Apple's latest point update for iOS 15 does not contain patches for three zero-day vulnerabilities that were reported to the company months ago and publicly disclosed last week.
In September, security researcher Denis Tokarev, better known by his pseudonym illusionofcha0s, claimed that Apple ignored multiple reports pertaining to newly discovered zero-day vulnerabilities present in iOS, the company's flagship mobile operating system. Tokarev reported four flaws to Apple between March 10 and May 4, and while one issue was patched in iOS 14.7, the other three remain active in the latest iOS 15.0.1.
By his own admission, the zero-day vulnerabilities that persist are not critical, with one pertaining to a bug that could enable maliciously crafted apps to read users' Apple ID information if somehow allowed onto the App Store.
Still, Apple's handling of the disclosures, reported through the Bug Bounty Program, does not sit well with Tokarev, who penned a blog post in late September detailing his interactions with tech giant's team. According to the researcher, Apple failed to list the security issue it patched in iOS 14.7 and did not add information about the flaw in subsequent security page updates.
"When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," illusionofchaos wrote at the time. "There were three releases since then and they broke their promise each time."
Apple saw Tokarev's blog post and again apologized. The company said its teams were still investigating the three remaining vulnerabilities as of Sept. 27, but Tokarev made the flaws public last week in line with standard vulnerability disclosure protocols.
Ethical hackers have criticized Apple's Bug Bounty Program and the company's general handling of public security researchers, citing a lack of communication, payment issues and other problems. The initiative offers payouts for bugs and exploits.
Earlier this week, researcher Bobby Rauch publicly disclosed an AirTag vulnerability after Apple failed to answer basic questions about the bug and whether Rauch would be credited with the find. The flaw allows attackers to insert code that could redirect good Samaritans to a malicious webpage when the device is scanned in Lost Mode.
14 Comments
Does anyone know if 15.1 Beta has patched these security issues? Maybe Apple is working to fix these in a soon to be 15.1?
The only thing necessary for the triumph of malware is for good companies to say nothing. -- John Stuart Mill, paraphrased.
As far as I understand it, one of them is not actually a bug -- the one where having location permission lets you get extensive WiFi connection data. That is by design, unfortunately. Because you can use WiFi data to extrapolate a user's location, Apple requires you to have (request and be granted) location permission to be able to get detailed WiFi info from the system.