Apple is slow to fix critical security bugs, leaving you vulnerable to disaster

Hot on the heels of a zero-click security bug that could compromise your Mac or iPad/iPhone, a security researcher states that three zero-day bugs reported to Apple remain unfixed. That’s just one researcher; there are probably dozens of severe vulnerabilities out in the wild.

Apparently, total system compromise bugs are not a top priority for Apple.

Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program

I want to share my frustrating experience participating in the Apple Security Bounty program. I've reported four 0-day vulnerabilities this year between March 10 and May 4; as of now, three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There have been three releases since then and they broke their promise each time.

Ten days ago I asked for an explanation and warned them that I would make my research public if I didn't receive an explanation. My request was ignored, so I'm doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities 90 days after reporting them to the vendor, ZDI in 120). I have waited much longer, up to half a year in one case.

I'm not the first person who is unhappy with the Apple Security Bounty program. Here are some other reports and opinions:

...

Here are links to GitHub repositories that contain PoC source code that I've sent to Apple. Each repository contains an app that gathers sensitive information and presents it in the UI...

WIND: Apple software quality is an oxymoron. Apple Core Rot is getting worse, but that’s just for starters.

When it comes to security, your entire life and life savings could be impacted. Think of having your Mac or iPad/iPhone compromised, which then results in all your financial accounts being drained. It can and will happen to some unlucky people.

So we have a company whose propaganda is all about security and privacy that now wants to insert spyware infrastructure into iOS and macOS, while being slow to act or not acting at all on critical security bugs.

Copyright © 2020 diglloyd Inc, all rights reserved.