Hackers can just send emails and breach into your iPhones and iPads
William Marshal
Posted On April 23, 2020
Apple iPhones and iPads come with a default email app called ‘Mail’, which has become another zero-day topic for today. Security researchers from ZecOps have detected two new critical vulnerabilities that are actively being exploited in the wild. The hackers have just to send out an email to the targeted user account and boom they are inside your Apple devices.
According to ZecOps, these vulnerabilities are remote code execution flaws in the app’s MIME library, the first vulnerability is because of the out of bounds write issue and the second is for a heap overflow. Although users’ actions are intended for the first vulnerability, the second one can be exploited with zero actions from the victim, delivering the mail to the inbox will be all sufficient to breach into user devices.
Six organizations become victim to this vulnerability
Security researchers believe this attack is existing in the app for almost 8 years now, and has been affecting iOS 6 and iOS 13.4.1 version, the recent one. Considering apple is yet to release a patch for these critical vulnerabilities, the situation is little serious. Additionally, multiple hacking groups are already taking advantage of these zero-days to target high profile individuals, industries, organizations, MSSPs, and MSP from Saudi Arabia, Europe and Israel.
ZecOPs researchers have identified six organizations have become victim to this vulnerability exploitation in the wild, and that is only based on the data that they had, and the situation could actually be even worse.
What is even more scary about this vulnerability?
Hackers just need an email id to get inside your Apple device using the email app vulnerability, however if the victims are looking to identify anything fishy on their inbox, the email sent for breaching the device can be deleted as soon as the hacker has successfully breached the device. Victims will experience an unknown crash of the email app once the hack is achieved. After hackers are inside the device, the can remotely do anything, including stealing, encrypting, modifying and deleting of the devices. This is because, hackers can deploy other malware into the system, and also spread across a network using a kernel vulnerability, if present.
How to fix these zero-day vulnerabilities?
The recently released version of iOS 13.4.5 version holds the fix for these vulnerabilities, so please update to the latest version of iOS if the update is shown in your devices. Moreover, for other versions of iOS, patches will be available soon, so please ensure your email app is updated first before others. The ZecOps researchers have already reported these flaws to Apple, and the patch could be available anytime soon. IT managers, please ensure you set a reminder for these zero-day vulnerabilities and deploy them as soon as it is made available.
However, until the patch gets released, it is better to use other mail apps.
It is not even a day, since we discussed about IBM’s four new zero-day vulnerabilities, and here is Apple with another two zero-days. Please deploy the patches as soon as they are made available.
Note: macOS is not vulnerable to these vulnerabilities, these are pertaining to iOS only.
Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit.
