iOS Has A Mail Exploit That Is Unpatched…. Should You Worry?

The news came out last week that a company called ZecOps found a vulnerability in iOS Mail that has no fix and that has likely been exploited in the wild:

The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13. Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).

The suspected targets included:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan 
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A Journalist in Europe
  • Suspected: An executive from a Swiss enterprise

That’s pretty scary. And Apple served up a response basically saying that there’s nothing to see here:

“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” the Cupertino, California company said. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”

However security researchers disagree with Apple’s assessment:

The fact that Apple has been unable to independently verify that the bugs were exploited in the wild is not surprising, says Patrick Wardle, a former National Security Agency analyst and Apple security researcher at the firm Jamf.

“It is unlikely that if this vulnerability was used in highly targeted attacks that Apple would find evidence of such attack,” Wardle says. “Either way, it would be helpful for Apple to articulate how they came to this conclusion.”

Even the crudest zero-click attacks leave little trace, which makes tracking them an issue. Security analysts say that in many cases, the very features that make software more secure often make zero-click attacks harder to detect.

The only good news is that iOS 13.4.5 which is in beta at the moment has a fix for this. But the question is, should you be worried?

Yes. You should be worried.

This is a zero day exploit. Now that it is public, any limited usage of this exploit is about to skyrocket as miscreants try to figure out how to leverage this exploit. Thus Apple would be smart to get a fix for this out ASAP to protect their user base. If they don’t, they are basically leaving their user base insecure. And that’s not acceptable. So Apple, please step up to the plate and do what is right for your users.

6 Responses to “iOS Has A Mail Exploit That Is Unpatched…. Should You Worry?”

  1. […] Straight Talk About Information Technology From A Nerd Who Speaks English « iOS Has A Mail Exploit That Is Unpatched…. Should You Worry? […]

  2. […] bug where a specific combination of characters would cause iOS devices to crash. The other was a zero day exploit in Mail that is likely being exploited as you read this. This likely has created a lot of bad press for Apple as people like yours truly have reported on […]

  3. […] to crash, or even worse force you to restore from a backup. And possible it was also going to fix a zero day iOS Mail exploit that is allegedly being exploited. Well, as I type this it is Friday at 2:21 PM EST and no patch […]

  4. […] is also a zero day iOS Mail exploit that is allegedly being exploited […]

  5. […] might recall that I’ve been covering a rather nasty exploit in iOS Mail that has been exploited in the wild. Now this and one other security issue was promised to be fixed by Apple a couple of weeks ago. But […]

  6. […] few minutes ago, Apple released iOS 13.5 which addresses  a zero day iOS Mail exploit which despite what Apple thought, was so serious that Germany said that the flaw was critical […]

Leave a Reply to We Now Have Proof That Apple Has Completely Lost The Plot When It Comes To Security | The IT Nerd Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: