A Google Project Zero researcher has called Apple out for patching iOS and macOS vulnerabilities without informing users.
Apple has been busted fixing critical flaws last month in iOS 12, tvOS 12 and Safari 12 but not including details in its advisory about the fixes until a week later, after it released fixes for the same issues affecting macOS Mojave 10.14.
The missing bugs were reported to Apple by Project Zero researcher, Ivan Fratric, who used an open source fuzzer he developed called Domato, which he used to uncover 17 bugs in Safari last year.
Apple’s current advisory for Safari 12 dated 17 September lists nine vulnerabilities credited to Fratric, but a week earlier the same advisory, as captured by the Wayback Machine, listed none that were attributed to the researcher.
All the bugs reported by Fratric were in Safari’s WebKit browser engine. Several were use-after-free issues that could lead to remote code execution.
Apple most likely kept the bugs under wraps because it wanted to fix the issues on macOS first before revealing the same vulnerabilities were fixed in iOS. While that’s understandable from Apple’s perspective, Fratric makes a few points as to why it could be putting users at risk.
The worst risk is that Apple, by supplying patches to iOS a week ahead of macOS, could give attackers enough information to reverse-engineer a patch and build an exploit for Apple desktop systems.
At the same time, macOS users wouldn’t have an available patch to install, but they’d also not be aware that information has been made public to develop the attack.
Another problem is that Apple’s omissions are “misleading" to users. That's because the original advisory doesn't accurately convey the importance of installing a particular update and the fact that the advisory is likely only read once, meaning users are unlikely to check again and see why an update is important to install.
“This practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released and the impression they would to get is that the product updates fix far less vulnerabilities and less severe vulnerabilities than is actually the case,” writes Fratric.
On the other hand, the big question is whether users actually sift through security advisories and understand the potential impact of security flaws detailed in them. Apple and other major software vendors don't provide the full picture about flaws they fix.
The third main issue stems from the tool that Fratric developed and made publicly available a year ago. While Fratric’s recent Domato fuzzing of Safari turned up only half the bugs the tool found a year ago, it’s still a large number of bugs uncovered using a tool at anyone's disposal.
And based on his findings using the tool, Fratric wrote and just published an exploit that could be used to hack a Mac, but is nowhere near as potent as an exploit that a skilled attacker with the intent and resources could develop with tools that aren’t publicly available. His exploit, for example, did not include a sandbox escape, which would make it more powerful.
“The goal was not to write a very reliable or sophisticated exploit - highly advanced attackers would likely not choose to use the bugs found by public tools whose lifetime is expected to be relatively short. However, if someone with exploit writing skills was to use such a bug in, for example, a malware spreading campaign, they could potentially do a lot of damage even with an unreliable exploit.”
Fratric noted that he successfully tested the exploit Mac OS 10.13.6, build version 17G65. “If you are still using this version, you might want to update,” noted Fratric.
Fortunately — or perhaps not — it’s not known whether the bugs Fratric reported have been exploited.
“While it is easy to brush away such bugs as something we haven’t seen actual attackers use, that doesn’t mean it’s not happening or that it couldn’t happen,” the researcher noted.