Apple Mail on iOS has two severe "zero-click" flaws
The eight-year-old vulnerabilities can be triggered by cyber criminals on iOS 13 without any user action
The Mail app on Apple’s flagship iOS operating system has been afflicted with two serious vulnerabilities that can allow a hacker to attack a device by sending emails that consume significant levels of memory.
Hackers have triggered two vulnerabilities in the Mail app, which have existed since iOS 6 was released in 2012, giving them the power to leak, modify or delete emails, according to findings by ZecOps. In addition, the flaws have been exploited in combination with another as-of-yet unidentified bug to gain full device access.
To initiate the attack, one would send an email message designed to cause a buffer overflow in the Mail app, which means the hacker can fill a block of memory beyond its capacity. These content of these emails, once sent, can then be deleted.
The receipt of an email triggers the code paths for both vulnerabilities, the first known as OOB Write and the second dubbed Remote Heap Overflow. When exploited in the wild, ZecOps researchers believe the OOB Write flaw was accidentally triggered while hackers were aiming to trigger the Remote Heap Overflow.
All iOS versions are vulnerable, including the Mail app on iOS 13.4.1, although the researchers haven’t been able to test versions prior to iOS 6. MacOS is not vulnerable to either flaw.
The vulnerability can be triggered remotely on iOS 13 when the Mail application is opened in the background. For iPhone users still on iOS 12, meanwhile, the attack requires a click on the email. If the hacker controls the email server, however, the attack can be triggered in a zero-click fashion in a similar way to how it’d be conducted on devices running iOS 13.
Researchers have identified several targets as having been attacked using the mechanism, including individuals from a Fortune 500 business in the US, a European journalist, and MSSPs from Saudi Arabia and Israel.
RELATED RESOURCE
Introducing VMDR: Vulnerability Management, Detection and Response
The all-in-one vulnerability management service
ZecOps began tracking the attacks being triggered from January 2018 on a device running iOS 11.2.2, with the same threat operators likely abusing the vulnerabilities now. It’s possible, moreover, that the attackers were using the vulnerabilities even earlier.
Following a routine iOS security probe, researchers found a number of suspicious events affecting the default Mail app. Following analysis, ZecOps discovered the exploitable vulnerability affecting iPhones and iPads, as well as multiple triggers in the wild, with targets including enterprise users, VIPs, and MSSPs over a prolonged period of time.
ZecOps reported the issue to Apple on 19 February, with the developer patching both flaws in a publicly available beta between 15 and 16 April.
-
Anthropic's Claude Cowork tool is coming to Microsoft CopilotNews The new Copilot Cowork tool will be made available through a new Microsoft 365 tier at the end of March
-
McLaren Racing's Dan Keyworth on how data drives F1 in 2026Interview With new rules to contend with and mounting sensor data, McLaren Racing has doubled down on in-house specialists and partner expertise
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Two Fortinet vulnerabilities are being exploited in the wild – patch nowNews Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
-
Everything you need to know about Google and Apple’s emergency zero-day patchesNews A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches
