Apple silently fixed iOS zero-day without crediting the expert who reported it

Pierluigi Paganini October 13, 2021

Apple has silently addressed a zero-day vulnerability that could allow attackers to gain access to sensitive user data.

Apple has silently addressed a zero-day vulnerability with the release of iOS 15.0.2. The vulnerability could allow attackers to gain access to sensitive user information.

The flaw was reported to the IT giant by software developer Denis Tokarev seven months ago, but according to the expert, Apple did not credit him. The expert claims that Apple told him they were going to fix it on August 25, but since then he has not received any updates from Apple. The expert said that this is the second vulnerability fixed by Apple without crediting his work.

After the release of iOS 15.0.2, Tokarev contacted Apple requesting that it credit him for the discovery of the issue, as agreed in a past email exchange, but the company only asked him not to disclose the conversation.

According to the researcher, Apple addressed one of the issues in July without crediting him, while the remaining flaws are yet to be patched.

“I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update.” wrote the expert. “There were three releases since then and they broke their promise each time.”

The expert attempted to contact Apple for clarification, but the remaining flaws were not addressed.

Below is the list of GitHub repositories that contain PoC source code for the zero-days discovered by the expert, which were also shared with Apple.

This week Apple has released iOS 15.0.2 and iPadOS 15.0.2 to address a zero-day flaw, tracked as CVE-2021-30883, that is actively exploited in the wild.

The flaw is a critical memory corruption issue that resides in IOMobileFrameBuffer. An application can trigger the vulnerability to execute commands on vulnerable devices with kernel privileges.

Apple is aware of attacks in the wild exploiting this flaw, but it avoided sharing details about them.

“An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by the IT giant. “A memory corruption issue was addressed with improved memory handling.”

The situation faced by Tokarev is similar to the experience of other experts who attempted to report vulnerabilities to Apple through its Bug Bounty Program.
