When the next version of iOS 13 drops, you’ll want to update right away. That’s because it will contain a patch for potentially serious security vulnerabilities inside Apple’s Mail default Mail app.
According to research from ZecOps, a small start-up based in San Francisco, California, the two vulnerabilities are ‘zero-day’ and one is a ‘zero-click’ vulnerability. For those unfamiliar with the terms, zero-day security flaws are those that exist in software or hardware and are unknown to manufacturers. Since zero-days for Apple’s locked-down ecosystem are hard to come by, these exploits can be worth millions of dollars.
Zero-click vulnerabilities, on the other hand, require no user interaction to utilize. In other words, an attacker that targets you with a zero-click flaw would not need you to do anything. No clicking on sketchy links or downloading files. ZecOps says the zero-click they discovered is especially dangerous because attackers can exploit it remotely. The startup notified Apple of its findings at the end of March.
A patch for the vulnerabilities is on the way
Both iOS 13 and the previous iOS 12 release are affected by the flaws. However, Apple has already patched the issue in the recent iOS 13.4.5 beta and it should roll out to the public soon. Currently, those on the latest iOS version are using iOS 13.4.1.
The exploits only work with the default iOS Mail app, which means that those using third-party apps like Gmail shouldn’t have to worry. It’s unclear if someone using a Gmail email address with the default Mail app would still be vulnerable. Attackers can exploit the flaw by sending an oversized email to a target. Again, the victim doesn’t have to interact with the email, only receive it for the attack to work. ZecOps notes that some email providers may block such an email.
If attackers successfully execute the exploit, iOS 13 users may experience a temporary slowdown of the Mail app but no other indication. iOS 12 users, on the other, may see the Mail app crash, but that would be the only indication. A follow-up attack can also remove the email from a victim’s device to cover attackers’ tracks.
Vulnerabilities were exploited in the wild, but not on a mass scale
Ultimately, it appears the flaws aren’t ‘polished’ attacks and are more like a cyber smash-and-grab. In an in-depth report from Motherboard about the vulnerabilities, experts told the publication that sophisticated spy agencies would likely deem this kind of exploit too risky for use on a high-value target.
That said, ZecOps believes the flaws were actively exploited in the wild, but not on a mass scale. Instead, attackers chose specific targets to use the exploits on. However, if you believe you were targetted by the attack, deleting the default Mail app from your iPhone could help.
Further, the vulnerabilities could resurface debate over whether Apple is doing enough to secure the iPhone platform. Some believe Apple should make changes to iOS that would allow security researchers more access and improve their ability to detect and stop security flaws. And while Apple has done more in recent months to help security researchers, it continues to keep iOS under a tight lock.
Source: ZecOps, Motherboard Via: 9to5Mac
