Zero day vulnerability in Mojave

chscag

Joined
Jan 23, 2008
I believe Apple is aware of this. Keep in mind that this guy is no ordinary hacker and has worked for the NSA.
 
Joined
Jan 1, 2009
A zero day vulnerability is one that is unknown to those folks who would implement something to prevent it being used. So the zero day vulnerability in the article means that no antivirus creators can plug the hole because they don't know it's there. The NSA guy who found it says he wants to report to Apple, but doesn't know how to do that (really? Has he tried just calling Apple?) so the vulnerability isn't known to Apple, either. When they know about it, it won't be zero day anymore, and once they patch it, it won't be a vulnerability anymore. You can read more at Wikipedia if you search for zero-day.
 
Joined
Feb 1, 2011
Honestly I don't know what a zero day vulnerability is, but I'm guessing it's not good.

It's simply a freshly discovered potential vulnerability in software, in this case the Mac OS.

The thing is, new potential vulnerabilities are found in operating systems constantly. You can go to certain Web sites and see a list of them as they are found. Apple has internal Web pages with lists of them as they are found and they prioritize which ones need a more or less urgent time frame for dealing with it.

New potential vulnerabilities have ZERO relevance to end users. Why? Because until they are exploited (i.e. malware is written to take advantage of them), they present no problem to end users. And it is extremely likely that each and every potential vulnerability will NEVER be exploited.

Once a new potential vulnerability is found, a race is, figuratively speaking, on between the developer to patch it, and sociopaths who write malware to exploit the potential vulnerability. In this race, the developer has a huge advantage. First because it's usually way easier and faster to patch an OS than it is to create a successful exploit. (Exploits tend to be fairly complex.) And second, an exploit doesn't just take a long time to create, it usually costs the bad guys a lot of money to create them. So, as you can guess, the bad guys are at quite a disadvantage at this. Especially since if they fail to create a viable exploit in time to take advantage of the potential vulnerability before it is patched, they may never realize any ill-gotten gains from their exploit and they may end up deeply in debt. (Most exploits these days are written to swindle money out of users.)

Add to this that the sociopaths who write exploits (malware) KNOW that Apple is very good about patching the Mac OS for security purposes when necessary. So they don't have a huge incentive to jump on any potential vulnerability unless they are the only ones that know about it (which means Apple doesn't know to patch it preemptively). This is rarely the case. There are "white-hat" hackers who look for potential vulnerabilities and report them to Apple for just this reason.

So...all of this is, at best, academic to end users. It will more than likely never affect them. It's nice fodder for anti-virus companies to use to try and scare you into purchasing anti-virus software that you don't need. But it isn't something that end users even have to think about.
 

Raz0rEdge

Joined
Jul 17, 2009
A zero day vulnerability is one that is unknown to those folks who would implement something to prevent it being used. So the zero day vulnerability in the article means that no antivirus creators can plug the hole because they don't know it's there. The NSA guy who found it says he wants to report to Apple, but doesn't know how to do that (really? Has he tried just calling Apple?) so the vulnerability isn't known to Apple, either. When they know about it, it won't be zero day anymore, and once they patch it, it won't be a vulnerability anymore. You can read more at Wikipedia if you search for zero-day.

Actually Jake, what the hacker wants is a bounty for having found the bug as opposed to just reporting it. :) Apple doesn't do that since they've switched over to the public beta process for their OS', so a lot of bugs are actively being discovered and addressed.
 
Joined
Jan 1, 2009
Ashwin, the article says:
Since there is no public macOS bounty program to report the vulnerabilities, Wardle said on Twitter that he's still looking for a way to report the flaw to Apple.
That implies that he's not looking necessarily for a bounty, just that no program exists and he has no clue how to report this to Apple. Again, really? Has he not got a telephone? Email to Tim Cook? Letter to Apple at their corporate address? Bug reporting process?
 

Raz0rEdge

Joined
Jul 17, 2009
Ashwin, the article says: That implies that he's not looking necessarily for a bounty, just that no program exists and he has no clue how to report this to Apple. Again, really? Has he not got a telephone? Email to Tim Cook? Letter to Apple at their corporate address? Bug reporting process?


If you look at the screenshot, it's a little bit of Developer humor. So he's being sarcastic! :)
 
