Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
IOS Security Apple

Researcher Dumps Three iOS Zero-days After Apple Failed To Fix Issues for Months (therecord.media) 64

A security researcher has published details about three iOS zero-day vulnerabilities, claiming that Apple has failed to patch the issues, which they first reported to the company earlier this year. From a report: Going by the pseudonym of Illusion of Chaos, the researcher has published their findings on Russian blogging platform Habr and has released proof-of-concept code for each vulnerability on GitHub. This includes:

1. A vulnerability in the Gamed daemon that can grant access to user data such as AppleID emails, names, auth token, and grant file system access.

2. A vulnerability in the nehelper daemon that can be used from within an app to learn what other apps are installed on a device.

3. An additional vulnerability in the nehelper daemon can also be used from within an app to gain access to a device's WiFi information.

This discussion has been archived. No new comments can be posted.

Researcher Dumps Three iOS Zero-days After Apple Failed To Fix Issues for Months

Comments Filter:
  • If they have been known about for months, how are they zero-day?
    • Zero day means that the issue has been in the product since zero day not that it only has been recently discovered.
      • Then using the term zero-day for this is stupid. It is a bug. It was released with a bug. The bug has not been fixed.
        • Re:Months? (Score:5, Informative)

          by AleRunner ( 4556245 ) on Friday September 24, 2021 @12:44PM (#61828787)

          Then using the term zero-day for this is stupid. It is a bug. It was released with a bug. The bug has not been fixed.

          "Day" refers to the number of days since the vendor released a fix for the problem. We still have no fix so it we are still waiting for "Day Zero" when we can start fixing our systems.

          This came from the idea that normally most vulnerabilities had a vendor advisory telling people how to protect against the bug and it would take several days for people to reverse engineer the vulnerability. Thus, you would say "we need to be able to patch our systems within three days of a vulnerabilty", then when after a week an 8-day vulnerability came out you breathed a sigh of relief that you had patched so quickly and kept your company safe from any worm that cam out to exploit the vulnerability.

          The bugs are Zero day vulnerabilities. Until we get a fix or at least a work around from Apple it remains that way. No matter how many people on Slashdot seem to want to try sematic tricks to make that go away.

      • by flink ( 18449 )

        It used to mean "cracked on release day", it's since been diluted to the point where it is almost useless.

        • It never meant that. You thought it meant that, so you misunderstood a lot of stories. But they still seemed to mean something, so you didn't notice they meant something different than you thought.

          It is never too late to learn a new word. Some people learn new words every day.

          • by flink ( 18449 )

            When I was on dial up BBSes in the early 90s a "0-day" was, 100% of the time, a copy protection crack released on the same day as the software or the software itself found in the warez section.

            Later, sometime in the mid 2000s, but could have been earlier, the security community adopted it to mean a vulnerability released on the same day as a piece of software, a new version of the software, a feature, or patch meant to fix a vulnerability. I.e. it took the cracking community "0 days" to p0wn you.

            Now it jus

            • The longer you misunderstand the exact meaning of a word, the more certain you'll be of what the meaning is.

              But then when you try to tell other people, and they correct you, and you argue, it really is insufferable. Especially if you blurt out how long you've been wrong. You don't comprehend that the context you were seeing the word used in failed to inform you of the narrow meaning; what you thought it meant made sense, too. So you naturally didn't notice.

        • You are correct. It originated in the warez scene in the 1980s, and I speak from experience.

          • by flink ( 18449 )

            Thank you! Someone else with a memory!

            • Yup. I was a courier for a slew of warez boards, and "Zero day" meant you had the good stuff hot off the wire. :)

              I remember laboriously downloading the full release of MS Word at 14.4Kbs, then passing it out to transfer boards...

    • âoeZero-dayâ indicates that there have been zero days between when a vulnerability has been patched and when the exploit was known or exploited in the wild. (White-hat researchers do not start the clock by reporting the vulnerability to the vendor, although they do often make vulnerabilities public if they are not addressed by the vendor.)
    • I see your point, but they still align with most of the definition of zero day: No patch available, immediate and unauthorized disclosure to the public. Additionally, with exploits developed for the vuln.

