Apple has long been appreciated for being highly secure. But, there’s a vulnerability existing in the iOS Mail app for past 10 years. This was reported by ZecOps, a San Francisco based firm that claims Apple’s Mail app in iOS to have a zero-click vulnerability, which means it doesn’t need any user interaction to get infected. Not only are they zero-days, but they are also zero-click.
While this vulnerability is considered serious and is still in wild, ZecOps says Apple’s new beta version comes with a patch for this issue.
One of the prime reasons for people choosing Apple products is security. The company has long maintained strict policies for safeguarding its users’ communication and data. But, ZecOps, a cybersecurity firm now claims a critical time vulnerability found in the Mail app of iOS. WSJ also reported the issue.
Editor’s Pick: iPhone 11: Everything you need to know
Unlike other vulnerabilities that at least require a users to open an email, the zero-click attack requires no user interaction at all. The company says the iOS Mail app can be breached with buffer overflow technique, which is by sending a bugged code to the Mail app to overfill the block memory of the app beyond its capacity.
This starts with a crafted email sent by a malicious attacker to the target, and the user doesn’t need to interact with it to get infected. ZecOps says the vulnerability exists in iOS versions 6 to the latest version 13.
It further presses that versions 12 and 13 are more prone to simple attacks, as just a mere reception of malicious email will infect the device. And with that access, a hacker can read/write emails and try impersonating you too.
Previously, any malware attack would need a user to open the email and click on any links or open the attachment to download the malware, but compromising with just a receiving of email is serious.
ZecOps further claims the vulnerability is in wild since a decade, and few exploits have happened too. While it didn’t reveal the victims’ list, at last, it hints about journalists and VIP persons from various countries be the victims.
ZecOps claims they’ve informed this issue to Apple last month, and the company’s latest update version 13.4.5 has a patch for rectifying this issue in the iOS Mail app. While this update was still in the beta phase, only developers can access it for now. So until the official rollout, ZecOps recommends users to disable the Mail app and use alternatives like Outlook or Gmail temporarily.
iOS Mail App Vulnerability Key Details:
- The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory
- The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods
- Both vulnerabilities were triggered in-the-wild
- The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device
- We are not dismissing the possibility that attackers may have deleted remaining emails following a successful attack
- Vulnerability trigger on iOS 13: Unassisted (/zero-click) attacks on iOS 13 when Mail application is opened in the background
- Vulnerability trigger on iOS 12: The attack requires a click on the email. The attack will be triggered before rendering the content. The user won’t notice anything anomalous in the email itself
- Unassisted attacks on iOS 12 can be triggered (aka zero click) if the attacker controls the mail server
- The vulnerabilities exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released
- The earliest triggers we have observed in the wild were on iOS 11.2.2 in January 2018