The native iOS Mail app that comes pre-installed on iPhones and iPads has been found vulnerable to a serious flaw that allows remote attackers to hack the devices just by sending an email to any targeted individual with their email account logged-in to the vulnerable app.
According to ZecOps researchers, two zero-day vulnerabilities have been exploited in the wild in the series of attacks aimed at iOS high-profile users since at least January 2018, with individuals from a Fortune 500 organization in North America, MSSPs from Saudi Arabia and Israel, and journalists in Europe being among the targets.
“While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier,” the researchers said.
“Noteworthy, although the data confirms that the exploit emails were received and processed by victims' iOS devices, corresponding emails that should have been received and stored on the mail-server were missing. Therefore, we infer that these emails were deleted intentionally as part of an attack's operational security cleanup measures. Besides a temporary slowdown of a mobile mail application, users should not observe any other anomalous behavior.”
The attack involves sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13.
The vulnerabilities in question are remote code execution flaws that reside in the MIME library of Apple's mail app. The first vulnerability exists due to boundary error when processing email in the iOS MobileMail. A remote attacker can send a specially crafted email message, trigger an out-of-bounds write and execute arbitrary code on the target system. The second bug is a heap-overflow bug.
The researchers say that all iOS versions released since 2012 (iOS 6) are vulnerable, including iOS 13.4.1. The experts did not test iOS versions prior to iOS 6, but they believe they are also might be affected by these flaws.
Apple has addressed both bugs in iOS 13.4.5 beta, if installing a beta version is not possible, users are advised to disable Mail app and use alternative email apps such as Outlook or Gmail instead.