Apple has denied that three severe flaws in its Mail app for iOS devices have been used to attack iPhone users, suggesting the flaw does “not pose an immediate risk”.
Researchers with ZecOps outlined in detail the mechanism by which two severe flaws in the in-built iOS Mail app had been used to attack individuals since at least January 2018.
The flaws, present in the flagship operating system since at least iOS 6 in 2012, allowed hackers to leak modify or delete emails. On one occasion, they were used in combination with a third unknown vulnerability to give cyber criminals full control of a device.
The alleged targets, identified by the researchers, included MSSPs and individuals from a Fortune 500 company, among other victims, although Apple has found no evidence that its users were attacked.
“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” Apple said in a statement, according to Reuters.
“The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”
ZecOps has stood by its initial research, however, suggesting in a response that several targets were indeed affected by the vulnerability, which has not yet been officially patched. The firm reported the issue to Apple on 19 February, with the developer issuing fixes in a publicly available iOS beta between 15 and 16 April.
“According to ZecOps data, there were triggers in-the-wild for this vulnerability for a few organisations,” the cyber security company said in response to Apple's statement.
RELATED RESOURCE
Introducing VMDR: Vulnerability Management, Detection and Response
The all-in-one vulnerability management service
“We want to thank Apple for working on a patch, and we’re looking forward to updating our devices once it’s available. ZecOps will release more information and POCs once a patch is available.”
To initiate the attack, a hacker would only need to send email messages that consumed significant amounts of memory in order to trigger a buffer overflow. This means the attackers could fill a block of memory beyond its capacity and overwrite areas that hold executable code, with their own malicious code.
The flaws can be exploited in a ‘zero-click’ fashion on iOS 13, meaning no user interaction would be needed, and attackers could trigger the pathways while Mail was running in the background. On iOS 12, by contrast, users would need to click on the malicious email messages received, unless the cyber criminals also controlled the email server.
All iOS versions are vulnerable, including iOS 13.4.1, although the researchers haven’t been able to test the Mail app on versions prior to iOS 6. MacOS is not vulnerable to either flaw.
-
Why keeping track of AI assistants can be a tricky businessColumn Making the most of AI assistants means understanding what they can do – and what the workforce wants from them
-
Nvidia braces for a $5.5 billion hit as tariffs reach the semiconductor industryNews The chipmaker says its H20 chips need a special license as its share price plummets
-
Open source security in the spotlight as UK gov publishes fresh guidanceNews The UK government has issued guidance on how organizations should manage their use of open source software components and mitigate supply chain risks.
-
86% of enterprise codebases contain open source vulnerabilitiesNews Research from Black Duck’s annual open source security report found 86% of codebases contained open source vulnerabilities.
-
Flaws in a popular dev library could let hackers run malicious code in your MongoDB databaseNews A popular third party library of MongoDB could allow attackers to execute malicious code on company servers.
-
Microsoft defends “negligent” security approach that prolonged vulnerability fix for five monthsNews The tech giant has refuted claims that its practices have left customers “in the dark”
-
Google patches second Chrome browser zero-day of 2022News Google acted quickly to secure against the type confusion vulnerability that was under active exploitation
-
Google Chrome update fixes zero-day under active exploitationNews Google releases a fresh wave of patches for severe vulnerabilities that could facilitate code execution and system takeover via Google Chrome
-
CISA updates must-patch bug list for federal agenciesNews Latest collection includes bugs up to seven years old that are still exploited in the wild
-
Visa card holders using Apple Pay warned of payment exploit that bypasses user authenticationNews Commuters are being urged to disable Apple Pay express transit mode for Visa cards
