Watch out Apple users! The default mail app pre-installed on millions of iPhone and iPad has been found vulnerable to two critical flaws that could let remote hackers secretly take complete control over Apple devices just by sending an email to targeted individuals.
According to cybersecurity researchers at ZecOps, the vulnerabilities in question are out-of-bounds write and remote heap overflow issues, one of them is a dangerous ‘zero-click‘ flaw that can be exploited without requiring any interaction from the targeted recipients.
Both remote code execution flaws reside in the MIME library of the mail app that can get triggered while processing the email content. These flaws existed for the last 8 years since the release of iOS 6 and also affect the latest iOS 13.4.1.
What’s more worrisome is that multiple groups of attackers are already exploiting these flaws—for at least 2 years as zero-days in the wild—to target individuals from various industries and organizations, MSSPs from Saudi Arabia and Israel, and journalists in Europe.
“With very limited data, we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous,” the researchers said.
“While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as the main identifier.”
According to the researchers, it could be tough for Apple users to know if they were targeted as part of these cyber-attacks because it turns out that attackers delete the malicious email immediately after gaining remote access to the victims’ device.
“Noteworthy, although the data confirms that the exploit emails were received and processed by victims’ iOS devices, corresponding emails that should have been received and stored on the mail-server were missing. Therefore, we infer that these emails were deleted intentionally as part of an attack’s operational security cleanup measures,” the researchers said.
“Besides a temporary slowdown of a mobile mail application, users should not observe any other anomalous behavior.”
To be noted, on successful exploitation, the vulnerability runs malicious code in the context of the MobileMail or maild application, allowing attackers “to leak, modify, and delete emails.” However, to remotely take full control over the device, attackers need to chain it together with a separate kernel vulnerability.
ZecOps discovered these flaws and in-the-wild-attacks almost two months ago and reported it to the Apple security team.
At the time of writing, only the beta 13.4.5 version of iOS that was released last week contains security patches for both zero-day vulnerabilities.
For all iPhone and iPad users, a software patch will soon be available in an upcoming iOS update, but meanwhile, users are strongly advised to do not use built-in mail application; and instead switch to Outlook or Gmail apps.