
Apple and Google's Incomplete Disclosures Leave 0-Day Hunters in the Dark
Incomplete disclosures by Apple and Google about critical zero-day vulnerabilities have created a "huge blindspot" that is leaving many offerings from other developers unpatched. Researchers have found evidence suggesting that the vulnerabilities the two companies reported are likely one and the same, stemming from a bug in libwebp. However, instead of the common origin being coordinated and accurately reported, separate CVE designations were used. As a result, millions of applications remain vulnerable, and automated vulnerability scanners fail to detect the critical vulnerability. Google has faced criticism for limiting the scope of the vulnerability and for not mentioning the widely used libwebp library.