Apple releases iOS 15.0.2 to fix two zero-day exploits; and fails to credit the researcher who found the vulnerability

Ashwin
Oct 14, 2021

Last month, Apple released an emergency update for its iPhones, iPads, Mac computers, and Apple Watches to fix a serious security vulnerability. It's happening again: two more zero-day vulnerabilities have been patched in iOS 15.0.2.

The update fixes a vulnerability tracked as CVE-2021-30883. It is a security vulnerability in IOMobileFrameBuffer that could allow the execution of arbitrary code with kernel privileges. Apple says it has resolved the problem by improving the memory handling of devices.

The other vulnerability that was fixed is called Gamed 0-day. It allowed apps installed from the App Store to access user data such as the Apple ID email and the full name linked to it, the Apple ID authentication token, and the file system, which in turn allows access to SMS, Mail, iMessage, third-party messengers, and the user's interactions with contacts, including but not limited to timestamps and attachments.

iOS 15.0.2 and iPadOS 15.0.2 are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

There's a bit of drama behind the iOS 15.0.2 update. If you go to the Apple Security Update page for the latest patch, you may be surprised to find that the second security exploit that we mentioned above is not listed there. It almost looks like they wanted to keep it quiet, doesn't it? Well, that is exactly what happened.

Bleeping Computer reports that Apple did not credit the researcher who found the second vulnerability. The exploit was discovered by Denis Tokarev, a Russian software developer. If you look back a few months, you may recall that the Cupertino-based company patched its operating system quite a few times to address security advisories. Tokarev assisted Apple by sharing his discoveries, and the company included a fix for the exploit that he reported in iOS 14.7, 15.0 (2 issues). When he asked Apple to credit him for his findings, he was instead told to treat the email correspondence as confidential. This is highly unusual and unethical. The Apple Security Bounty Program exists for a reason: to reward security experts who help the company patch vulnerabilities for their contribution to protecting millions of users worldwide.

As a matter of fact, the page for the bounty program states:

"Apple offers public recognition for those who submit valid reports, and will match donations of the bounty payment to qualifying charities"

And yet, Tokarev was not credited for his findings. Speaking of which, the developer has a GitHub page where he outlines the technical information of the exploit, including a proof of concept.

I wonder what would happen if these white hat hackers became annoyed by such treatment and stopped helping Apple? Imagine the chaos if users' email IDs, names, and logs had been leaked on the dark web. It could prove to be very costly, quite literally.

On a side note, the security vulnerability related to the IOMobileFrameBuffer that was patched in iOS 15.0.2 has been released on GitHub. That's good news, because we can expect a new jailbreak for it.


Comments

  1. Rush said on August 28, 2023 at 9:50 pm

    If Nothing OS is nothing more than an overlay with Google still in the midst….then I ain’t interested.

    1. Seeprime said on September 12, 2023 at 4:12 pm

      Another unrelated comment older than the article. Pathetic.

      1. Robenroute said on September 13, 2023 at 9:06 am

        it is becoming mindbogglingly annoying indeed…

  2. ThisIsTheWayTheGhacksEnds said on September 13, 2023 at 9:09 am

    Under: https://www.ghacks.net/2023/09/12/iphone-15-with-usb-c-port/

    Apple was forced to add USB-C to a phone and the maccultists start talking about “revolution” and “paradigm shift” (as if USB phones had never come out before). It’s so ridiculous it’s reminiscent of comedians doing the “stepped on a water hose” stunt – that was at least somehow funny a hundred years ago.
    Reading this on a site that used to be a technical resource is especially ridiculous.
    How pathetic

  3. Anonymous said on September 14, 2023 at 4:28 pm

    “An iPhone 15 with a USB-C port will mean more than you think”

    That Apple can finally stop hindering progress if spanked hard enough ?

  4. Alex Hales said on September 21, 2023 at 12:51 am

    I’m thrilled to see Instagram taking steps to enhance the user experience with features like Live Activities. This update is a game-changer, especially for those who frequently upload content on the platform.

    The ability to track upload progress in the background is a simple yet incredibly useful addition. It not only keeps users informed about the status of their uploads but also allows for a more seamless experience on the platform. No more constantly checking if your post has successfully uploaded or worrying about interrupted uploads due to a weak signal.

    As an active Instagram user, this feature is a relief. It showcases Instagram’s commitment to improving user satisfaction and addressing common pain points. It’s all about making the platform more user-friendly, and this feature certainly accomplishes that.

    I can’t wait to try out Live Activities and enjoy a stress-free posting experience. Kudos to Instagram for continually innovating and making our social media lives easier!

    Keep up the great work, Instagram, and thanks to ghacks for keeping us in the loop with the latest tech updates!

    I am additionally add one more think if you want to watch instagram stories anonymously to visit site storysnooper.com.

  5. Alex Hales said on September 25, 2023 at 6:02 pm

    I found this post really insightful! It’s always intriguing to learn about the various ways we can navigate and understand social media platforms. The idea of checking someone’s Threads following list might seem like a niche topic, but in today’s digital age, it can be quite relevant.

    As someone who uses social media regularly, I appreciate the tips and guidance provided here. It’s not just about curiosity; it’s also about understanding our online connections better. This information can help us engage more effectively and stay updated with the content that interests us the most.

    The step-by-step instructions provided in the article are clear and easy to follow. It’s great that the author has taken the time to break down the process, making it accessible to both tech-savvy individuals and those who might not be as familiar with these platforms.

    I also appreciate the emphasis on privacy and ethics. It’s essential to remember that online interactions should always respect the boundaries and consent of others. The article’s focus on respecting others’ privacy is a reminder of the importance of responsible online behavior.

    Overall, this post is a valuable resource for anyone looking to understand more about the Threads following list on social media platforms. I’ll definitely be sharing this with my friends and followers who might find it useful. Keep up the great work, ghacks!
