Apple has confirmed that its Mail application for iOS is affected by some vulnerabilities, but the tech giant has downplayed their impact and disputed claims that the flaws have been exploited in attacks.
Cybersecurity automation company ZecOps reported on Wednesday that it had identified a couple of critical zero-day vulnerabilities in the Mail app for iOS. The flaws, which the company says have existed since the release of iOS 6 in 2012, can be exploited to execute arbitrary code in the context of the application by sending a specially crafted email to the targeted user.
An attacker can leverage the vulnerabilities to view, modify or delete the victim’s emails. Combined with other flaws, it may be possible for a hacker to gain full access to a compromised device, ZecOps said.
While on iOS 12 some user interaction is required for exploitation (i.e. the victim has to open the malicious email), ZecOps noted that no user interaction is required on iOS 13.
ZecOps says it has seen evidence that at least one of the vulnerabilities has been exploited to target a Fortune 500 company, a VIP, executives, managed security service providers (MSSPs), and a journalist. Attacks have allegedly been launched since at least January 2018.
Apple says it has analyzed ZecOps’ report and determined that “these issues do not pose an immediate risk to our users.” The company said the researchers actually identified three issues in the Mail app, “but alone they are insufficient to bypass iPhone and iPad security protections.”
Apple also said that it found no evidence the vulnerabilities were used against its customers.
The tech giant has already addressed the flaws in iOS 13.4.5 beta, and the company plans on rolling out the patches to all users when it releases its next security updates.
Some members of the industry have also called into question ZecOps’ claims about the vulnerabilities being exploited in attacks, but the cybersecurity firm stands by its report and has promised to publish a follow-up blog post with additional details.
“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications,” ZecOps said in its blog post. “While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”
Related: Spyware Delivered to iPhone Users in Hong Kong Via iOS Exploits
Related: iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years