Zero-day vulnerabilities in iOS Mail are being actively exploited to target high-profile users

Old iPhone and new iPhone

Security firm ZecOps has published research about security vulnerabilities affecting iPhones and iPads. The critical flaws are yet to patched by Apple and are said to be actively used to target high-profile users such as journalists, employees of Fortune 500 companies and VIPs.

What's particularly worrying about the flaws is that they can be exploited by sending a message that appears to be blank. Opened in iOS Mail, the message can be used to run code and spy on activity without the need for any interaction from the victim. There is a suggestion that a nation-state could be involved.


See also:

According to ZecOps, the vulnerability is present in all versions of Apple's mobile operating system since iOS 6. The security firm also says that there is evidence that they have been under active exploitation since 2018, and possibly even earlier.

In a blog post about its finding, ZecOps says:

Following a routine iOS Digital Forensics and Incident Response (DFIR) investigation, ZecOps found a number of suspicious events that affecting the default Mail application on iOS dating as far back as Jan 2018. ZecOps analyzed these events and discovered an exploitable vulnerability affecting Apple's iPhones and iPads. ZecOps detected multiple triggers in the wild to this vulnerability on enterprise users, VIPs, and MSSPs, over a prolonged period of time.

The attack's scope consists of sending a specially crafted email to a victim's mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13. Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities -- in particular, the remote heap overflow -- are widely exploited in the wild in targeted attacks by an advanced threat operator(s).

ZecOps informed Apple about the vulnerabilities last month, and the iPhone-maker was unaware of the zero-days. The fact that no interaction is needed from a victim means that those who are targeted are extremely unlikely to know that anything has happened.

The security researchers say:

We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used "as-is" or with minor modifications (hence the 4141..41 strings).

While ZecOps refrains from attributing these attacks to a specific threat actor, we are aware that at least one "hackers-for-hire" organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.

So far, ZecOps is aware of numerous targets:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A Journalist in Europe
  • Suspected: An executive from a Swiss enterprise

Addressing the question of why it has chosen to go public with details of the vulnerabilities before a patch is available, ZecOps says:

  • These bugs alone cannot cause harm to iOS users -- since the attackers would require an additional infoleak bug & a kernel bug afterwards for full control over the targeted device.
  • Both bugs were already disclosed during the publicly available beta update. The attackers are already aware that the golden opportunity with MobileMail/maild is almost over and they will likely use the time until a patch is available to attack as many devices as possible.
  • With very limited data we were able to see that at least six organizations were impacted by this vulnerability -- and the potential abuse of this vulnerability is enormous. We are confident that a patch must be provided for such issues with public triggers ASAP.

While Apple is yet to publish a patch for all iPhone and iPad users, it is said that the beta version of iOS 13.4.5 addresses the vulnerabilities.

Image credit: Serge Cornu / Shutterstock

Comments are closed.

© 1998-2022 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.