Apple Mail on iOS has two severe "zero-click" flaws

The eight-year-old vulnerabilities can be triggered by cyber criminals on iOS 13 without any user action

The Mail app on Apple’s flagship iOS operating system has been afflicted with two serious vulnerabilities that can allow a hacker to attack a device by sending emails that consume significant levels of memory.

Hackers have triggered two vulnerabilities in the Mail app, which have existed since iOS 6 was released in 2012, giving them the power to leak, modify or delete emails, according to findings by ZecOps. In addition, the flaws have been exploited in combination with another as-of-yet unidentified bug to gain full device access.

Advertisement - Article continues below

To initiate the attack, one would send an email message designed to cause a buffer overflow in the Mail app, which means the hacker can fill a block of memory beyond its capacity. These content of these emails, once sent, can then be deleted.

The receipt of an email triggers the code paths for both vulnerabilities, the first known as OOB Write and the second dubbed Remote Heap Overflow. When exploited in the wild, ZecOps researchers believe the OOB Write flaw was accidentally triggered while hackers were aiming to trigger the Remote Heap Overflow.

All iOS versions are vulnerable, including the Mail app on iOS 13.4.1, although the researchers haven’t been able to test versions prior to iOS 6. MacOS is not vulnerable to either flaw.

Advertisement
Advertisement - Article continues below

The vulnerability can be triggered remotely on iOS 13 when the Mail application is opened in the background. For iPhone users still on iOS 12, meanwhile, the attack requires a click on the email. If the hacker controls the email server, however, the attack can be triggered in a zero-click fashion in a similar way to how it’d be conducted on devices running iOS 13. 

Advertisement - Article continues below

Researchers have identified several targets as having been attacked using the mechanism, including individuals from a Fortune 500 business in the US, a European journalist, and MSSPs from Saudi Arabia and Israel.

Related Resource

Introducing VMDR: Vulnerability Management, Detection and Response

The all-in-one vulnerability management service

Download now

ZecOps began tracking the attacks being triggered from January 2018 on a device running iOS 11.2.2, with the same threat operators likely abusing the vulnerabilities now. It’s possible, moreover, that the attackers were using the vulnerabilities even earlier.

Following a routine iOS security probe, researchers found a number of suspicious events affecting the default Mail app. Following analysis, ZecOps discovered the exploitable vulnerability affecting iPhones and iPads, as well as multiple triggers in the wild, with targets including enterprise users, VIPs, and MSSPs over a prolonged period of time.

ZecOps reported the issue to Apple on 19 February, with the developer patching both flaws in a publicly available beta between 15 and 16 April. 

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

Apple hit with $1.4 billion Siri patent infringement lawsuit
Policy & legislation

Apple hit with $1.4 billion Siri patent infringement lawsuit

3 Aug 2020
Apple acquires startup to turn iPhones into payment terminals
Technology

Apple acquires startup to turn iPhones into payment terminals

3 Aug 2020
Big tech CEOs grilled by House Judiciary Committee’s antitrust panel
Policy & legislation

Big tech CEOs grilled by House Judiciary Committee’s antitrust panel

30 Jul 2020
Apple is under investigation for alleged deceptive practices
Policy & legislation

Apple is under investigation for alleged deceptive practices

24 Jul 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020