Zero-Day Warning: Hacking iPhone Just by Sending Emails
The default mail app pre-installed on countless iPhones and iPads has been found to contain two critical flaws that attackers have been exploiting in the wild for at least the last 2 years to spy on high-profile victims.
The flaws could eventually allow remote attackers to secretly take control of Apple devices just by sending an email to any targeted individual whose email account is signed in to the vulnerable app.
According to cybersecurity researchers at ZecOps, the bugs in question are remote code execution (RCE) flaws that reside in the MIME library of the Apple mail app: the first is an out-of-bounds write, and the second is an overflow issue.
Although both flaws are triggered while processing the content of an email, the second is more serious because it can be exploited with ‘zero-click,’ where no interaction is required from the intended recipients.
8-Year-Old Apple Zero-Days Abused in the Wild
According to the investigators, both flaws have been present in various iPhone and iPad models for the past 8 years, since the release of iOS 6, and, unfortunately, they also affect the current iOS 13.4.1, with no patch yet available for regular versions.
More worryingly, many groups of attackers have already been exploiting these vulnerabilities for at least 2 years to target people from various industries and organizations, MSSPs from Saudi Arabia and Israel, and journalists in Europe.
‘With very little information, we have been able to see that a minimum of six organizations are affected by this weakness – and therefore the total number of abuse cases is huge,’ the cybersecurity researchers said.
‘While ZecOps denies that the attack has been targeted by a selected threat maker, we all know that a minimum of one ‘hackers-for-hire’ organization sells exploits using weaknesses that purchase email addresses as the primary symbol.’
According to cybersecurity researchers, it would be difficult for Apple users to know if they were targeted as part of this cyber attack because it turns out that attackers deleted the malicious email immediately after gaining remote access to the victim’s device.
‘Noteworthy, although details confirm that malicious emails were received and processed by the victims’ iOS devices, the corresponding emails that should have been received and stored on the mail server did not exist. Therefore, we conclude that these emails were removed deliberately as part of an attack’s working security clear out measures,’ the cybersecurity researchers said.
‘In addition to the temporary delays of the mobile email application, users do not notice other abnormal behaviors.’
Successful exploitation of the vulnerabilities lets malicious code run in the context of the MobileMail or maild application, allowing attackers to “leak, alter and delete emails.”
However, to remotely control the device, attackers need to chain these flaws with separate kernel vulnerabilities.
Although ZecOps has not yet provided details on what kind of malware the attackers were using to target users, it believes that the attackers exploited the flaws together with other kernel issues to effectively spy on their victims.
Be Careful! No Patch Is Currently Available
The cybersecurity researchers noticed an attack and found the vulnerabilities related to it about two months ago, and reported them to Apple’s security team.
At the time of writing, only the beta version 13.4.5 of iOS, released just last week, contains security fixes for both zero-days.
For millions of iPhone and iPad users, a patch will soon be available with the release of the next iOS update.
Meanwhile, Apple users are strongly advised not to use their smartphone’s built-in mail app and to temporarily switch to the Outlook or Gmail apps instead.