Apple fails to patch publicly disclosed zero-day flaws with iOS 15.0.1
Apple's latest point update for iOS 15 does not contain patches for three zero-day vulnerabilities that were reported to the company months ago and publicly disclosed last week.
In September, security researcher Denis Tokarev, better known by his pseudonym illusionofcha0s, claimed that Apple ignored multiple reports pertaining to newly discovered zero-day vulnerabilities present in iOS, the company's flagship mobile operating system. Tokarev reported four flaws to Apple between March 10 and May 4, and while one issue was patched in iOS 14.7, the other three remain active in the latest iOS 15.0.1.
By his own admission, the zero-day vulnerabilities that persist are not critical, with one pertaining to a bug that could enable maliciously crafted apps to read users' Apple ID information if somehow allowed onto the App Store.
Still, Apple's handling of the disclosures, reported through the Bug Bounty Program, does not sit well with Tokarev, who penned a blog post in late September detailing his interactions with the tech giant's team. According to the researcher, Apple failed to list the security issue it patched in iOS 14.7 and did not add information about the flaw in subsequent security page updates.
"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," illusionofchaos wrote at the time. "There were three releases since then and they broke their promise each time."
Apple saw Tokarev's blog post and again apologized. The company said its teams were still investigating the three remaining vulnerabilities as of Sept. 27, but Tokarev made the flaws public last week in line with standard vulnerability disclosure protocols.
Ethical hackers have criticized Apple's Bug Bounty Program and the company's general handling of public security researchers, citing a lack of communication, payment issues and other problems. The initiative offers payouts for bugs and exploits.
Earlier this week, researcher Bobby Rauch publicly disclosed an AirTag vulnerability after Apple failed to answer basic questions about the bug and whether Rauch would be credited with the find. The flaw allows attackers to insert code that could redirect good Samaritans to a malicious webpage when the device is scanned in Lost Mode.
Read on AppleInsider
Comments
Apple could be mitigating this through the App approval process using automated tools, which still has the added effect of not allowing Apps into user devices with this exploit (outside of jailbreaking or direct installs using Xcode or enterprise certificates).
It’s not an easy process, especially when each team already has an existing bug backlog that is competing for attention with the newly submitted bugs. For a large dev team I’m assuming they are doing triage on a nearly continuous basis and have a team of developers/maintainers pulling whatever bug is at the top of each bug fix backlog following a Kanban like process.
With this process in mind, it should not come as a big surprise that some specific bugs, even high visibility ones, don’t immediately pop out the other side on the next release of the software. The good news is that Apple no longer treats software releases as a big ceremonial event and more releases are always in the pipeline. However, I totally sympathize with researchers who are submitting bugs and not seeing their efforts rewarded with recognition and rewards, where appropriate. Apple needs to close the loop and get its act together on their side of this feedback process because it is in the best interests of Apple and Apple’s customers.
Apple's secrecy is really all about the pride of the top management. They like to walk out on stage and proudly announce their new product features to gasps of amazement and delight of their (virtual) audience. Instead they are just confirming the rumors and leaks from the past year. This bruises their precious egos so they take it out on their employees, contractors and third party manufacturers with crippling levels of secrecy which clearly does not work. In fact you could make a strong argument that all the secrecy makes it more likely that some disgruntled oppressed worker will spill the beans.
Here is the actual situation: Apple is well ahead of other companies on chip design and production. It is able to source most of its necessary silicon components and they are better than what the competition can produce. On the other hand, all other components of the iPhone are about the same or inferior to phones made by other companies. This includes the screen, camera and battery. The connector is now at least five or six years out of date compared to USB C. The screen has a notch at the top rather than a small hole or behind the screen cameras now starting to appear in some phones. The screen does not wrap around the edges of the phone as it does on Samsung and other phones. The camera does not have a massive zoom feature like the current Samsung phones which can photograph the mountains of the moon. None of these advantages or disadvantages have to do with secrecy.
FaceID notch is bigger because they eliminated the chin and forehead while maintaining face authentication, whereas the others still have a chin, don’t have good face id, etc. Notch is complete non-issue for actual people who actually have an iPhone.
Screens wrapping around the edges is a silly gimmick. You can keep it!
Samsung’s 30x Space Zoom is based on 3x optical zoom plus digital zoom. iPhone 13 is also 3x optical.
Secrecy is fine. No company is lining up to tell their secrets. And as the market leader, Apple has more to lose by tipping off the knockoffs.
TLDR: yet another armchair CEO running an imaginary company in his head, whereas Apple is running the most successful public firm in history.