Last week, security researcher Denis Tokarev published on his blog three zero-day iOS vulnerabilities, none of them critical. Apple has now contacted the researcher to apologize for the delay in responding, and assures him that it is still working on how to fix them.
Four non-critical bugs, only one fixed
As Motherboard has learned, Tokarev reported all four vulnerabilities to Apple between March 10 and April 29 of this year. One of them was fixed in iOS 14.7; the other three are still present in iOS 15, or at least Apple has not recorded a fix for them in any of its security release notes.
We have seen your post about this issue and the rest of your reports. We apologize for the delay in replying to you. We want you to know that we continue to investigate these issues and how to fix them to protect our customers. We appreciate the time you have taken to report these issues, and we appreciate your assistance. Please let us know if you have any additional questions.
That was the reply an Apple employee sent the researcher, in an email the publication has confirmed. None of the three bugs is critical: to exploit them, a malicious app first has to pass all of the App Store's review controls, and the user then has to install that app on their iPhone before it can trigger them.
The bugs are serious, but actively exploiting them with an app that passes all of the App Store's controls is very difficult
There are therefore several barriers before these zero-days become usable, and exploiting them is not practical. That may be why Apple has not prioritized fixing them. What is beyond doubt is the lack of communication with Tokarev. After reporting the bugs to the company privately, he made them public once the 90-day grace period customary in the industry (popularized by Google's security team, Project Zero) had passed.
Criticism of Apple's bug reporting and bounty program
Apple has run its security bug bounty program for more than five years. With payouts that vary by category and severity, the program has rewarded a number of researchers to date, though it has also drawn criticism.
A few years ago, a bug in Group FaceTime calls made the news cycle. When the mother of the 14-year-old who found it tried to report it to Apple privately, she was ignored. It wasn't until the story hit the press that the company reacted.
Stories of this kind surface from time to time. But it is also true that the security release notes for iOS, iPadOS and macOS credit more and more people who report these vulnerabilities. The process of reporting bugs to Apple is not perfect, but this is also a field in constant motion.
Some argue that the rewards are too low, leading some hackers to sell their findings to the highest bidder instead, although raising the payouts would only start a bidding war.