Zero-click and zero-day vulnerabilities in iOS Mail ‘exploited to hijack’ VIP smartphones. Apple rushes beta patch

%1$s', sprintf( '', esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ), esc_attr( sprintf( __( 'View all posts by %s', 'generatepress' ), get_the_author() ) ), esc_html( get_the_author() ), get_avatar( get_the_author_meta( 'ID' ) ) ) ); $time_string = ''; if ( get_the_time( 'U' ) !== get_the_modified_time( 'U' ) ) { $time_string = $time_string . ''; } $time_string = sprintf( $time_string, esc_attr( get_the_date( 'c' ) ), esc_html( get_the_date() ), esc_attr( get_the_modified_date( 'c' ) ), esc_html( get_the_modified_date() ) ); printf( '%1$s', // WPCS: XSS ok, sanitization ok. sprintf( '%3$s', esc_url( get_permalink() ), esc_attr( get_the_time() ), $time_string ) ); if ( ! is_single() && ! post_password_required() && ( comments_open() || get_comments_number() ) ) { echo ''; comments_popup_link( __( 'Comments', 'generatepress' ), __( '1 Comment', 'generatepress' ), __( '% Comments', 'generatepress' ) ); echo ''; } ?>


Update Apple has reportedly fixed a pair of critical vulnerabilities in iOS that are exploited by what appear to be government-backed hackers to spy on high-value targets. Think of senior management, journalists, managed security service providers and the like.

ZecOps Bods this week claimed bugs are buried in the iOS Mail app and can be abused to perform remote code execution without the victim ever needing to open a booby-trapped message. The device only has to receive and process incoming email, specially designed to exploit Apple's programming errors, and malicious code embedded in the message will be executed, we are told. This code can then potentially spy on and meddle with the victim's online activities.

“We believe that these attacks correlate with at least one threat operator from a nation-state or a nation-state who purchased the exploit from a third-party researcher as Proof of Concept (POC) and used” as is “or with minor modifications,” said the ZecOps team.

“Although ZecOps refrains from attributing these attacks to a specific threat actor, we are aware that at least one” for-hire hackers “organization sells exploits using vulnerabilities that exploit e-mail addresses. mail as the primary identifier. ”

We are told that bugs have been present in iOS since version 6, released in 2012. ZecOps said it noticed hackers exploiting weaknesses in January 2018 in version 11.2.2. Now they have determined that iOS 13.4.1 and below are all vulnerable. iOS 13 is the latest major version officially available.

According to infoec biz, the vulnerabilities are a pair of out-of-bounds heap and overflow errors that are triggered when a malformed email is recovered by Mail. Although the flaws themselves only grant hackers limited access to the compromised device, they can be chained with exploits for kernel-level security flaws that increase access to the entire iThing , we are told. It is believed that the hackers used a privilege escalation exploit at the kernel level.

Here is the technical description:

More importantly, the researchers said that in iOS 13, the attack can be carried out when Mail automatically downloads messages in the background, which means that no user interaction is required: the data is extracted , analyzed and bugs exploited immediately. iOS 12 is slightly more secure, apparently, because the user would have to tap the email to retrieve it and trigger exploitation. That said, we are told: “If an attacker controls the mail server, the attack can also be carried out without any click on iOS 12.”

Apple Safari icon

Flaw hunter saves Apple $ 75,000 after cheating Safari to spy on iPhone and Mac devices without permission


While there are currently no official official fixes for the reported bugs, we are told that the freshly released beta version of iOS 13.4.5 fixes both flaws, so a non-beta update from Apple should arrive. soon. ZecOps said it alerted Apple to the holes last month after witnessing their exploitation in the wild, hence the appearance of a beta version that fixes the problem.

If you can't fix, ZecOps advises those who are worried about attacking using another email client and disabling Mail.

It was Noted by Jann Horn of Google Project Zero, that the operating evidence disclosed by ZecOps may have been false to zero bytes encoded in base64. ZecOps CEO Zuk Avraham insisted his team had discovered evidence of a successful operation.

In the context of iOS, flaws in the execution of arbitrary code are often exploited either intentionally by the user to jailbreak their devices, or secretly by criminals to put surveillance software and other malicious software on the devices. Interestingly, the researchers note that exploits for both flaws can be done before the full message loads, which means that spies could potentially cover their tracks by deleting the poisoned messages before the user even knew about it. what happened.

“Remarkable, although the data confirms that exploit emails were received and processed by victims' iOS devices, the corresponding emails that should have been received and stored on the email server were missing,” said they. “Therefore, we infer that these emails were intentionally deleted as part of the operational security clean-up of the attack.”

It should be reiterated that these reported attacks are limited in scope and targeted only a small set of high-value targets.

That said, it would be wise to keep an eye out for iOS updates over the next week and install them quickly, as these types of bugs will often attract copy attacks from other cyber crooks. And, as mentioned above, if you are concerned, deactivate Mail on your iThing and use another client if possible. ®

Updated to add

Apple has minimized the threat of the vulnerabilities discovered, but said it would release an official bug fix in due course.

Office 365 client-to-client migration tips


Notify of
Inline Feedbacks
View all comments