I'm honestly appalled at the number of comments in this thread trying to lambast Project Zero for the good work they do in improving software security. Even if Google specifically started and ran Project Zero to target competitors' products (which they didn't, and they don't; there are over 100 bugs found by P0 in Google products), it wouldn't matter, because the effect would still be that the online world is a safer place with more secure software.<p>Of all places, I thought Hacker News would have a community which understands the critical importance of security research and the fact that fixing software security bugs is a net benefit to everyone, every time, all the time.
It seems like people's hatred for Google is leaking over into how they think vulnerability disclosures should happen.<p>Reading through the comments is disorientating: people are angry that researchers are... <i>gasp</i>... researching vulnerabilities. It's not some faceless Google Incarnate monstrosity; they are paid researchers (humans, too!). If it were Cure53 that did this, for free, and made the exact same announcement, no one would bat an eye.<p>Good on <i>whatever</i> company does vulnerability research, follows established protocols in disclosure, and makes the world a safer place.
>We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability<p>Wonder how this happened? Rushed patch, or perhaps they only tested against a submitted PoC? Only a week left until the DEF CON talk. Still listed as "fixed" in Apple's release here:
<a href="https://support.apple.com/en-us/HT210346" rel="nofollow">https://support.apple.com/en-us/HT210346</a>
Is this why Apple also quietly released updates for older devices as iOS 9.3.6 and 10.3.4? IIRC Apple has only patched EOL'd iOS releases once before, in 6.1.6 for the SSL "goto fail" bug?
I wonder what kind of infrastructure they had set up to find these vulnerabilities and extract names of classes and methods. Do they jailbreak iPhones and run fuzzers directly on the device? Do they analyze IPSWs directly?<p>Edit: <i>and explains how to set up tooling to test these components.</i> I'll wait for the BlackHat slides.
Glad to see tech companies holding each other accountable. I hope the white hat hacking between these folks continues. The more vulnerabilities found, the safer our data will be.
TBH, while I think the iMessage service is invaluable, the app itself is often buggy for me. On OS X, it often hangs w/ the spinning beach ball when attempting text input, the iCloud sync can be spotty, and, the cardinal sin, on my iPhone X there are inexcusable screen draw bugs w/ orientation rotation or w/ the keyboard popping up to type... so I am not entirely surprised. It is an app in need of a good overall bug hunt.
The recent barrage of security bugs in iOS makes me wonder if Apple has been more lenient on their security posture in recent times.<p>It also shows that Google Project Zero is very successful in marketing their work. There are several other players reporting security bugs in iOS regularly, I see Tencent KeenLab, Pangu, Checkpoint, GaTech SSLab in the last two releases to name a few, but very few have achieved similar recognition as GPZ.
Hard to tell what's really going on here from this article, although it seems like five vulnerabilities were fixed and one remains (and Google is being unusually patient about the sixth issue).<p>One thing I've always struggled with is the strategy of these white hat teams. I'm sure Google Zero spends a lot of time on Apple because Apple is an enormous company, large partner, and competitor in some spaces.<p>So now I wonder: does the release of vulnerabilities ever get affected by business agenda?<p>I assume it has to, although I'm not sure of the agenda here. In this case, iMessage is in direct competition with a Google SMS protocol (although Google's hasn't gained much traction). Maybe the vuln is less impressive than saying, "there's one more"?
Project Zero works for the manufacturer of the largest data exfiltration vector in human history and doesn't seem to be making meaningful progress on fixing that.<p>All their bug reports come with a bad taste in my mouth.
Project Zero has always been disguised marketing, and IMHO an extremely nasty form of it. I have no doubt they plan coordinated releases like this on a regular basis.<p>(These downvotes are confusing. Do you disagree that it is marketing? That their approach is brutal? That they plan this regularly?)