Google security researcher Ian Beer has published a write-up of a security issue he found, in which he also criticizes the way Apple handles security issues. The reason: Apple recently patched several vulnerabilities in iOS 12 that Beer discovered, but the Cupertino tech giant does not mention them in its security bulletin.
Beer discovered the issues using a method called "variant analysis". With this method, security researchers start from a known vulnerability and check whether the software contains other code that is vulnerable in a similar way. Beer used it to find new iOS vulnerabilities and then developed an exploit that combines the old bug with the newly discovered one. The exploit lets a malicious app read and write kernel memory on iOS 7.1.2.
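The variant-analysis idea in the paragraph above, as an added example that is not Beer's code or any Project Zero tooling: a toy Python scanner that takes the shape of one known bug (a copy whose length comes, unchecked, from a caller-controlled parameter) and hunts for siblings in a constructed C snippet. The bug shape, the regex "parser", the one-level taint propagation and the sample functions are all assumptions made for illustration; a real pass would use a proper parser or a query engine rather than regexes, and Beer's actual approach is not described on this page.

```python
"""Toy variant analysis: start from the shape of a known bug, hunt for siblings.

Added example, not code from Ian Beer or Project Zero. The "known bug"
pattern and the sample C source below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Bug shape we are hunting (assumption for this example): a copy whose length
# is derived from a function parameter and is never compared against a bound
# earlier in the same function.
FUNC_HEADER = re.compile(r'^(?:[\w\*]+\s+)*(\w+)\s*\(([^)]*)\)\s*\{', re.M)
COPY_CALL = re.compile(r'\b(memcpy|bcopy|copyin)\s*\(([^;]*)\)\s*;')
ASSIGN = re.compile(r'\b(\w+)\s*=\s*([^;=]*);')
IF_COND = re.compile(r'\bif\s*\(([^)]*)\)')
IDENT = re.compile(r'[A-Za-z_]\w*')


@dataclass
class Finding:
    function: str
    callee: str
    length_expr: str


def split_functions(src):
    """Crudely split C source into (name, parameter names, body) tuples."""
    out = []
    for m in FUNC_HEADER.finditer(src):
        depth, i = 1, m.end()          # walk to the matching closing brace
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        params = [p.split()[-1].lstrip('*') for p in m.group(2).split(',')
                  if p.strip() and p.strip() != 'void']
        out.append((m.group(1), params, src[m.end():i - 1]))
    return out


def tainted_names(params, body):
    """Parameters plus locals assigned (transitively) from tainted names."""
    tainted = set(params)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in ASSIGN.findall(body):
            if lhs not in tainted and tainted & set(IDENT.findall(rhs)):
                tainted.add(lhs)
                changed = True
    return tainted


def find_variants(src):
    """Flag every copy whose length is tainted and not bounds-checked before it."""
    findings = []
    for name, params, body in split_functions(src):
        tainted = tainted_names(params, body)
        for call in COPY_CALL.finditer(body):
            length_expr = call.group(2).split(',')[-1].strip()
            used = tainted & set(IDENT.findall(length_expr))
            if not used:
                continue                # constant or untainted size: not our shape
            before = body[:call.start()]
            checked = any(set(IDENT.findall(c)) & used and re.search(r'[<>]', c)
                          for c in IF_COND.findall(before))
            if not checked:
                findings.append(Finding(name, call.group(1), length_expr))
    return findings


# Constructed sample: the original bug, its fix, a sibling, and a non-match.
SAMPLE_SOURCE = """
#define BUF_SIZE 64

/* The known bug: len comes straight from the caller and is never checked. */
int known_bug(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);
    return 0;
}

/* The fix: same shape, now bounded. */
int fixed_copy(char *dst, const char *src, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(dst, src, len);
    return 0;
}

/* A sibling elsewhere in the tree: different callee, length laundered
   through a local, still unchecked. This is what variant analysis hunts. */
int variant(char *dst, const char *src, unsigned count) {
    size_t n = count * 2;
    bcopy(src, dst, n);
    return 0;
}

/* Not a variant: fixed-size copy. */
void not_a_variant(char *dst, const char *src) {
    memcpy(dst, src, BUF_SIZE);
}
"""

if __name__ == "__main__":
    for f in find_variants(SAMPLE_SOURCE):
        print(f"{f.function}: {f.callee} with unchecked length '{f.length_expr}'")
```

Run as a script, it reports `known_bug` (the seed) and `variant` (the sibling found through the local `n`), while the bounded `fixed_copy` and the constant-size `not_a_variant` stay quiet. The useful part is the third case: a variant rarely looks identical to the original, so the scanner matches on data flow into the dangerous sink rather than on the exact lines of the known bug.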
Beer reported the vulnerabilities to Apple, which patched them in iOS 12. Nevertheless, the iOS 12 security bulletin does not mention the vulnerabilities Beer discovered, and the company has not assigned them CVE identifiers. The CVE system provides a reference method for publicly known vulnerabilities and is the commonly accepted way of disclosing security issues; a fix that is neither listed nor given a CVE is invisible to anyone tracking patch status by identifier.
Beer argues that not mentioning all fixed security issues is bad practice. He explains this in his post: “In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were.”
It is not the first time Apple has received this criticism. Google security researcher Ivan Fratric previously criticized Apple for the same reason in a blog post he wrote about a security issue.