Apple failed to patch publicly disclosed zero-day vulnerabilities in iOS 15.0.1

Apple on Friday released iOS 15.0.1, a point update to iOS 15, but the release appears to address mainly usability issues: the three zero-day vulnerabilities publicly disclosed last week remain unpatched. In September, security researcher Denis Tokarev (known by the pseudonym illusionofchaos) stated that Apple had ignored multiple reports of newly discovered zero-day vulnerabilities in its mobile operating system, iOS.

Tokarev said in a blog post that he reported four flaws to Apple between March 10 and May 4. One issue was fixed in iOS 14.7; the other three remain unpatched. On Friday the researcher reported on Twitter that all three issues are still present in the latest release, iOS 15.0.1.

Tokarev himself acknowledged that the remaining zero-day vulnerabilities are not urgent. One of them requires that an attacker first get a maliciously crafted app past Apple's App Store review; once installed, the app can read the user's Apple ID information.

However, Tokarev was dissatisfied with how Apple handled the vulnerabilities he reported through its Bug Bounty Program. In a blog post at the end of September he detailed his interactions with the company's security team. According to the researcher, Apple did not list the security issue it patched in iOS 14.7 in that release's security notes, nor did it add information about the flaw in subsequent security page updates.

Illusionofchaos wrote at the time: "When I confronted them, they apologized to me, assured me that it happened due to processing problems, and promised to list it on the next security content page update. Since then there have been three similar situations, and they broke their promise each time."

Apple saw Tokarev's blog post and apologized once again. The company said that as of September 27 its team was still investigating the remaining three vulnerabilities. Tokarev disclosed the flaws publicly last week, criticizing Apple's Bug Bounty program and the company's handling of security researchers in general, which he said suffers from poor communication and problems with bounty payments.

Earlier this week, researcher Bobby Rauch publicly disclosed an AirTag vulnerability after Apple failed to answer basic questions about the flaw, including whether Rauch would receive a bounty for discovering it. The vulnerability lets an attacker insert code that redirects a user who scans the AirTag while it is in Lost Mode to a malicious web page.