Google’s Project Zero has disclosed a number of security flaws in Apple’s mobile operating system in recent months. Apple has only recently rolled out an update to address them, yet the company failed to fix all of the issues, the BBC reported Tuesday.
According to the report, Project Zero – a team of security experts dedicated to hunting bugs in various manufacturers’ software products – revealed five vulnerabilities, at least one of which allowed all files to be copied off the device without any assistance from the user. Another flaw was invasive enough that a targeted phone could only be saved by a complete reset to factory defaults, erasing all data.
The two above-mentioned flaws were revealed in April and May of this year, yet Apple only saw fit to fix them in an iOS update released last week, the BBC report says.
"That's quite unusual," Alan Woodward, a cyber-security expert at the University of Surrey, commented on Apple’s foot-dragging. "The reputation of the Google Zero team is such that it is worth taking notice of."
However, the Cupertino-based tech giant failed to tackle a sixth vulnerability unveiled by Google, identified as CVE-2019-8641, Project Zero says, despite Apple’s claim in a patch note that the issue had been “addressed.”
We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability — Natalie Silvanovich (@natashenka) July 29, 2019
“We are withholding CVE-2019-8641 [detailed description] until its deadline because the fix in the advisory did not resolve the vulnerability,” Project Zero’s Natalie Silvanovich tweeted.
According to the iOS 12.4 patch note, the flaw in question allows an attacker to crash an application or execute “arbitrary code” on the targeted device.
Apple did not comment on the issue, but urged users to make sure their iOS version is always up to date, the BBC report says.
Silvanovich reportedly intends to share more information on Project Zero’s findings at a presentation at the Black Hat conference in Las Vegas, which will be attended by Apple’s cybersecurity experts, among others.
Previously, Google’s bug-hunting team alerted Microsoft, Facebook and Samsung, among other tech companies, about flaws in their code, the BBC says.