If it was so trivial, why didn't anyone find it before? The source is open. PZ only found it after finding these sites exploiting it. Unused code is not uncommon.
The point is, all software has bugs; but there's no way Google can know what "QA" iOS goes through, and to pretend it's nothing is ridiculous. There's plenty of examples out there of code being reviewed by several super clever people, and yet they miss something. Trying to work backwards from a bug without the context of actually working in the team that wrote the code never works.
> Unused code is not uncommon. The point is, all software has bugs; but there's no way Google can know what QA iOS goes through, and to pretend it's nothing is ridiculous.
It isn't uncommon, but it is clear that the code was not QA'd, for the reasons given in the article: trying to call this method would instantly panic the kernel (which is easy to triage; you don't even have to have much knowledge of the iOS QA process to guess that).
> No; as the first sentence states, Project Zero found this independently:
Oops, my bad, I had in my head the opening of the first post talking about how they had come across the sites using these exploits.
I think we agree that this piece of code was not well tested. Where I think I set my expectations of Apple lower is that this code was never used, essentially forgotten about and that I've literally done this myself. And I simply don't believe you can tell simply from a bug whether "QA" happened or not.
Why I give the benefit of doubt to Apple here is that it's not in something that is called every day in normal devices. It's not in part of the OS that sees constant use. If this error occurred (and yes I'm aware that the end result is the same) in say the network stack or media stack, then I'd start having my doubts, since they regularly process untrusted data, and Apple should have proactively checked, just like Android now does with Stagefright. But this was in an essentially undeclared API that was never even used by Apple themselves. I think this was more a fuck up rather than not doing their jobs.
As a side note, whilst I do have an iPhone, my 2015 MacBook runs Linux and I generally don't consider myself an "Apple fanboy".