Apple releases iOS 15.0.1; three zero-day vulnerabilities remain unpatched

鳳凰網 ·  Oct 2, 2021 16:02

IT Home, Oct. 2: Apple today pushed the iOS/iPadOS 15.0.1 update to iPhone and iPad users, internal build number 19A348.

The official iOS 15.0.1 release fixes a bug in Unlock with Apple Watch that prevented an authenticated Apple Watch from unlocking iPhone 13/Pro series devices when the user was wearing a mask.

Today's update also fixes an error that could cause an app to incorrectly display an alert that storage space is full, and resolves an issue that could cause Fitness+ users with an Apple Watch to unintentionally start a workout when enabling mindfulness meditation.

According to Apple Insider, Apple's latest iOS 15.0.1 update does not contain patches for three zero-day vulnerabilities that a researcher reported to Apple a few months ago and disclosed publicly last week.

In September, security researcher Denis Tokarev (alias illusionofcha0s) claimed that Apple had ignored several reports about newly discovered zero-day vulnerabilities in iOS. Tokarev reported four vulnerabilities to Apple between March 10 and May 4. Although one issue was fixed in iOS 14.7, the other three still work in the latest iOS 15.0.1.

Tokarev says the remaining zero-day vulnerabilities include a bug that allows a maliciously crafted app to read the user's Apple ID information, provided the app somehow makes it into the App Store.

However, Tokarev was unhappy with the way Apple handled his reports through its bug bounty program, and at the end of September he wrote a blog post detailing his interactions with the tech giant's team. According to the researcher, Apple did not list the security issue it fixed in iOS 14.7, nor did it add information about the flaw in subsequent updates to its security page.

Apple saw Tokarev's blog post and apologized again. The company said its team was still investigating the remaining three vulnerabilities as of Sept. 27, but Tokarev disclosed them last week under a standard vulnerability disclosure protocol.

IT Home learned that earlier this week, researcher Bobby Rauch publicly disclosed an AirTag vulnerability after Apple did not answer basic questions about the vulnerability or about whether Rauch would be rewarded for discovering it. The vulnerability allows an attacker to inject code and redirect a well-meaning person to a malicious web page when the device is scanned in Lost Mode.
