


Apple is slow to fix critical security bugs, leaving you vulnerable to disaster

Hot on the heels of a zero-click security bug that could compromise your Mac or iPad/iPhone, a security researcher states that three zero-day bugs he reported to Apple remain unfixed (a fourth was fixed, but never acknowledged in Apple's security notes). That is just one researcher; there are probably dozens of severe vulnerabilities out in the wild.

Apparently, total system compromise bugs are not a top priority for Apple.

Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program

I want to share my frustrating experience participating in the Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4; as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There have been three releases since then and they broke their promise each time.

Ten days ago I asked for an explanation and warned them that I would make my research public if I didn't receive an explanation. My request was ignored, so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities 90 days after reporting them to the vendor, ZDI in 120). I have waited much longer, up to half a year in one case.

I'm not the first person who is unhappy with the Apple Security Bounty program. Here are some other reports and opinions:

...

Here are links to GitHub repositories that contain PoC source code that I've sent to Apple. Each repository contains an app that gathers sensitive information and presents it in the UI...

WIND: Apple software quality is an oxymoron. Apple Core Rot is getting worse, but that’s just for starters.

When it comes to security, your entire life and life savings could be impacted. Think of having your Mac or iPad/iPhone compromised, which then results in all your financial accounts being drained. It can and will happen to some unlucky people.

So we have a company whose propaganda is all about security and privacy, yet which now wants to insert spyware infrastructure into iOS and macOS, while being slow to act, or not acting at all, on critical security bugs.

diglloyd.com | Copyright © 2020 diglloyd Inc, all rights reserved.