
Apple fails to patch publicly disclosed zero-day flaws with iOS 15.0.1


Apple's latest point update for iOS 15 does not contain patches for three zero-day vulnerabilities that were reported to the company months ago and publicly disclosed last week.

In September, security researcher Denis Tokarev, better known by his pseudonym illusionofcha0s, claimed that Apple ignored multiple reports pertaining to newly discovered zero-day vulnerabilities present in iOS, the company's flagship mobile operating system. Tokarev reported four flaws to Apple between March 10 and May 4, and while one issue was patched in iOS 14.7, the other three remain active in the latest iOS 15.0.1.

By his own admission, the zero-day vulnerabilities that persist are not critical, with one pertaining to a bug that could enable maliciously crafted apps to read users' Apple ID information if somehow allowed onto the App Store.

Still, Apple's handling of the disclosures, reported through the Bug Bounty Program, does not sit well with Tokarev, who penned a blog post in late September detailing his interactions with the tech giant's team. According to the researcher, Apple failed to list the security issue it patched in iOS 14.7 and did not add information about the flaw in subsequent security page updates.

"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," illusionofchaos wrote at the time. "There were three releases since then and they broke their promise each time."

Apple saw Tokarev's blog post and again apologized. The company said its teams were still investigating the three remaining vulnerabilities as of Sept. 27, but Tokarev made the flaws public last week in line with standard vulnerability disclosure protocols.

Ethical hackers have criticized Apple's Bug Bounty Program and the company's general handling of public security researchers, citing a lack of communication, payment issues and other problems. The initiative offers payouts for bugs and exploits.

Earlier this week, researcher Bobby Rauch publicly disclosed an AirTag vulnerability after Apple failed to answer basic questions about the bug and whether Rauch would be credited with the find. The flaw allows attackers to insert code that could redirect good Samaritans to a malicious webpage when the device is scanned in Lost Mode.



14 Comments

Mork 8 Years · 26 comments

Does anyone know if 15.1 Beta has patched these security issues? Maybe Apple is working to fix these in a soon to be 15.1?

silvergold84 7 Years · 107 comments

Mork said:
Does anyone know if 15.1 Beta has patched these security issues? Maybe Apple is working to fix these in a soon to be 15.1?

Apple creates the most secure products and software. When they are sure about a vulnerability (very rare on Apple devices) they fix it quickly and definitively. They can’t follow media, they have to look at reality.

illusionofchaos 3 Years · 1 comment

the zero-day vulnerabilities that persist are not critical, with one pertaining to a bug that could enable maliciously crafted apps to read users' Apple ID information if somehow allowed onto the App Store. 

That's a bit of an understatement.


- Apple ID email and full name associated with it
- Apple ID authentication token which allows access to at least one of the endpoints on *.apple.com on behalf of the user
- Complete file system read access to the Core Duet database (contains a list of contacts from Mail, SMS, iMessage, 3rd-party messaging apps and metadata about all the user's interactions with these contacts (including timestamps and statistics), also some attachments (like URLs and texts))
- Complete file system read access to the Speed Dial database and the Address Book database including contact pictures and other metadata like creation and modification dates
- The vulnerability allows any user-installed app to determine whether any app is installed on the device given its bundle ID.
- This makes it possible for any qualifying app (e.g. possessing location access authorization) to gain access to Wifi information without the required entitlement.

Read my blog posts for details.

22july2013 11 Years · 3736 comments

The only thing necessary for the triumph of malware is for good companies to say nothing. -- John Stuart Mill, paraphrased.

chadbag 13 Years · 2029 comments

As far as I understand it, one of them is not actually a bug -- the one where having location permission lets you get extensive WiFi connection data. That is by design, unfortunately. Because you can use WiFi data to extrapolate a user's location, Apple requires you to have (request and be granted) location permission to be able to get detailed WiFi info from the system.