Skip to main content

iOS Mail has 'critical' security flaws

(Image credit: StockSnap/Pixabay)

Germany's federal cybersecurity agency has issued a warning urging all iOS users to install Apple's latest security updates which patch two zero-click security vulnerabilities that impact the company's default email app.

The vulnerabilities were first discovered by the US-based security firm ZecOps which found that they were being actively exploited in attacks targeting iOS users since at least January of 2018. Apple has acknowledged the security flaws though the company says it has found “no evidence they were used against customers”.

In its warning, BSI (Bundesamt für Sicherheit in der Informationstechnik) stressed the importance of installing the updates immediately, saying:

“Apple has released security updates with iOS 12.4.7, iOS 13.5 and iPadOS 13.5 that fix the vulnerabilities for all affected iOS versions. Due to the criticality of the vulnerabilities, the BSI recommends that the respective security update be installed on all affected systems immediately.”

No-click vulnerabilities

Both of the security flaws affecting Apple's Mail app are no-click vulnerabilities which result from a memory consumption issue and they can be triggered after the app processes a maliciously crafted message. The first vulnerability, tracked as CVE-2020-9819, could lead to heap corruption while the second vulnerability, tracked as CVE-2020-9818, may lead to unexpected memory modification or application termination.

Fortunately Apple addressed the flaws with the release of iOS 13.5 and iPadOS 13.5 which offer improved memory handling and bounds checking. The vulnerabilities affect iPhone 6S and later, iPad Air 2 and later, iPad mini 4 and later and the iPod touch 7th generation, according to the iOS 13.5 security release notes.

In a blog post, ZecOps explained how a nation-state threat operator leveraged the vulnerabilities to attack high-profile targets, saying:

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications (hence the 4141..41 strings). While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

While high-profile targets are the most at risk, it is still highly recommended that all iOS users install Apple's latest security updates to avoid falling victim to any potential attacks that exploit the two vulnerabilities.

Via BleepingComputer