Apple ‘Still Investigating’ Unpatched and Public iPhone Vulnerabilities Originally Reported in March

Lorenzo Franceschi-Bicchierai, reporting for Motherboard:

On Thursday, a security researcher published details of three iPhone vulnerabilities that are unpatched as of today. The security researcher, whose name is Denis Tokarev, said he decided to publish the bugs’ details as well as the source code that makes it extremely easy to reproduce and exploit them, because he was tired of waiting and felt like Apple ignored him.

Tokarev reported the vulnerabilities to Apple between March 10 and April 29, but the last time he heard back from Apple about the three vulnerabilities was August 6, August 12, and August 25, respectively. Then the researcher said he told Apple on September 13 he would publish details of the bugs unless he heard back.

It was only after he went public with details about the unpatched bugs that Apple reached out, according to Tokarev, who shared Apple’s email with Motherboard.

“We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you,” an Apple employee wrote. “We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions.”

Tokarev, in his follow-up post:

Indeed, I do have questions.

Wednesday, 29 September 2021