The American security researchers at ZecOps have disclosed a zero-day exploit in Apple Mail that the researchers say has existed since September 2012, the release date of iOS 6 and iPhone 5, at least. According to the research results, all iOS versions since iOS 6 are affected by the vulnerability, including iOS 13.4.1. Older versions could also be vulnerable to the exploit – ZecOps has so far simply not checked them. The results also show that attackers have been actively exploiting the vulnerability since January 2018 (iOS 11.2.2).-
The vulnerability in Apple Mail leads unsuspecting users to malicious codes on their iPhones, so that in the worst case, attackers can gain control over the victims’ devices. This is achieved by sending emails to iOS users that take up a lot of memory and “overload” the device, so to speak. The bugs are not sufficient for full control over the end devices – the attackers have to take further steps for this. However, changing, deleting and publishing e-mails is very possible.
Particularly worrying: According to ZecOps, iOS 13 users don’t even have to actively open the mail; it is sufficient if the mail app is open in the background. With iOS 12, the exploit is only triggered if the malicious emails are also clicked – unless the attacker has previously obtained access to the victim’s mail server. Only in the iOS beta 13.4.5 the gaps are closed.-
–
