Researchers from cybersecurity firm ZecOps have discovered a critical security bug in the Apple Mail app.
The bug is worse than ever because of the following points:
- It is a 0-click bug.
- The bug is in the default mail app, which means millions of iPhone and iPad users are affected.
- It is a Remote Code Execution bug.
- The bug has existed for almost 8 years, since the iOS 6 release.
In a report published today, ZecOps said the attack is a zero-click exploit that doesn't require users to interact with the email, with the exploit triggering once the user receives the email or the user opens the Apple Mail app.
"The vulnerability allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13)," the ZecOps team said. "Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails."
This bug doesn't trigger in Gmail or any other mail app. A successful exploit doesn't grant control over the full device, as that also needs another iOS kernel vulnerability.
According to the researchers, both flaws have existed in various models of iPhone and iPad for the last 8 years, since the release of iOS 6, and, unfortunately, also affect the current iOS 13.4.1, with no patch update yet available for the regular versions.
ZecOps noted that multiple groups of attackers have already been exploiting these flaws for at least 2 years as zero-days in the wild to target individuals from various industries and organizations.
The company said that until today it had detected exploitation attempts against targets such as:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A journalist in Europe
- Suspected: An executive from a Swiss enterprise
ZecOps researchers reported the bug to the Apple security team on February 19. Apple published a patch for this bug on April 15, with the release of iOS 13.4.5 beta.
Apple hasn't pushed the patch update for this bug yet, but it may be seen soon in an upcoming iOS update.
Until then, Apple users are strongly advised not to use their smartphones' built-in mail application and instead to temporarily switch to the Outlook or Gmail apps.