Security: The trade in zero-day iOS vulnerabilities is fueling an industry willing to pay hundreds of thousands of dollars for them. Faced with this, Apple has to keep pace with patches and reform its bug bounty program, which researchers have criticized.


Louis Adam

Tuesday September 14, 2021

Apple has released a new update for its mobile operating system to fix two zero-day vulnerabilities, one of which, according to CitizenLab, was exploited by NSO Group.

The vulnerability, identified as CVE-2021-30860 and nicknamed FORCEDENTRY, allowed an attacker to execute code on the target's device by getting it to process a booby-trapped PDF file. It required no user interaction and allowed the device to be taken over without its owner's knowledge.

According to the CitizenLab researchers behind the discovery, traces of exploitation of this flaw were found in March on the phone of an activist targeted by Pegasus, the interception spyware sold by the Israeli company NSO Group. This is the same software that was accused in early July of having been used by foreign intelligence services to spy on several prominent figures and members of the French government.

As Le Monde notes, this is the flaw that was implicated in the July revelations about the infection of several phones by Pegasus. The daily explains that the initial material sent to Apple in July by the Amnesty International team did not allow the company to pinpoint the vulnerability behind the compromises.

On September 7, CitizenLab sent Apple new material from the compromised phone it had analyzed in March. Apple produced a patch, released yesterday, a turnaround that reflects well on the company.

For Apple, the stakes are high: the company has positioned the iPhone as one of the phones offering the strongest security guarantees to its users, which is why it is often chosen by people seeking to protect themselves from intrusion and espionage. Unfortunately, Apple's software is not free of vulnerabilities, and an ecosystem of companies with questionable practices has grown up around bypassing the iPhone's protections. The first link in that chain is the zero-day vulnerability brokers, who buy and sell the flaws discovered by researchers.

One of the best-known players in the sector, Zerodium, openly posts an indicative price list for various zero-day flaws on its website: for an iMessage flaw allowing remote code execution and privilege escalation without user interaction, as was the case with FORCEDENTRY, Zerodium states that it will pay up to $1.5 million. Some iOS vulnerabilities fetch as much as $2 million.

Vulnerability brokers acquire information about zero-day vulnerabilities from security researchers. They then sell that information to companies and governments that want to build espionage or surveillance tools. Some of these clients, such as NSO Group, which developed Pegasus, or Gamma Group, which markets the FinFisher spyware, are private companies. Others are intelligence services and governments. Officially, these tools are reserved exclusively for counterterrorism and law enforcement investigations, but the recent revelations about the use of Pegasus show that the brokers' clients are not all respectful of human rights, and that traces of infection turn up on the devices of activists and political opponents.

Faced with this, Apple must rely on the work of its own engineers, but also on its bug bounty program to obtain this information: Apple promises rewards of up to $1 million for a flaw allowing remote code execution without user interaction. That is precisely the type of flaw CitizenLab reported, and one that vulnerability brokers are willing to buy for twice that amount.

Unfortunately, this bug bounty program does not satisfy everyone. In a Washington Post article published last week, many researchers point to a lack of goodwill from Apple's teams toward the company's own bug bounty program. Poor communication, reduced rewards, excessively long times to fix bugs: reading the complaints of the researchers interviewed by the American daily, one concludes that fixing FORCEDENTRY in under a week is rather the exception.

Outside of high-profile vulnerabilities such as the one identified by CitizenLab, Apple is apparently slower to ship patches. A researcher put off by Apple's poor reputation might be tempted to set aside their scruples and sell the vulnerabilities they discover to brokers, who promise far larger rewards.

The total rewards paid out by Apple's program are telling on this point: Google's bug bounty program paid out $6.7 million in rewards over 2020, and Microsoft $13.7 million over its 2020/2021 year. Apple, for its part, paid out $3.7 million.

According to the Washington Post's reporters, Apple's corporate culture sits uneasily with the expectations of security researchers, who would like more transparency from the company about how it pays rewards and fixes vulnerabilities.

Apple nonetheless appears to want to change these practices, and told the Washington Post that a new director has been hired for its bug bounty program. Rewards are also expected to be raised. However, the manufacturer declined to confirm anything to the journalists, perhaps to save the announcement for its back-to-school event scheduled for tonight.

For the first time in the history of its mobile OS, Apple is shipping an x.8 release (iOS 14.8, which carries the fix for CVE-2021-30860).


Apple releases update to protect devices from NSO Group spyware


Copyright © 2021 ZDNET, A RED VENTURES COMPANY. ALL RIGHTS RESERVED. CUP Interactive SAS (France). All rights reserved.