Apple fails to patch publicly disclosed zero-day flaws with iOS 15.0.1

Posted in iOS, edited October 2021
Apple's latest point update for iOS 15 does not contain patches for three zero-day vulnerabilities that were reported to the company months ago and publicly disclosed last week.

[Image: iPhone 13 mini]

In September, security researcher Denis Tokarev, better known by his pseudonym illusionofchaos, claimed that Apple ignored multiple reports of newly discovered zero-day vulnerabilities in iOS, the company's flagship mobile operating system. Tokarev reported four flaws to Apple between March 10 and May 4. One was patched in iOS 14.7; the other three remain unpatched in the latest release, iOS 15.0.1.

By his own admission, the three unpatched vulnerabilities are not critical. One, for example, would let a maliciously crafted app read the user's Apple ID information, but only if that app first made it through App Review onto the App Store.

Still, Apple's handling of the disclosures, which were submitted through its Bug Bounty Program, does not sit well with Tokarev, who penned a blog post in late September detailing his interactions with the tech giant's security team. According to the researcher, Apple failed to list the issue it patched in iOS 14.7 on that release's security content page, and did not add it to the security pages of subsequent updates either.

"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," illusionofchaos wrote at the time. "There were three releases since then and they broke their promise each time."

Apple saw Tokarev's blog post and again apologized. The company said its teams were still investigating the three remaining vulnerabilities as of Sept. 27, but Tokarev made the flaws public last week in line with standard vulnerability disclosure protocols.

Ethical hackers have criticized Apple's Bug Bounty Program and the company's general handling of public security researchers, citing a lack of communication, payment issues and other problems. The initiative offers payouts for bugs and exploits.

Earlier this week, researcher Bobby Rauch publicly disclosed an AirTag vulnerability after Apple failed to answer basic questions about the bug, including whether Rauch would be credited with the find. The flaw lets an attacker plant code in the contact information that the AirTag's Lost Mode page displays, so that a good Samaritan who scans the device can be redirected to a malicious webpage.
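The AirTag issue above is an instance of a familiar web-client bug: a field the device owner controls (the contact details shown to whoever finds the tag) is written into a page that strangers load in their browsers. The following is an added illustration of that bug class and its fix, written for this page; it is not Apple's code, not Rauch's proof of concept, and the page layout, the phone-number format check and the sample payload are all assumptions constructed for the example.

```javascript
// Added example (not Apple's code): a "Lost Mode"-style page renders a
// finder-facing contact number supplied by the item's owner. If that
// string is concatenated into HTML, owner-supplied markup executes in the
// finder's browser. Compare an unsafe render with a validated, escaped one.

// Assumption: the contact field is expected to be an E.164-style phone number.
const E164 = /^\+?[1-9]\d{6,14}$/;

function isValidPhone(s) {
  return E164.test(String(s));
}

// Minimal HTML escaping for text placed inside an element's body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the owner-controlled string goes straight into the markup.
function renderUnsafe(phone) {
  return `<p>Call <b>${phone}</b> to return this item.</p>`;
}

// Safe: reject anything that is not a phone number, and escape it anyway so
// the output stays inert even if the validator is relaxed later.
function renderSafe(phone) {
  if (!isValidPhone(phone)) {
    throw new Error('contact field is not a phone number');
  }
  return `<p>Call <b>${escapeHtml(phone)}</b> to return this item.</p>`;
}

// Detection helper: does the rendered fragment open or close any element
// other than the <p> and <b> the template itself emits?
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][\w-]*/g) || [];
  const allowed = new Set(['<p', '</p', '<b', '</b']);
  return tags.some((t) => !allowed.has(t));
}

// Constructed payload (not a real report): a redirect in place of a number.
const PAYLOAD = "<script>location='https://example.invalid/phish'</script>";

// Stand-alone demonstration.
console.log(containsInjectedMarkup(renderUnsafe(PAYLOAD)));   // true: markup leaked through
console.log(containsInjectedMarkup(renderSafe('+14155551234'))); // false
try {
  renderSafe(PAYLOAD);
} catch (e) {
  console.log('rejected:', e.message);
}
```

The point of keeping both the validator and the escaper is defence in depth: the validator stops the payload at the write path, and the escaper guarantees that whatever does reach the template is rendered as text rather than interpreted as HTML.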


Comments

  • Reply 1 of 14
    Mork (Posts: 22, member)
    Does anyone know if 15.1 Beta has patched these security issues? Maybe Apple is working to fix these in a soon to be 15.1?
  • Reply 2 of 14
    silvergold84 (Posts: 107, unconfirmed member)
    Mork said:
    Does anyone know if 15.1 Beta has patched these security issues? Maybe Apple is working to fix these in a soon to be 15.1?
    Apple creates the most secure products and software. When they are sure about a vulnerability (very rare on Apple devices) they fix it quickly and definitively. They can't follow the media, they have to look at reality.
  • Reply 3 of 14
    The article said:
    the zero-day vulnerabilities that persist are not critical, with one pertaining to a bug that could enable maliciously crafted apps to read users' Apple ID information if somehow allowed onto the App Store.
    That's a bit of an understatement.

    - Apple ID email and full name associated with it
    - Apple ID authentication token which allows access to at least one of the endpoints on *.apple.com on behalf of the user
    - Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all of the user's interactions with these contacts (including timestamps and statistics), also some attachments (like URLs and texts))
    - Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates
    - The vulnerability allows any user-installed app to determine whether any app is installed on the device given its bundle ID.
    - This makes it possible for any qualifying app (e.g. possessing location access authorization) to gain access to Wifi information without the required entitlement.

    Read my blog posts for details.
  • Reply 4 of 14
    22july2013 (Posts: 3,564, member)
    The only thing necessary for the triumph of malware is for good companies to say nothing. -- John Stuart Mill, paraphrased.
  • Reply 5 of 14
    chadbag (Posts: 1,999, member)
    As far as I understand it, one of them is not actually a bug -- the one where having location permission lets you get extensive WiFi connection data. That is by design, unfortunately. Because you can use WiFi data to extrapolate a user's location, Apple requires you to have (request and be granted) location permission to be able to get detailed WiFi info from the system.
  • Reply 6 of 14
    “Failed to patch” doesn’t mean “failed to deal with”.

    Apple could be mitigating this through the App approval process using automated tools, which still has the added effect of not allowing Apps into user devices with this exploit (outside of jailbreaking or direct installs using Xcode or enterprise certificates).
  • Reply 7 of 14
    Is it not possible Apple already knew about it and was working on a complicated, difficult fix?
    (edited October 2021)
  • Reply 8 of 14
    dewme (Posts: 5,334, member)
    I know firsthand that people submitting bug reports sometimes assume that their bug is the #1 priority. But when you have 1000 people submitting new bugs and they are all flagged as a #1 priority, the software team has to go through the full list and reprioritize (triage) everything using some sort of multifaceted criteria. Apple obviously has a bug triage process and performs some sort of impact assessment to decide which team owns the bugs, which bugs get fixed, in what order they get fixed, and when they get fixed.

    It’s not an easy process, especially when each team already has an existing bug backlog that is competing for attention with the newly submitted bugs. For a large dev team I’m assuming they are doing triage on a nearly continuous basis and have a team of developers/maintainers pulling whatever bug is at the top of each bug fix backlog following a Kanban like process. 

    With this process in mind, it should not come as a big surprise that some specific bugs, even high visibility ones, don't immediately pop out the other side on the next release of the software. The good news is that Apple no longer treats software releases as a big ceremonial event and more releases are always in the pipeline. However, I totally sympathize with researchers who are submitting bugs and not seeing their efforts rewarded with recognition and rewards, where appropriate. Apple needs to close the loop and get its act together on their side of this feedback process because it is in the best interests of Apple and Apple's customers.
  • Reply 9 of 14
    Apple's bug bounty program and security fix disclosures are fundamentally incompatible with the company's insane corporate secrecy. Apple's secrecy is born of the wrong idea that keeping everything secret will somehow allow it to outcompete other companies. People don't buy Apple's products because they did or did not keep something secret. They buy Apple's products because they trust the company to make great products, to keep their private information private and to treat them with respect. If another company releases a phone with similar, even better features than an iPhone, people still buy iPhones because they simply like them more.

    Apple's secrecy is really all about the pride of the top management. They like to walk out on stage and proudly announce their new product features to gasps of amazement and delight of their (virtual) audience. Instead they are just confirming the rumors and leaks from the past year. This bruises their precious egos so they take it out on their employees, contractors and third party manufacturers with crippling levels of secrecy which clearly does not work. In fact you could make a strong argument that all the secrecy makes it more likely that some disgruntled oppressed worker will spill the beans.

    Here is the actual situation: Apple is well ahead of other companies on chip design and production. It is able to source most of its necessary silicon components and they are better than what the competition can produce. On the other hand, all other components of the iPhone are about the same or inferior to phones made by other companies. This includes the screen, camera and battery. The connector is now at least five or six years out of date compared to USB C. The screen has a notch at the top rather than a small hole or behind the screen cameras now starting to appear in some phones. The screen does not wrap around the edges of the phone as it does on Samsung and other phones. The camera does not have a massive zoom feature like the current Samsung phones which can photograph the mountains of the moon. None of these advantages or disadvantages have to do with secrecy.
  • Reply 10 of 14
    I don’t want screens wrapped around the edges. My two cents to this point only. 
    Quoting Reply 9 in full (see above).
  • Reply 11 of 14
    StrangeDays (Posts: 12,834, member)
    Quoting Reply 3 in full (see above), ending "Read my blog posts for details."
    Read one. Your posts would be better if you self-edited more — cut out all your sour grapes whining about your lame Hobo Simulator game, and your patently false claims that Apple is a monopoly without competitors (which you claim are web apps, when of course the real competitors are other mobile platforms).
  • Reply 12 of 14
    StrangeDays (Posts: 12,834, member)
    Quoting Reply 9 in full (see above).
    Incorrect. The screen on iPhone Pro is not same or inferior; it’s a custom designed and contract manufactured OLED without the cartoon colors of cheaper ones. 

    FaceID notch is bigger because they eliminated the chin and forehead while maintaining face authentication, whereas the others still have a chin, don’t have good face id, etc. Notch is complete non-issue for actual people who actually have an iPhone. 

    Screens wrapping around the edges is a silly gimmick. You can keep it!

    Samsung’s 30x Space Zoom is based on 3x optical zoom plus digital zoom. iPhone 13 is also 3x optical.

    Secrecy is fine. No company is lining up to tell their secrets. And as the market leader, Apple has more to lose by tipping off the knockoffs.

    TLDR: yet another armchair CEO running an imaginary company in his head, whereas Apple is running the most successful public firm in history.



    (edited October 2021)
  • Reply 13 of 14
    welshdog (Posts: 1,897, member)
    I do feel that Apple being Apple and all giant and dominant and stuff, that they could in general do a much better job of making all their software work better. Siri is kind of useful, but just barely. I find that the interaction between my phone and HomePods is just a bit weird and confusing now, what with all the various ways to connect the devices. HomeKit is also nice, but needs to be more reliable and have a few more settings to help users fine tune the experience. macOS day in and day out works for me and always has, but it is not without little bugs and hiccups. iOS is, of course, a huge target for hacking as this article suggests. Apple might want to throw some more money and bodies at the problem. With more than a billion users, shouldn't they have a rather huge team devoted to finding and patching vulnerabilities? Maybe they do and we just can't see it. They definitely should work out the issues with the bug bounty program and get that working smoothly.