A new potentially serious software vulnerability has been discovered in iOS 13 that works via the default Mail app on iPhone and iPad. The security group ZecOps (via Motherboard) says that one of the two vulnerabilities is a zero-click exploit (no user interaction needed) that can be performed remotely.
ZecOps detailed its findings in a blog post and the most serious vulnerability of the two affects even the latest iOS 13 public release (iOS 12 too). However, Apple has patched the flaws in the most recent iOS 13.4.5 beta that should be released to the public soon.
The zero-click exploit works through the default iOS Mail app and is potentially dangerous as a user doesn’t need to tap or click anything to have their device compromised:
The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory.
ZecOps says that it has discovered evidence of the attacks being used in the wild and believes them to be be “widely exploited.”
The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13. Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).
The report details that it appears the nefarious emails sent are then deleted by the hackers after using them to access targets’ devices.
Noteworthy, although the data confirms that the exploit emails were received and processed by victims’ iOS devices, corresponding emails that should have been received and stored on the mail-server were missing. Therefore, we infer that these emails were deleted intentionally as part of attack’s operational security cleanup measures.
One weakness in the flaw is that it requires a relatively large email, which may be blocked in some cases. The founder of ZecOps, Zuk Avraham noted that the exploit doesn’t apply to Gmail or Outlook iOS apps but it’s not clear if Gmail opened through the Apple Mail app are also vulnerable.
On the other hand, this is not as polished a hack as others, as it relies on sending an oversized email, which may get blocked by certain email providers. Moreover, Avraham said it only works on the default Apple Mail app, and not on Gmail or Outlook, for example. (Google did not respond to a request for comment asking whether it would block such emails. Microsoft declined to comment.)
As noted by Motherboard, ZecOps hasn’t found evidence of the exploits being used for mass attacks but rather targeted ones. But if you are concerned about the potential security and privacy issue, you can use another email app until iOS 13.4.5 is publicly released.
For all the fine details on these exploits, read the full post by ZecOps here.