    • Re:Months? (Score:4, Informative)

      by Moloth ( 2793915 ) on Friday September 24, 2021 @10:40AM (#61828321)

      "Zero day" once referred to the number of days since the vendor has known about the exploit.
      Now it is a broad term that means any unpatched exploit.

      • "Zero day" once referred to the number of days since the vendor has known about the exploit.
        Now it is a broad term that means any unpatched exploit.

        Almost. It was actually the time from the moment that the vendor passed on the knowledge of the report (just like in the Warez scene - it's from the day of release, not from the day you start writing your software). At one point there was a discussion about when this happened with vendors trying to have lists of favoured customers who would get to patch before the others. That's probably the point where this confusion began and some people began thinking that day zero was the day of the report or the day

    • Seems everyone has a different definition of Zero day.

      MY understanding is that the Zero Day means that the exploit ALREADY happened when it was discovered/reported to vender for patching. As in Already exploited.

      Having Proof of concept, reported to vendor, who does nothing to patch for months, is a Zero Day, meaning there is likely to be exploits active in the wild.

  • Failed to address for months?

    By definition they are not "zero-day" vulnerabilities.

    • by jeromef ( 2726837 ) on Friday September 24, 2021 @10:38AM (#61828311)
      They are zero days because no patches are available: https://en.wikipedia.org/wiki/... [wikipedia.org]
      • Wikipedia is wrong. Whoever wrote that is clueless.
        • OK then "unpatched vulnerability" or "unpatched exploit" are probably much better terms.
          • Unpatched vulnerability is fine. However it's not an "unpatched exploit" it could be an "exploit for an unpatched vulnerabilty" but "zero-day" is a reasonable term. The Wikipedia article is pretty fine and correct. There are a bunch of people here who misunderstand the way that "zero-day" is use here and are confused because day zero happens after the software release. What they have to realise is that in the case of software vulnerabilities, day zero is the day that the patch to fix the vulnerability w

    • by mark-t ( 151149 )

      This is why the term "zero day" is so problematic, because it starts counting from the day that the bug is disclosed, every newly disclosed bug effectively becomes "zero day".

      The term carried far more weight when it referred to counting the number of days *since* the bug's existence prior to discovery (which is at best the number of days since the company last updated the software).

      • by Frobnicator ( 565869 ) on Friday September 24, 2021 @11:53AM (#61828575) Journal

        "Zero Day" is yet another good term ruined by misuse.

        Another good one was "Shelter In Place" before the recent pandemic. Before it meant exactly what the words meant: No matter what place you are in, a grocery store, at school, at work, at the gas station, you stop there and take shelter. You do not go home, you do not travel, you do not go outside. Often it was done in response to chemical spills, active shooters, or other short-term emergencies where going out in the open is problematic. Far too many media called the stay home orders "shelter in place", now many plebes think it means "travel to your home at your convenience and stay there".

        If we're limiting it to computer terms: "broadband" becoming an ever-sliding target for high speed Internet rather than the opposite of baseband, or dating myself, "hacker" being an evil person rather than a person who assembles together systems MacGyver style. So many good terms adopted, abused, and ruined by the masses.

        • The meaning of "shelter in place" never changed.

          You simply didn't comply with it. But the meaning didn't change.

        • >"So many good terms adopted, abused, and ruined by the masses."

          Yep. Like "male"/"female". "Racism" (which used to mean malevolent action, and now means just about anything/everything). "Shot" (instead of injection or vaccination). "Neuter or spay" (which is really just "neuter", otherwise what is meant is "castrate or spay"). "Mad" (which means crazy, when what was meant was "angry").

          The list just goes on and on. Oh well.

      • That is a good take on it.

  • I think the should stop holding on to these and make them public as soon as they are discovered.
    • Yeah, it's a game for dealing with bad response from the party that messed up. If apple doesn't improve their behavior or make things right with this researcher he will likely dump the vulns on discovery next time. Otoh, giving a vendor time to respond appropriately should give the researchers funding to continue their work.

    • Apple's bad behavior doesn't justify bad behavior in return.

      Security industry standard for nearly 40 years has been responsible timed disclosure. Notify the company and also start a clock. If the company sits on it (like Apple now does), the public disclosure also includes the back-and-forth with the company and they get egg on their face.

