Security Experts:

Connect with us

Hi, what are you looking for?



Zero-Day Vulnerabilities in iOS Mail App Exploited in Targeted Attacks

The Mail application in iOS is affected by two critical zero-day vulnerabilities that appear to have been exploited in targeted attacks since at least January 2018, cybersecurity automation company ZecOps reported on Wednesday.

The Mail application in iOS is affected by two critical zero-day vulnerabilities that appear to have been exploited in targeted attacks since at least January 2018, cybersecurity automation company ZecOps reported on Wednesday.

According to ZecOps, the vulnerabilities have existed since iOS 6, a version released in 2012. The company reported its findings to Apple in February and March, and notified the tech giant of attacks exploiting the flaws. The vendor has patched the weaknesses in iOS 13.4.5 beta. Other email apps for iOS, such as Gmail and Outlook, do not seem to be impacted so using these applications is recommended for preventing attacks until Apple rolls out the patch to all users.

The vulnerabilities, described as out-of-bounds write and heap overflow issues, affect the MobileMail application on iOS 12 and maild on iOS 13, and they can be exploited by sending specially crafted emails to the targeted user. Exploitation of the flaws can result in remote code execution in the context of the targeted application, allowing the attacker to view, modify or delete emails.

ZecOps researchers believe that the threat actors who exploited these flaws also combined them with a kernel vulnerability that may have given them full access to the compromised device.

The attack does not require any user interaction on iOS 13 (i.e. zero-click attack); opening the Mail app in the background is enough to trigger the exploit. On iOS 12, the targeted user needs to click on the malicious email to trigger the exploit — zero-click attacks are possible on iOS 12 if the attacker can control the mail server.

“Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s),” ZecOps said in a blog post.

The cybersecurity firm says it’s aware of attacks aimed at individuals at a North American Fortune 500 company, a VIP from Germany, an executive from a carrier in Japan, a journalist based in Europe, managed security service providers (MSSPs) in Israel and Saudi Arabia, and possibly an executive at a Swiss organization.

ZecOps researchers determined that exploitation can result in a temporary slowdown or a crash of the email application, but victims should not see other suspicious behavior. Moreover, the attacker can delete the malicious email after exploitation to cover their tracks.

“We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications,” ZecOps said. “While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier.”

ZecOps has released technical information about the vulnerabilities and attacks, and it soon plans on publishing proof-of-concept (PoC) exploit code as well.

Related: Spyware Delivered to iPhone Users in Hong Kong Via iOS Exploits

Related: iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years

Related: Google Spots Attacks Exploiting iOS Zero-Day Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.