Apple is disputing the accuracy of this week's report that found attackers have been exploiting an unpatched iOS bug that allowed them to take full control of iPhones.
San Francisco-based security firm ZecOps said on Wednesday that attackers had used the zero-day exploit against at least six targets over a span of at least two years. In the now-disputed report, ZecOps had said the critical flaw was located in the Mail app and could be triggered by sending specially manipulated emails that required no interaction on the part of users.
Apple declined to comment on the report at the time. Late on Thursday night, however, Apple pushed back on ZecOps' findings that (a) the bug posed a threat to iPhone and iPad users and (b) there had been any active exploit at all. In a statement, officials wrote:
Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.
A fair number of independent researchers have also questioned the ZecOps conclusion. Generally, the critics said that the evidence ZecOps based its findings on wasn't persuasive. The disputed findings rested on two observations: the malicious emails had been deleted, presumably to hide the attacks, and data that remained in the device logs indicated that the deletions and crashes were the result of an exploit.
The critics said that if the exploit was able to delete the emails, it would have been able to delete the crash log data as well. That failure, together with some technical details contained in the ZecOps report, strongly suggested to the critics that the flaw was a more benign bug triggered by certain types of emails. The critics were also skeptical that an advanced exploit would cause a crash at all. Those doubts have continued ever since.
HD Moore, vice president of research and development at Atredis Partners and an expert in software exploitation, told me on Friday:
It looks like ZecOps identified a crash report, found a way to reproduce the crashes, and based on circumstantial evidence assumed this was being used for malicious purposes. It sounds like after he reported it to Apple, Apple investigated, found out these were just crash bugs, and that shuts the door on this being actual in-the-wild exploitation of a new iOS zero-day.
It could be Apple is wrong, but given their sensitivity to this stuff, they probably did a decent job of investigating it. Through the grapevine I heard that the internal security team that handled this investigation at Apple was pissed off about it, since ZecOps went straight to press before they had a chance to review.
Other critics have delivered their critiques on Twitter.
“Looks like you have a real vuln but the evidence of exploitation looks weak… and no info in your post on post-exploitation chaining to lead to info disclosure or code execution,” researcher Rich Mogull wrote. “Any update you can share? Pretty big claim of a no-click mail 0-day being used.”