iPhones are vulnerable to zero-day vulnerabilities in Apple Mail. picture: zecops
–
New security holes endanger iPhone and iPad users – so you can protect yourself
Beware of anyone using Apple’s email app on their iPhone or iPad. Because security researchers warn of two serious gaps. Criminals have been reported to have been exploiting them for a long time.
US security researchers warn of gaps in Apple’s mail app for iPhones and iPads. Criminals can use two undetected vulnerabilities in the application to load malicious code onto the device. An attacker is given access to the mail app, but can also take over the entire iPhone or iPad if a kernel vulnerability is known, reports the security company ZecOps.
For devices with the current iOS 13.4.1, it is sufficient if users receive a manipulated email. A user action is not required, which is what makes the gap so dangerous. Under iOS 12 this only works if the attacker also has control over the mail server, otherwise the victim would first have to be made to open the manipulated email (which is not a very high hurdle).
Swiss company allegedly among the victims
The security company writes that the gap, which is valuable for hackers and secret services, was or is used specifically against people such as managers, journalists or VIPs. A high-ranking manager of a Swiss group is said to be among the victims, writes ZecOps.
iOS users find out nothing about the attack. However, the iOS app may crash under iOS 12, and may work slower under iOS 13. If the attacks fail, users can receive emails with messages such as “This message has no content”, ZecOps report in a blog post.
Gap exists since iOS 6
According to ZecOps, the gap should have existed since iOS 6, i.e. for about 8 years. The operating system appeared with the iPhone 5. However, ZecOps can only trace the first attacks on the vulnerability to the iOS 11.2.2 operating system from January 2018.
Update not yet available (for everyone)
ZecOps has informed Apple about the vulnerability, but an update is not yet available. Apple only closed the gap in iOS beta version 13.4.5.
So how should you protect yourself? You can either no longer use Apple’s mail app (deactivate mail synchronization) or install the beta version of iOS 13.4.5. As usual with beta versions, you do this at your own risk.
ZecOps advises users to avoid Apple’s mail app until Apple delivers an update. Well-known alternatives are Gmail and Outlook. When this update will be made available via the automatic update function is currently unclear.
Vulnerability information is typically not released until the manufacturer has updated its device. However, ZecOps argues that Apple has disclosed details of the vulnerability in the information about beta update 13.4.5.
Security researchers fear that attackers will increasingly exploit the vulnerability before Apple releases an update for all users. “We hope that the release of this information will help the patch to be released faster,” writes ZecOps in a blog post.
(oli / avr / t-online.de)
Since you have scrolled this far, we assume that you like our journalistic offer. As you may know, we have each other recently decidednot to require a login at watson. There will also be no payment barriers with us. We do not want to create any obstacles to access to watson because we believe that in a democracy everyone should be able to get information easily and at any time. If you still want to support us with a small amount, please do so here.
—
–
