Security News > 2021 > July > Microsoft researcher found Apple 0-day in March, didn’t report it

Microsoft researcher found Apple 0-day in March, didn’t report it
2021-07-29 18:20

Like almost all Apple security fixes, the update arrived without any sort of warning, but unlike most Apple updates, only a single bug was listed on the "Fix list," and even by Apple's brisk and efficient bug-listing standards, the information published was thin.

All we know is that Apple says that it "Is aware of a report that this issue may have been actively exploited".

Well, no sooner was Apple's pach out than security researcher Saar Amar added a whole new of splash of intrigue into the existing puddle of of mystery.

Saar Amar, who describes himself as working at MSRC and being into "Reversing, exploits, Windows internals, virtualization, [and] mitigations", tweeted that he'd discovered this very vulnerability back in March 2021, but hadn't had time to exploit it properly and therefore hadn't bothered to report it to Apple.

On the same day that Apple announced the fix for CVE-2021-30807, Saar Amar published a document on Github that had that very SHA-512 hash, as you can check for yourself.

Saar Amar says he put the basic vulnerability to one side in March because he intended to come back to it in August and to groom his code into a full-blown exploit before disclosing it to Apple as a "High-quality submission".


News URL

https://nakedsecurity.sophos.com/2021/07/29/microsoft-researcher-found-apple-0-day-in-march-didnt-report-it/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-10-19 CVE-2021-30807 Out-of-bounds Write vulnerability in Apple products
A memory corruption issue was addressed with improved memory handling.
local
low complexity
apple CWE-787
7.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5127 264 7774
Apple 68 212 1433 2208 257 4110