero team to improve internet security — including both Google and third-party products — so the fact that its researchers found bugs in Apple’s Safari web browser isn’t particularly surprising. But a new blog post takes aim at Apple’s approach to fixing bugs, including an interesting discovery: Apple quietly changes its security advisories after publication, a practice Project Zero calls “misleading,” as well as potentially dangerous for macOS users.
Much of the new post discusses Google’s use of a publicly available tool to find exploitable bugs in Safari. Project Zero explained that it used the same tool a year ago to locate 17 bugs, and this year found nine more — all of which Apple fixed after being told and prior to the report’s publication.
Unfortunately, the researchers said that most of the latest bugs were in Apple’s WebKit codebase for somewhere between six months and a year before being addressed, though they (and their predecessors) might have survived longer if Google hadn’t reported them. That gives attackers a significant window to formulate working exploits. Project Zero suggested that if Apple had used the same public bug testing tool identified a year ago, the bugs could have been caught before release rather than leaving users vulnerable.
Bugs aside, Project Zero expressed concern about the way Apple addressed the issues with users. To Apple’s partial credit, fixes for the nine bugs arrived together with published security advisories on September 17, 2018, updating iOS 12, Safari, and tvOS 12 roughly three months after the issues were reported. But Apple’s advisories initially didn’t mention the fixes; they were actually disclosed a week after initial publication, when macOS Mojave was released, and Apple quietly went back and changed its earlier advisories.
Project Zero speculates that Apple might have had a reason for doing this — holding back on disclosing vulnerabilities that were yet to be fixed in macOS — but:
[T]his practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released, and the impression they would get is that the product updates fix far fewer vulnerabilities and less severe vulnerabilities than is actually the case.
Furthermore, the practice of not publishing fixes for mobile or desktop operating systems at the same time can put the desktop customers at unnecessary risk, because attackers could reverse-engineer the patches from the mobile updates and develop exploits against desktop products, while the desktop customers would have no way to update and protect themselves.
It would be easy to dismiss Google’s comments as competitive sour grapes — and no surprise given Apple’s needling of its rival over trust and privacy issues — but Project Zero is making fair points. Between security-compromised OS releases and a fair number of Safari issues, bugs and omissions aren’t hard to spot in Apple’s codebases, and some oddly seem to pop up again in later releases after being “fixed.” Better pre-release debugging and greater transparency would go a long way towards addressing issues that have clouded the company over the past year.