
About the security content of Security Update 2018-001 - mafro
https://support.apple.com/en-au/HT208742
======
CognitiveLens
For anyone unfamiliar with Project Zero, it's a team at Google dedicated to
finding security vulnerabilities across the internet (and in software in
general, it seems)

[https://security.googleblog.com/2014/07/announcing-
project-z...](https://security.googleblog.com/2014/07/announcing-project-
zero.html)

~~~
ehsankia
Some high profile exploits they either discovered or played a big role in:

\- SHAttered(?)

\- Row hammer

\- Cloudbleed

\- Lastpass exploit

\- Meltdown & Spectre

~~~
0xFFFF0000
Would be good to also highlight the other finders of some of these issues, but
this view shows that Google Project Zero is a well executed PR machine taking
away the focus of other security researchers. The title of this thread is
similarly misleading.

~~~
ehsankia
To be clear, I state that "they played a role in", implying that there were
other people too.

------
lawguy
Here are the details on Project Zero's tracker:
[https://bugs.chromium.org/p/project-
zero/issues/detail?id=15...](https://bugs.chromium.org/p/project-
zero/issues/detail?id=1529)

------
epistasis
Google's PR machine strikes again, robbing Tencent of their due.

~~~
0xFFFF0000
Exactly what I thought. Project Zero allows Google to segway away from their
Android ecosystem mess they left beyind and (even relatively benign findings
at times - there was a Defense in Depth issue in Windows recently I remember
that got an article) get a lot of media attention, and other researches are
ignored. Shows that Google's PR works really well. I first noticed that during
Meltdown/Spectre where most of the heavy lifting was done by university
students somewhere in Europe, but they nowhere got as much attention as
Google. Sad.

------
kerng
What about Tencent? Very misleading title.

------
mafro
Guys seriously.. Nobody is going to read a link titled "About the security
content of Security Update 2018-001".

People need some kind of pointer about _why_ they might want to read a
security update statement.

Granted the original title should have included Tencent's name too.

------
threeseed
What is with this title ? It's a result of two CVEs.

~~~
awat
In the support article Apple is crediting one of the CVEs “CVE-2018-4206: Ian
Beer of Google Project Zero”

~~~
PakG1
Title could still be better than it is, I think. Original title is much
better. Things like attribution can be done fine in the comments if that's not
in the title.

Furthermore, Project Zero was involved in only one of the CVEs anyway then.
Why not put the other credit in the title too? CVE-2018-4187: Zhiyang Zeng
(@Wester) of Tencent Security Platform Department, Roman Mueller (@faker_)

~~~
rurban
Correct. And I would rather emphasise Tencent more. They did amazing security
work in recent years, to me more impressive work than Google zero.

