All Posts by Date or last 15, 30, 90 or 180 days.

As an Amazon Associate I earn from qualifying purchases @AMAZON

Designed for the most demanding needs of photographers and videographers.
The fastest, toughest, and most compatible portable SSD ever with speeds up to 2800MB/s.

Apple is slow to fix critical security bugs, leaving you vulnerable to disaster

Hot on the heels of a zero-click security bug that could compromise your Mac or iPad/iPhone, a security researcher state that three zero-day bugs reported to Apple remain unfixed. That’s just one researcher; the are probably dozens of severe vulnerabities out in the wild.

Apparently, total system compromise bugs are not a top priority for Apple.

Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program

 I want to share my frustrating experience participating in Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Ten days ago I asked for an explanation and warned then that I would make my research public if I don't receive an explanation. My request was ignored so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI - in 120). I have waited much longer, up to half a year in one case. 

I'm not the first person that is unhappy with Apple Security Bounty program. Here are some other reports and opinions:

...

Here are links to GitHub repositories that contain PoC source code that I've sent to Apple. Each repository contains an app that gathers sensitive information and presents it in the UI...

WIND: Apple software quality is an oxymoron. Apple Core Rot is getting worse, but that’s just for starters.

When it comes to security, your entire life and life savings could be impacted. Think of having your Mac or iPad/iPHone compromised, which then results in all your financial accounts being drained. It can and will happen to some unlucky people.

So we have a company whose propaganda is all about security and privacy that now wants to insert spyware infrastructure into iOS and macOS, while being slow to act or not acting at all on critical security bugs.

View all handpicked deals...

FUJIFILM GF 20-35mm f/4 R WR Lens
$2499 $1999
SAVE $500

diglloyd.com | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | X.com/diglloyd
Copyright © 2020 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__