From the statement:
Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.
A blog is a collection of blog posts.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
In the first couple of years of the iPhone’s availability, users simply needed to tap a link on a webpage to jailbreak their device. Even though it was an elegant solution, there was still a nagging feeling that this mechanism could be easily abused.
As far as I know, nobody has yet published a list of the websites affected, but I imagine they’re highly targeted. That is, even though anyone could have accessed them, that doesn’t mean every iPhone user is equally vulnerable or a likely victim.
Update: Ryan Mac of Buzzfeed News reports that this attack campaign originated in China. Apple and Google have so far skirted that aspect of the story.
Update: Michael Tsai thoughtfully disputes Apple’s downplaying. Regardless of scale, I think Bruce Schneier explained very well the way in which these findings change how we think about zero-day vulnerabilities.