• What did Google's project zero really say about Apple never testing much of their iOS code?

    From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 11:34:16 2025
    From Newsgroup: comp.sys.mac.advocacy

    Chris said:
    Zero-day exploitation rates do not show iOS as "way more secure." Google
    Project Zero's annual reports show that Apple repeatedly ships code that
    has never been fuzzed or tested with modern techniques.

    Cite required.

    Saying "cite required" to facts you've been provided many times already
    is not a serious response here, Chris. It's not expected of adults.

    This has been linked to in this newsgroup multiple times already, and it is
    not some fringe blog post, it is Google Project Zero's own reporting.

    Entire threads on this newsgroup have been devoted to Google's facts.
    For you to outright deny all Google's facts is not what adults should do.

    Relevant cites are Google Project Zero's yearly writeups on 0-days
    exploited in the wild, where you can see some of that in this overview.
    "0day In-The-Wild Exploitation in 2021" by Maddie Stone, Project Zero <https://projectzero.google/2022/04/the-more-you-know-more-you-know-you.html>

    But I'll quote others even though all of these have been discussed here.
    So for you to remain ignorant of them makes it impossible to carry on an
    adult conversation with you if you refuse to read any cites and yet you
    deny that the cites which you refused to read exist.

    That's not acting like an adult, Chris.
    Sorry. It's just not.

    You need to be able to carry on an adult conversation, Chris.
    If you want to be treated as an adult.

    You can't just deny all cites you haven't read.
    You have to read them first, Chris.

    Then you can tell us what you think of them.

    In that report, Project Zero explicitly calls out that multiple iOS
    vulnerabilities which were exploited in the wild were in code that had
    never been subjected to modern testing techniques such as coverage-guided
    fuzzing. They make the point that these bugs were "not technically
    sophisticated" and should have been caught by basic, systematic testing
    before shipping, but were not. Apple is named explicitly in that context as
    a vendor shipping code that had never been fuzzed or properly tested,
    despite being widely deployed in security-critical paths.

    You do not have to take my word for it. Read the report yourself. The
    whole point of those "year in review" posts is to look at how 0-day
    exploitation happens in practice, and what it says about vendors' secure
    development and testing processes.

    So to restate the original claim in precise terms:

    Project Zero's own data and analysis show that multiple in-the-wild iOS
    0-days were in code that had never been fuzzed or subjected to basic
    modern testing, which directly contradicts the idea that Apple is
    consistently doing a clearly superior job of secure development compared
    to everyone else.

    If you want to argue that iOS is "way more secure," you need to engage
    with that actual evidence, not just demand a fresh "cite" every time the
    same report is mentioned. You ignoring facts does not make them go away.
    --
    I'm different than most posters here, not only because I'm extremely
    well informed & well educated, but because I can understand complexity.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 11:42:55 2025
    From Newsgroup: comp.sys.mac.advocacy

    Marian wrote:
    Relevant cites are Google Project Zero's yearly writeups on 0-days
    exploited in the wild, where you can see some of that in this overview.
    "0day In-The-Wild Exploitation in 2021" by Maddie Stone, Project Zero <https://projectzero.google/2022/04/the-more-you-know-more-you-know-you.html>

    But I'll quote others even though all of these have been discussed here.

    The Project Zero statement about Apple shipping code that had never been
    fuzzed comes from their root-cause analysis of iOS WebKit vulnerabilities.

    This source has been cited MANY TIMES in this newsgroup, so it's not the
    adult thing to do if people on this newsgroup claim it's not a fact
    simply because they may refuse to click and read and understand what
    Google found.

    One relevant source is Google Project Zero
    *Root Cause Analysis: WebKit 0-days*
    <https://googleprojectzero.github.io/0days-in-the-wild/rca/webkit.html>

    In that analysis, Project Zero explains that:

    Many WebKit bugs exploited in the wild were "trivially discoverable" by
    modern fuzzers.

    The vulnerable code paths had never been subjected to coverage-guided
    fuzzing.

    Apple was repeatedly shipping WebKit code that would have been caught by
    standard fuzzing techniques used by other vendors.

    The exploited iOS WebKit bugs were in code that would have been found by
    basic fuzzing, but Apple had not applied those techniques to that code.

