A potentially scary exploit has been recently discovered in the default iOS Mail app, which is found on both iPhones and iPads.
This exploit checks just about all the boxes for something that is a big deal:
- the vulnerability has existed for awhile (since iOS 6 (8 years!))
- it’s in the default mail app (which is used by millions)
- it requires little (open a malicious email) to no interaction on the part of the user
- it’s only patched in the most recent 13.4.5 iOS beta
- it’s not obvious that anything bad has happened when the attack is carried out
This vulnerability was discovered by security firm ZecOps, and you can read more about their discoveries on their blog entry about the exploit.
Interestingly, Apple has pushed back against two important parts of the Mail exploit:
- That the vulnerability posed any sort of threat to iPhone or iPad users.
- That there has been any active exploit at all.
While Apple definitely has a motivation to downplay a vulnerability as serious as this, they aren’t the only one doubting the ZecOps report. Many of these recognize that the Mail app does have a bug, but it’s unclear if the bug could be exploited in the way ZecOps has claimed.
You can read a bit about Apple’s (and others) doubts about the ZecOps report over at Ars Technica. Once Apple has patched the bug, ZecOps has said that they will provide more information about the exploit.
Even if the exploit is as bad as ZecOps claims, there is a small amount of good news: this attack does appear to be highly targeted, so it’s unlikely that you’ll get random malicious emails. According to the original ZecOps report, targets so far appear to be high-ranking individuals from organizations like a North American Fortune 500 Company, a VIP from Germany, a journalist in Europe, etc.
Another small bit of good news, although this vulnerability existed in iOS since iOS 6, it looks like it wasn’t actively exploited until a couple of years ago – in the early days of 2018. Of course, it could be that it was used (and just not noticed) before then.
If you’re concerned, the simplest way to protect yourself right now is is by using a different mail app other than the default. It appears that free (and reputable) mail apps like Google’s GMail or Microsoft’s Outlook are not vulnerable to this exploit.
It will be interesting to see whether this was as bad as ZecOps claims. Time will tell!