A new critical security flaw in Apple devices has been identified by ZecOPS researchers. According to them, the flaw allows iPhones and iPads to be hacked through the native email application, ‘Mail’.
According to the researchers, the vulnerability allows an attacker to execute malicious code and remotely infect a device. They explain that a simple email can consume so much RAM that the app becomes unusable.
These “traps”, as reported, can give an attacker access to read, modify or delete the victim’s emails. The suspicion is that attackers may combine this flaw with one that grants control of the device.
ZecOPS’ analysis identified that the vulnerability affects, for example, devices since iOS 6 (released in 2012), but that it has been exploited since 2018 on iOS 11.2.2. In this version of the system, the attacker can trigger an attack that even needs the email to be opened, and “the user won’t notice anything unusual” in usage.
The flaw can also be triggered on iOS as a zero-click attack, for example when the app is open in the background.
As highlighted, the flaw is not exploited extensively by attackers, but rather in targeted attacks. “The scope of the attack is to send a specially crafted email to the victim’s inbox,” researchers say. Among the likely targets identified, they highlight:
Individuals from a North American ‘Fortune 500’ Organization
An executive from a shipping company in Japan
An important figure from Germany
Managed Security Services Companies (MSSPs) from Saudi Arabia and Israel
A journalist in Europe
Suspected target: an executive of a Swiss company
Fault already “fixed”
The researchers informed Apple about the crash in late March, and the company released a fix in the iOS 13.4.5 beta on April 15th and 16th. As of this writing, this version of the system has not been released to the public.
ZecOPS warns that to work around the vulnerability, “you can use the latest beta version available” or “consider using other email applications until a patch is available”. The analysis identified that Macs are not affected.
They note that on iOS 13, users do not need to take any action for the vulnerability to be exploited. On iOS 12, the victim has to click on the malicious email. “If an attacker takes control of the email server, the attack can also be carried out without a single click on iOS 12,” the researchers say.
The researchers are still investigating how an attacker could use an additional kernel vulnerability that would “provide full device access”.
At this point, it’s best to stop using the Mail app until iOS 13.4.5 becomes available. Currently, the public version of the system is at version ‘13.4.1’.