    This is just one of many citations we've referred to when we say Project
    Zero found that Apple shipped unfuzzed code.
    --
    Part of being an adult is acting like an adult, where simply claiming all
    facts we're ignorant of can't possibly exist is not what adults should do.
  • From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 11:47:17 2025
    From Newsgroup: comp.sys.mac.advocacy

    Marian wrote:
    One relevant source is Google Project Zero
    *Root Cause Analysis: WebKit 0-days*
    <https://googleprojectzero.github.io/0days-in-the-wild/rca/webkit.html>

    Here are a few of the specific Project Zero statements explaining what
    Google really said about Apple never having tested much of the iOS code.

    In the Project Zero root cause analysis of WebKit 0-days exploited in the
    wild, they explain that many of the iOS WebKit vulnerabilities were:
    a. trivially discoverable by modern fuzzers
    b. reachable through shallow code paths
    which is evidence that the affected iOS code had not been subjected to
    systematic fuzz testing before shipping.

    Clearly these are the kind of bugs that would have been found quickly by
    coverage-guided fuzzing (which Apple clearly has not done on iOS code).

    The relevant page is:
    <https://googleprojectzero.github.io/0days-in-the-wild/rca/webkit.html>

    Google's Project Zero technical conclusion is unambiguous in that the
    exploited WebKit bugs were the type that standard fuzzing would have
    caught, and the presence of these bugs in production strongly implies that
    the iOS code had never been fuzzed nor tested with modern techniques.
  • From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 11:51:47 2025
    From Newsgroup: comp.sys.mac.advocacy

    Marian wrote:
    The relevant page is:
    <https://googleprojectzero.github.io/0days-in-the-wild/rca/webkit.html>

    Google's Project Zero technical conclusion is unambiguous in that the
    exploited WebKit bugs were the type that standard fuzzing would have
    caught, and the presence of these bugs in production strongly implies that
    the iOS code had never been fuzzed nor tested with modern techniques.

    This CyberScoop article summarizes Project Zero's technical findings about
    a specific class of iOS/WebKit vulnerabilities which were exploited.
    <https://cyberscoop.com/iphone-hack-google-project-zero/>

    The underlying research showed that:
    a. Several iOS 0-day bugs exploited in the wild were
    simple memory-safety bugs.
    b. These bugs were shallow, easy to reach, and exactly
    the kind of issues that modern fuzzers catch quickly.

    The fact that these bugs survived into production strongly implies that
    the affected code had never been fuzzed nor systematically tested with
    modern techniques.
  • From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 11:57:55 2025
    From Newsgroup: comp.sys.mac.advocacy

    Marian wrote:
    The fact that these bugs survived into production strongly implies that
    the affected code had never been fuzzed nor systematically tested with
    modern techniques.

    Chris, those were the same references you've been given many times.

    For you to claim "cite please" when you've been given them many times,
    is not conducive to an adult discussion of what Google said about iOS.

    It's not what adults (should) do.

    Those are just some of the actual references you've been provided.
    These are not opinions, and they are not blog gossip.

    They are Google Project Zero's own technical analyses of iOS 0-days
    exploited in the wild.

    Project Zero, "A Very Deep Dive Into iOS Exploit Chains Found in the Wild"
    <https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html>

    This report shows that multiple iOS exploit chains worked across
    many iOS versions because the vulnerable code had never been subjected
    to systematic testing. The bugs were simple logic and memory-safety
    errors that persisted for years. Project Zero notes that these bugs
    were shallow, easy to reach, and exactly the kind of issues that
    modern fuzzing and automated testing would have caught early.

    Project Zero, "Root Cause Analysis: WebKit 0-days"
    <https://googleprojectzero.github.io/0days-in-the-wild/rca/webkit.html>

    This analysis explains that many WebKit vulnerabilities exploited
    in the wild were trivially discoverable by modern coverage-guided
    fuzzers. Project Zero states that the presence of these bugs in
    production strongly suggests that the affected WebKit components
    had not been fuzzed or tested with modern techniques before shipping.

    CyberScoop summary of the Project Zero findings
    <https://cyberscoop.com/iphone-hack-google-project-zero/>

    This article summarizes the Project Zero conclusion that Apple
    shipped large portions of iOS code that had never been subjected
    to modern security testing. It is a secondary source, but it
    accurately reflects the technical findings in the two Project
    Zero reports above.

    The accurate summary statement is:
    Project Zero demonstrated that multiple iOS components, including
    WebKit, contained simple, shallow, trivially fuzzable bugs that
    survived across many iOS releases. The only reasonable technical
    conclusion is that these parts of iOS had never been fuzzed or
    systematically tested with modern techniques before being shipped.
    --
    If all people do is deny the facts, and require the facts to be cited
    over and over again, and yet they don't read them, but still deny them,
    then no adult conversation will be possible with those kinds of people.