iOS Mail app zero-day exploit discovered; Apple to roll out fix soon [updated with official statement]

For now, using a different email client is the only workaround until Apple releases the iOS 13.4.5 build.

Highlights
  • The vulnerability allows remote code execution and enables attackers to harm a device by sending emails that consume a significant amount of memory
  • The exploit doesn’t apply to the Gmail or Outlook iOS apps, but it isn’t clear if emails sent to Gmail accounts and opened through Apple’s Mail app are also vulnerable
  • ZecOps hasn’t found evidence of the exploits being used for mass attacks; instead, they are used only in targeted ones

A new software vulnerability has reportedly been discovered in iOS 13 that works via the default Mail app on iPhone and iPad. Security firm ZecOps claims that one of the two vulnerabilities is a zero-click exploit that doesn’t require user interaction and can be performed remotely. The vulnerability apparently allows remote code execution and enables attackers to harm a device by sending emails that consume a significant amount of memory. The latest iOS 13 public beta release is affected as well, but Apple has patched the flaws in the recent iOS 13.4.5 beta.

ZecOps says that it has discovered evidence of the attacks being used in the wild and believes the vulnerabilities to be widely exploited. The attacker sends an email to a victim, which enables the attacker to trigger the vulnerability in the iOS Mail application. The report says the emails that were sent are then deleted by the hackers after being used to access target devices. “Noteworthy, although the data confirms that the exploit emails were received and processed by victims’ iOS devices, corresponding emails that should have been received and stored on the mail-server were missing. Therefore, we infer that these emails were deleted intentionally as part of attack’s operational security cleanup measures,” the report said.

However, one limitation of the exploit is that it requires a relatively large email, which can be blocked in certain cases. Luckily, the exploit doesn’t apply to the Gmail or Outlook iOS apps, but it isn’t clear whether emails sent to Gmail addresses and opened through the Apple Mail app are also vulnerable. A Motherboard report notes that ZecOps hasn’t found evidence of the exploits being used for mass attacks; instead, they are used only in targeted ones. For now, using a different email client is the only workaround until Apple releases the iOS 13.4.5 build.

[Update] We now have an official statement regarding the reported vulnerability from an Apple spokesperson:
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”