Security researchers have a culture of being both overly paranoid and sticking to just the facts and not actively trying to minimize.

It seems Apple doesn't want them to say "here are the exploits we found, and we found them on X websites, and estimate a few thousand visits per week", they appear to want them to say: "Only the Uighurs really need to worry. And by the way, it wasn't just us! They were going after Uighurs on Windows and Android too!"

Even if PZ added the "context" they seem to want, "just the Uighurs!", or "other platforms were attacked too", in what way does that actually diminish the fact that multiple 0-days with remote code execution on multiple OS versions were in the wild?

The fact that we have one case where a single geographic group was targeted does not mean that these exploits weren't being used elsewhere. Imagine there's a Windows 0-day and you're an IT admin, but the advisory says only Ukrainians were targeted by Russia. Does that mean you shouldn't go back and look at your logs to see if you've been exploited, rotate credentials, install new countermeasures, etc.?

Shouldn't iPhone users be encouraged to rotate passwords on non-2FA sites after a reboot for example? To me, Apple's response looks like damage control.

And why doesn't Apple have their own Project Zero that publishes deep dives on iOS/OSX vulnerabilities and would allow the press to have more context and not fly off the handle? Wouldn't it help to engender their development community and security researchers to be more active, by educating them on how these vulnerabilities typically work and how they're discovered, so more people can learn to spot them? It would make the claim "we already knew about these and were fixing them before other people discovered them" look better.
