A security company which discovered iPhone Mail vulnerabilities claimed that they have been ‘widely exploited’ in real-world attacks. Apple has now denied this claim, stating that it could find ‘no evidence’ that the exploits have been used.
Additionally, it says that the vulnerabilities in question cannot bypass iPhone and iPad security safeguards …
Background on iPhone Mail vulnerabilities
Apple has acknowledged the three issues discovered by security group ZecOps, and has patched them in the iOS 13.4.5 beta, which should be released to the public soon.
However, ZecOps went on to claim that real-world attacks have been carried out by exploiting these vulnerabilities as far back as January 2018 (in iOS 11.2.2). It went so far as to give examples of specific individuals it believes were targeted using the exploit.
Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).
The suspected targets included:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A Journalist in Europe
- Suspected: An executive from a Swiss enterprise
Bloomberg reports that Apple not only says it can find no evidence to support this claim, but that the vulnerabilities are not sufficient to allow the reported attacks to succeed.
The U.S. company is countering assertions by cybersecurity company ZecOps Inc. that software flaws may have allowed hackers to infiltrate iPhones and other iOS devices for more than a year. Apple launched an investigation and said in a statement the mail issues were insufficient by themselves to allow cyber-attackers to bypass built-in security, adding it will issue a fix soon.
“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” the Cupertino, California company said. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”
The denial is not a complete refutation of the claim. It may be the case that the specific vulnerabilities alone cannot bypass security safeguards, but that they can be combined with existing exploits in order to do so. However, the denial is strongly worded, suggesting the Cupertino company does genuinely believe that no real-world attacks have taken place.