Microsoft researcher found Apple 0-day in March, didn't report it (Security News, July 2021)
Like almost all Apple security fixes, the update arrived without any sort of warning, but unlike most Apple updates, only a single bug was listed on the "Fix list," and even by Apple's brisk and efficient bug-listing standards, the information published was thin.
All we know is that Apple says that it "Is aware of a report that this issue may have been actively exploited".
Well, no sooner was Apple's patch out than security researcher Saar Amar added a whole new splash of intrigue into the existing puddle of mystery.
Saar Amar, who describes himself as working at MSRC and being into "Reversing, exploits, Windows internals, virtualization, [and] mitigations", tweeted that he'd discovered this very vulnerability back in March 2021, but hadn't had time to exploit it properly and therefore hadn't bothered to report it to Apple.
On the same day that Apple announced the fix for CVE-2021-30807, Saar Amar published a document on GitHub that had that very SHA-512 hash, as you can check for yourself.
Saar Amar says he put the basic vulnerability to one side in March because he intended to come back to it in August and to groom his code into a full-blown exploit before disclosing it to Apple as a "High-quality submission".
Related news
- Apple creates Private Cloud Compute VM to let researchers find bugs
- Apple Opens PCC Source Code for Researchers to Identify Bugs in Cloud AI Security
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel
- Week in review: Microsoft patches actively exploited 0-days, Amazon and HSBC employee data leaked
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-19 | CVE-2021-30807 | Out-of-bounds Write vulnerability in Apple products. A memory corruption issue was addressed with improved memory handling. | 7.8 |