A Turkish expert who discovered a security vulnerability that Apple patched in its 10.2 update has claimed that iPhones are vulnerable to a heap overflow bug.
Speaking to Siber Bülten in an exclusive interview, Celil Ünüver said: “We discovered two vulnerabilities in iOS. The first, harmless according to us, was a null pointer dereference. We wanted to report this to Apple to get a reference. It took 2-3 months for Apple to patch this. The other, a heap overflow, we consider worthy but did not report it to Apple as we wanted to keep it a zero-day.”
The heap overflow bug could allow malicious code to run on targeted Apple products.
Apple released an update, iOS 10.2, on December 12, 2016 to patch a null pointer dereference, among many other issues. The company said that processing a maliciously crafted font file may lead to unexpected application termination.
The bug was addressed “through improved input validation,” according to Apple. That bug affected iPhone 5 and later models, 4th generation and later iPads, and the iPod touch (6th generation and later).
Ünüver, a co-owner of the Izmir-based security firm TRAPMINE, a subsidiary of SignalSEC, stressed that his company had found a double free bug in Windows Mobile systems in 2010.
“That bug could be exploited through an SMS that would let a code work from a distance,” Ünüver said, adding that “it was one of the first bugs that was detected in Windows Mobile.”
SignalSEC is a research company that provides information security services. The company said it has been working with respected corporations in Europe, the Middle East and Africa since 2011. SignalSEC has also provided consultancy and training services to banks, GSM carriers, CERT, and military and police institutions.
Ünüver said he tried to draw attention to vulnerabilities present in mobile systems during a conference held in Switzerland in 2011.
During his presentation on “Threats On Your Smartphone,” Ünüver said hackers’ new target would be media players in smartphones, adding that he had predicted the Stagefright vulnerability, which was discovered in 2015 in Android smartphones, four years earlier.