Apple Scrambles to Patch Old iOS Mail Bugs

A pair of unpatched vulnerabilities in Apple iOS have been quietly exploited for months—possibly years. They let an attacker silently read your email. Scary.

The bugs have existed since 2012. Not only are they zero-days, but they’re also zero-click.

Apple has a beta patch ready, but nothing for regular users yet. In today’s SB Blogwatch, we uninstall Mail.app.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: dance like an idiot.


Apple iOS 0-click 0-day

What’s the craic? Lorenzo Franceschi-Bicchierai reports—“iPhone Zero-Day Hack in the Wild”:

 ZecOps [said] a few of its customers were targeted with two zero-day exploits for iOS last year. Apple will patch the vulnerability underlying these attacks on an upcoming release of iOS 13.

The attack shows, once again, that iPhones can be hacked. … One of the two vulnerabilities … can be used by an attacker against anyone on the internet, and the target gets infected without any interaction. [They] are not patched yet [but] Apple says the ZecOps zero-days have been patched in the latest iOS beta.

Independent experts who reviewed [the] research believe the firm’s assessment. … On the other hand, this is not as polished a hack as others, as it relies on sending an oversized email.

The disclosure of these hacks is likely to reignite the debate over whether Apple is doing enough to secure the iPhone. … If you’re worried about someone using this zero-day against you, delete the default Mail app from your phone.

And Shaun Nichols adds—“Zero-click, zero-day flaws in iOS Mail”:

 A pair of critical vulnerabilities in iOS … are being exploited by what appears to be government-backed hackers to spy on high-value targets. Think senior executives, journalists, managed security service providers, and similar.

[They] can be abused to achieve remote code execution without the victim ever needing to open a booby-trapped message. … The attack can be performed when Mail automatically downloads messages in the background. … No user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately.

We’re told the bugs have been present in iOS since version 6, released in 2012. … iOS 13.4.1 and below are all vulnerable. … Keep an eye out for iOS updates over the next week or so, and promptly install them.

Horse’s mouth? ZecOps’ Zuk Avraham and chums descend into AOhell—“You’ve Got (0-click) Mail!”:

 We surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s). … Targets included: Individuals from a Fortune 500 organization in North America, an executive from a carrier in Japan, a VIP from Germany, MSSPs from Saudi Arabia and Israel, a Journalist in Europe.

We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade. … We are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.

Both bugs were already disclosed during the publicly available beta update [so we are] disclosing these bugs. … The attackers are already aware that the golden opportunity … is almost over and they will likely use the time until a patch is available to attack as many devices as possible.

The potential abuse of this vulnerability is enormous. … We hope that with making this information public it will help to promote a faster patch.

Wow, shouldn’t Apple be doing a better job? ArmoredDragon lights the flame:

 From where I see it, their security mostly relies on a simultaneously anti-competitive app whitelist model.

And EnviableOne does not envy the job of IT:

 Yet again. Another reason iThings are not enterprise devices.

But is it really that bad? It’s only a bug in one sandboxed app. Put the needle on the Analog Kid and the drumbeat goes like this: [You’re fired—Ed.]

 This is a place where sandboxing is insufficient. Generally the sandbox means a user breaching an app can only access data from that app, but if that apps data is all of my email that’s a freaking treasure trove.

This sounds like a pretty big bug to have been lurking through 7 versions of iOS.

But phearnomore says it isn’t so:

 Nah. I remember so time ago there was a Windows bug which was unpatched for ~20 years. **** happens to everyone.

Meanwhile, Euler gives zero ****s:

 Overly used jargon does have negative consequences. It doesn’t communicate what you specifically want it to, shuts the greater audience out of the conversation. And, quite frankly, takes more effort to educate everyone on the terminology.

‘Unpatched security flaw’ is just as easy to say as “Zero-day hack” and carries a lot less presumptions that may or may not be true.

And Finally:

Hopefully this rule also holds for Dad-dancing

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image sauce: Paulo Henrique (cc:by)

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 171 posts and counting.See all posts by richi