
posted by Fnord666 on Sunday September 26 2021, @10:21PM

Three iOS 0-days revealed by researcher frustrated with Apple's bug bounty:

Yesterday, a security researcher who goes by illusionofchaos dropped public notice of three zero-day vulnerabilities in Apple's iOS mobile operating system. The vulnerability disclosures are mixed in with the researcher's frustration with Apple's Security Bounty program, which illusionofchaos says chose to cover up an earlier-reported bug without giving them credit.

[...] illusionofchaos says that they've reported four iOS security vulnerabilities this year—the three zero-days they publicly disclosed yesterday plus an earlier bug that they say Apple fixed in iOS 14.7. It appears that their frustration largely comes from how Apple handled that first, now-fixed bug in analyticsd.

[...] According to illusionofchaos, they sent Apple the first detailed report of this bug on April 29. Although Apple responded the next day, it did not respond to illusionofchaos again until June 3, when it said it planned to address the issue in iOS 14.7. On July 19, Apple did indeed fix the bug with iOS 14.7, but the security content list for iOS 14.7 acknowledged neither the researcher nor the vulnerability.

Apple told illusionofchaos that its failure to disclose the vulnerability and credit them was just a "processing issue" and that proper notice would be given in "an upcoming update." The vulnerability and its resolution still were not acknowledged as of iOS 14.8 on September 13 or iOS 15.0 on September 20.

Frustration with this failure of Apple to live up to its own promises led illusionofchaos to first threaten, then publicly drop this week's three zero-days. In illusionofchaos' own words: "Ten days ago I asked for an explanation and warned then that I would make my research public if I don't receive an explanation. My request was ignored so I'm doing what I said I would."

[...] Assuming illusionofchaos' description of their disclosure timeline is correct—that they've waited for longer than 30 days, and in one case 180 days, to publicly disclose these vulnerabilities—it's hard to fault them for the drop. We do wish they had included full timelines for their interaction with Apple on all four vulnerabilities, rather than only the already-fixed one.

[...] Since Ars published a piece earlier this month about Apple's slow and inconsistent response to security bounties, several researchers have contacted us privately to express their own frustration. In some cases, researchers included video clips demonstrating exploits of still-unfixed bugs.

We have reached out to Apple for comment, but we have yet to receive any response as of press time. We will update this story with any response from Apple as it arrives.


  • (Score: 5, Insightful) by fustakrakich on Sunday September 26 2021, @11:37PM (1 child)

    by fustakrakich (6150) on Sunday September 26 2021, @11:37PM (#1181704) Journal

    Sold to the highest bidder... When will the History Channel broadcast the auctions?

    --
    Politics and criminals are the same thing.
    • (Score: 0) by Anonymous Coward on Monday September 27 2021, @01:31PM

      by Anonymous Coward on Monday September 27 2021, @01:31PM (#1181851)

      everyone else's data is a commodity, why shouldn't apple's data be a commodity?

  • (Score: 5, Insightful) by Anonymous Coward on Monday September 27 2021, @01:27AM (1 child)

    by Anonymous Coward on Monday September 27 2021, @01:27AM (#1181721)

    Apple has a long, ugly history of proving themselves to be the biggest dicks in town, and not even in the happy showboaty sort of pornalicious way that one would get in a porn movie. Everyone else is just "out of touch" or "doesn't get it" or "wasn't in the room, so they don't know what went into this" or ... you know, whatever the excuse of the week is. And why should we be surprised? It was the style of Steve Jobs not to be reasonable. He kind of made it work by actually giving a damn about usability (while the cameras were rolling, anyway) and about clean design, and insisting that everyone else live by that or find alternative employment. Now they're coasting on his style and rep without the half-lame broken genius behind it, and we get this kind of horseshit.

    And the fanbois will make excuses for them. Again.

    • (Score: 2) by PinkyGigglebrain on Tuesday September 28 2021, @01:01AM

      by PinkyGigglebrain (4458) on Tuesday September 28 2021, @01:01AM (#1182064)

      I've noticed that companies tend to retain the culture set by their founder for a long time after said founder is gone.

      Steve Jobs was a brilliant visionary in some regards and a complete dick in others. And the current culture at Apple has continued that pattern.

      Smaller companies are more flexible and can change and evolve as they mature but once they pass a certain threshold of size they become too inflexible to ever change without something forcefully imposing change from the outside.

      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
  • (Score: 0) by Anonymous Coward on Monday September 27 2021, @12:21PM (1 child)

    by Anonymous Coward on Monday September 27 2021, @12:21PM (#1181831)

    ApPlE DeViCeS ArE NoT SuScEpTiBlE To sEcUrITy iSsUeS!!!

    • (Score: 3, Touché) by PinkyGigglebrain on Tuesday September 28 2021, @12:54AM

      by PinkyGigglebrain (4458) on Tuesday September 28 2021, @12:54AM (#1182062)

      would have been better if you had remembered the "sent from my iPhone" sub note :)

      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."