SecurityWeek

Apple Finds No Evidence of Attacks Targeting iOS Mail App Vulnerabilities

Apple has confirmed that its Mail application for iOS is affected by some vulnerabilities, but the tech giant has downplayed their impact and disputed claims that the flaws have been exploited in attacks.

Cybersecurity automation company ZecOps reported on Wednesday that it had identified a couple of critical zero-day vulnerabilities in the Mail app for iOS. The flaws, which the company says have existed since the release of iOS 6 in 2012, can be exploited to execute arbitrary code in the context of the application by sending a specially crafted email to the targeted user.

An attacker can leverage the vulnerabilities to view, modify or delete the victim’s emails. Combined with other flaws, it may be possible for a hacker to gain full access to a compromised device, ZecOps said.

While on iOS 12 some user interaction is required for exploitation (i.e. the victim has to open the malicious email), ZecOps noted that no user interaction is required on iOS 13.

ZecOps says it has seen evidence that at least one of the vulnerabilities has been exploited to target a Fortune 500 company, a VIP, executives, managed security service providers (MSSPs), and a journalist. Attacks have allegedly been launched since at least January 2018.

Apple says it has analyzed ZecOps’ report and determined that “these issues do not pose an immediate risk to our users.” The company said the researchers actually identified three issues in the Mail app, “but alone they are insufficient to bypass iPhone and iPad security protections.”

Apple also said that it found no evidence the vulnerabilities were used against its customers.

The tech giant has already addressed the flaws in iOS 13.4.5 beta, and the company plans on rolling out the patches to all users when it releases its next security updates.

Some members of the industry have also called into question ZecOps’ claims about the vulnerabilities being exploited in attacks, but the cybersecurity firm stands by its report and has promised to publish a follow-up blog post with additional details.

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications,” ZecOps said in its blog post. “While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

Related: Spyware Delivered to iPhone Users in Hong Kong Via iOS Exploits

Related: iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years

Related: Google Spots Attacks Exploiting iOS Zero-Day Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
