
How Apple kept a zero day iOS vulnerability secret for six months

31 October 2016


Issued a fix which did not work

Apple gamed Google’s Project Zero team into sitting on a kernel exploit in Apple’s OSX and its mobile operating system iOS for months.

The bug was serious. It allowed for root-level escalation of privileges for an attacker and it was reported to Jobs’ Mob in June by PZ member Ian Beer. Apple asked for 60 days to fix the problem before it went public. Apparently, that was the length of time it took Apple’s auditors to counsel those who believed that the software was perfect and there could be nothing wrong with it.

Google said no but eventually agreed a deadline of 21 September.

Apple put its best software minds on the problem and came up with a solution which was too perfect for mortals and it worked as well as a chocolate teapot. But because it put out a fix just within the deadline, Google did not realise that Apple's fix never worked. Apple repaired the flaw as part of this week’s release of OSX 10.12.1 and last week’s release of iOS 10.1. In doing so it managed to get the bug fixed on its timetable and without the embarrassment of such a dangerous flaw being made public.

This is great news for Apple, which managed to keep intact the illusion of its security, and that its software was less buggy than Android, but bad news for all its users who were exposed for rather a long time.

 

Last modified on 31 October 2016