Apple to Patch iOS Mail Zero Day
Apple said this week that it will fix two vulnerabilities affecting iOS 6 through 13.4.1 that could let an attacker leak, modify, and delete user email.
Apple said this week it will fix an email vulnerability that exists in iOS on both iPhones and iPads that could open the devices up to attack.
It's been estimated the vulnerability, which is present in Apple's default email software, exists in more than half a billion devices.
The firm that disclosed the exploit, ZecOps, said this week the vulnerability could let attackers steal data like photos and contacts off iPhones remotely and that it could also give an attacker access to confidential messages on the device via the Mail app. ZecOps, which bills itself as a cybersecurity automation company, is encouraging users to stop using iOS' default Mail app until the fix is pushed widespread.
“The vulnerability allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails," the company wrote in a lengthy recap of the vulnerability on its blog. "Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability. It is currently under investigation.”
The company's CEO Zuk Avraham said his company discovered the bug while looking into a sophisticated cyberattack against one of its clients - reportedly at a Fortune 500 organization in North America - and suggested it could have been exploited in at least six other attacks, including attacks against an executive from a carrier in Japan, and a VIP from Germany, and MSSPs from Saudi Arabia and Israel, to name a few.
Apple told publications this week that the vulnerability did exist on its software for email on iPhone and iPads and that its already developed a fix due for release soon. In its writeup, ZecOps thanks Apple’s product security and engineering team for pushing a beta patch in iOS version 13.4.5, available here for users who download and use beta releases.
On iOS 13, the flaw can apparently be triggered just by sending a blank email. The email software automatically downloads the message and a user doesn't even need to open it in order to exploit the vulnerability. On iOS 12, a user needs to click on an email - unless the attacker controls the mail server, ZecOps writes. As part of the attack, researchers believe the emails are intentionally deleted after they're processed by the device.
The researchers point out that it's unlikely the vulnerabilities on their own would pose a threat to an iOS user. It would require some additional legwork, namely an information leak bug and a kernel bug, in order to gain full control of a targeted device.
Even so, the attacks are fairly tailored and it's unlikely a user on iOS 13 would realize they're being attacked. On iOS 12, a user might notice a sudden crash of the Mail app.
A write up on the vulnerability suggests the vulnerability has existed in iOS versions dating back to iOS 6 (2012) but that it was first seen exploited in iOS 11.2.2 in January 2018.
The researchers claim there's actually a second vulnerability, a remote heap overflow in MFMutable, that could reveal the hidden memory location. Both bugs stem from the same problem however: not handling the return value of the system calls correctly.
Awaiting details of the vulnerability has been somewhat of a waiting game. Rumors of the exploit were rampant on Twitter for almost two weeks days prior to the company’s disclosure. Patrick Wardle, an ex-NSA researcher who's skilled at finding Apple 0days and analyzing macOS malware, posted a series of emojis on Twitter hinting at the bug on April 10.
While ZecOps’ blog on the vulnerabilities has a time stamp of Monday, news of the bugs was circulated via major publications, like Reuters and the Wall St. Journal on Wednesday.