There is no evidence for any of the above scenarios; they are provided as examples of the different reasons the researcher may have chosen to remain anonymous. It may have been that the security and intelligence agencies had a need to exploit the vulnerability, but having done so chose to disclose it to Apple so that it could be fixed.

Alternatively, it could be that the vulnerability was reported by a Western government with a vulnerabilities equity process, such as the UK's National Cyber Security Centre, a part of GCHQ. If so, revealing that they knew about the attack - by attributing the disclosure to a name associated with the victim - could provide the attacker with some feedback about their offensive operation. Potentially, it could also be that the researcher works for a company or government organisation that was targeted through this vulnerability. There could be a number of reasons for them doing so, including simply that they didn't want the attention that the report would have brought them. The researcher who reported the vulnerability chose to remain anonymous. This is why it is so important to install the latest security updates. However, now that the vulnerability is publicly known, it could be that criminals reverse engineer the security update and target members of the public who haven't yet updated their devices. There are also important security reasons to update to iOS 16. This limited time in which a vulnerability can be exploited also impacts the market dynamics for selling, purchasing and using such tools.

All of this means that before the vulnerability was discovered by Apple - when it was a "zero day" vulnerability because the vendor had zero days to develop the patch - it would likely not be used for general targeting. Apple's iOS 16.4 upgrade is finally here, along with a bunch of brilliant new iPhone features.
Offensive cyber tools like exploits for serious vulnerabilities like this don't last forever.

As soon as the vulnerability is discovered then the software vendor can begin developing a fix for it - and any attempt to exploit the vulnerability risks revealing that it exists. Within the cyber security world, the ability to execute code on a victim's device just by making them open a web page is extremely rare and powerful.

As a simple matter of supply and demand, the exploit could have been purchased for a lot of money - and if so, then it would likely have been used to attack a high-value target.