Apple issued a statement saying that it had "thoroughly investigated" the recent ZecOps report about hackers who took advantage of three iOS zero-day vulnerabilities, but "they did not find data to prove that vulnerabilities were used against customers".
ZecOps said the vulnerabilities had been used by hackers to carry out attacks on VIP targets:
- Employees of Fortune 500 companies in North America
- An executive of a transport company in Japan
- A VIP from Germany
- MSSP from Saudi Arabia and Israel
- A journalist in Europe
- And most likely, a director of a Swiss company
However, in its published statement, Apple says that it examined the details ZecOps announced in its report and did not come to the same conclusion, namely that the vulnerabilities have been used by hackers.
Apple's full statement is as follows:
"Apple takes all reports of security threats seriously. We have thoroughly investigated the researchers' report and, based on the information provided, have come to the conclusion that these issues do not pose an immediate risk to our users. The researchers identified three issues in Mail, but alone they are not enough to bypass iPhone and iPad security protections, and we did not find data to prove that they were used against our customers. These possible issues will soon be addressed with a software update. We value our collaboration with security researchers to keep our users safe and thank the researchers for their help."
The ZecOps research provoked reactions not only from Apple but also on Twitter. Several iOS security researchers disputed that the bugs had been used in attacks.
ZecOps researchers believe the vulnerabilities are being used by hackers because of crash logs found on devices.
These crash logs have been interpreted as attempts to exploit the vulnerabilities.
ZecOps said that failed exploitation left empty emails and a crash log on the device. According to the company, successful exploitation leads to the deletion of the empty emails to hide the attacks.
Security researchers have noted that if an attacker can delete emails, he or she may also delete crash logs.
The opposite view is that the researchers simply saw problematic emails triggering a (non-malicious) bug, not malicious attacks against iOS users. Apple needs more data to classify these crashes as attacks.
Responding to a Reuters report today, ZecOps promised to release more information about the bugs once Apple releases an updated version of the code.
The bugs have been fixed in the iOS 13.4.5 beta, and the fix is expected to reach the iOS stable channel in the coming weeks.
ZecOps' full statement is as follows:
"According to ZecOps, there were attacks due to these vulnerabilities in some organizations. We want to thank Apple for working on the patch and look forward to updating our devices as soon as it is available. ZecOps will release more information and POCs when the update is available."
The existence of the bugs has never been disputed, neither by Apple nor by the security community. In addition, it is recommended to install iOS 13.4.5 when it is released.
In its statement, Apple wanted to make it clear that it takes researchers' reports into account, but said that the conclusion of this report could not be verified, at least for the time being.