Apple vulnerabilities are hard to find, but when they are found, they’re astonishing. A new report from ZecOps revealed a critical vulnerability in the iOS Mail app which, if exploited, can let any remote attacker install and run malicious code without the user’s knowledge.
Though this may sound routine, it is a zero-click vulnerability, which means exploitation doesn’t need the user to interact with the email in any way. Merely receiving an email and partially viewing it can affect the app.
Even the latest version is prone to attack.
Initially reported by ZecOps and followed up by Malwarebytes, the iOS Mail app is prone to a buffer overflow, where an attacker can send an email carrying bugged code that forcibly fills a block of memory in Mail beyond its capacity. The issue was found in the Mail app from iOS version 6 to the latest, 13.4.1. ZecOps says it could exist in versions earlier than 6 too, but has not tested them. It’s terrible that even the latest version has this vulnerability.
The intriguing part is that iOS 12 and iOS 13 were found to be highly critical. According to ZecOps, on iOS 13 the operation, in which an attacker sends a malicious email with bugged code to overflow the Mail app, needs no interaction from the user. Thus, merely receiving an email from an attacker is enough for the malicious code to run behind the scenes. On iOS 12, the user only has to open the email to get infected. This doesn’t necessarily require clicking on any link or attachment.
Limited, but not safe
Once the device is infected, the attacker has the privilege to check, modify, and even delete email without the user’s knowledge. The attacker can also send an email to the user’s email address to impersonate the user. The good news is that the exploitation is limited to the Mail app only. Unless the attackers find another vulnerability in the device and try moving from the Mail app to others, it’s okay to assume the risk is limited to a single app.
This vulnerability was discovered in February this year, and Apple has already released a beta update, v13.4.5, but it is limited to developers only. You have to wait for an official rollout to patch this issue. Until then, try disabling the Mail app and using alternatives like Gmail, Outlook, or Proton Mail for a while.