      If the company takes action immediately they can craft their own public response. "Today we worked with security researchers and are announcing an urgent security patch"

      • Apple's bad behavior doesn't justify bad behavior in return.

        Security industry standard for nearly 40 years has been responsible timed disclosure.

        Responsible timed disclosure is a quite serious risk for some security researchers. It means creating a two way communication channel over a long period of time so that they can't claim they didn't get your notification which can be reversed by the vendor in order to find you. Multiple researchers have found themselves in legal trouble at that stage. If your vendor has any history of bad behaviour (as with Apple) you may be better advised to simply release so that at least the enemy secret services have mor

  • by mark-t ( 151149 ) <markt@ner[ ]at.com ['dfl' in gap]> on Friday September 24, 2021 @10:34AM (#61828297) Journal

    "Researcher decides to publicly disclose iOS bugs after Apple fails to fix them for months"

    "Zero-day" has taken on a tautological definition. and does not usefully contribute to the significance of the issue.

    • I think "zero-day" has become newspeak for "you should be scared." The problem with that sort of mentality is that they label EVERY bug as zero-day, and you get desensitized to it to the point that even if something really is a zero-day, all you feel like doing when you hear about another one is shrugging and moving on with your day.

      Can't wait for the next scary trigger word to come along and make zero-day into a has-been.

      • by mark-t ( 151149 )

        This could be solved entirely if the term "zero day" was only ever used to describe bugs uncovered within the first 24 hours that the software susceptible to that exploit had been available to the public.

        In other words, hardly ever.

  • by AndyKron ( 937105 ) on Friday September 24, 2021 @10:42AM (#61828327)
    iOS zero-day vulnerabilities. They just work
  • by bobstreo ( 1320787 ) on Friday September 24, 2021 @10:50AM (#61828351)

    Did the Researcher get any money for Bug Bounties?

    • by tlhIngan ( 30335 )

      Did the Researcher get any money for Bug Bounties?

      Obviously none of the Apple ones. Publishing would be basically tantamount to cancelling the bug bounty you would've gotten.

      These issues seem related to apps though - is Apple scanning apps to see if they make use of these vulnerabilities? I mean you can't just run arbitrary code very easily on iOS anymore (or jailbreaking would still be a very common thing), so perhaps these issues aren't as urgent as other issues.

      After all, there are going to be bugs. If

    • by antdude ( 79039 )

      Probably lawsuits. :(

  • Zero-Day (Score:5, Insightful)

    by Scarred Intellect ( 1648867 ) on Friday September 24, 2021 @10:51AM (#61828359) Homepage Journal

    I like how all the comments so far are talking about whether this is or isn't really a zero-day, and discussing the fine details of the definition of zero-day, and not a word on Apple's apparent disinterest.

    Nerds.

  • by Nabeel_co ( 1045054 ) on Friday September 24, 2021 @11:02AM (#61828401) Homepage

    I used to work at Apple

    Apple's internal policy on bugs and security issues is to ignore them as much as possible and rank them by which ones are most likely to get them negative press.
    The ones which are the most likely to, or do get them negative press are the ones that get addressed first.

    You know how your iPhone always seems to have issues connecting to your car properly? Most people assume that's their car's fault... it's not.. it's your iPhone, but because people blame their car, Apple has not fixed that bug in over a decade, and it gets worse with every release of iOS.

    • by cusco ( 717999 )

      Sounds like a lot of Windows hardware driver manufacturers. Their shitty slapped-together driver pukes for no discernible reason but they don't care because they know customers will just blame Microsoft (looking at you Broadcom).

    • by antdude ( 79039 )

      It's not just Apple's too.

  • Then any vulnerability discovered against that launch code, which still goes unfixed, is by default a day zero vulnerability. A researcher found and reported it, but it is impossible to say whether anyone else (blackhat, state, etc.) could have discovered and exploited it long before.
  • by theshowmecanuck ( 703852 ) on Friday September 24, 2021 @12:33PM (#61828733) Journal

    Apple didn't fix them for a reason, and actually knew about them before they were informed. In fact Apple built these "security bugs" into iOS for the NSA and FBI. That's how they exploit iPhones to secretly surveil Apple users.

An adequate bootstrap is a contradiction in terms.

Working...