There’s A New 0-Day Exploit For iOS Mail But Apple Already Has A Fix Coming
Apple has another security issue on its hands, with security group ZecOps sharing the news that two new vulnerabilities have been found in the Mail app in iOS 13. And to make matters worse, one of those vulnerabilities doesn’t need any input from the user to be triggered.
The findings were shared in a ZecOps blog post, where more information is available.
The most serious of the exploits affects users of iOS 12 and iOS 13 in their current state, although Apple has already fixed it in the latest beta build of iOS 13.4.5. We don’t know when that will be made available, but it’s likely that it will be sooner rather than later.
Worryingly, ZecOps says that it has found evidence that suggests both exploits have been used out in the real world, rather than just in a lab.
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13. Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).”
However, there is at least some good news. The security outfit notes that the emails needed to cause these kinds of problems are particularly large, with service providers often blocking them as a matter of course. Not all will, though, leaving people potentially at risk.
Thankfully, Apple already has the fix and just needs to make it available.