By Chand Bellur
April 24, 2020 at 5:32 p.m. PT
- Three iOS Mail vulnerabilities, discovered by security firm ZecOps, may be exploited by malicious actors.
- Hackers may be exploiting the security flaws to execute malicious code on iOS devices.
- ZecOps claims to have definitive evidence that major corporate users were victims of cyber attacks caused by the vulnerabilities.
ZecOps Finds Three Security Flaws in iOS Mail
Apple develops operating systems, that, for the most part, feature strong security. Although Apple devices receive more attacks than others, typically, these exploits involve adware. MacBook and iPhone users don’t pay ransom for their devices. The much more egregious security issues plague other platforms.
As Apple’s operating systems grow, their codebase expands. Even with the best architectural design and code reviews, security flaws sneak into their products. Apple is well aware of this reality. They even have a bug bounty program, offering up to $1 million for discovering severe security flaws.
Unfortunately, this bounty has attracted a lot of security firms, seeking both revenues and publicity. Finding a security flaw in Apple products is monumental and rewarding. Some researchers insist these flaws have much more impact, which could earn them more significant rewards.
ZecOps, a cybersecurity firm, claims to have found three vulnerabilities in iOS mail. Malicious actors can execute remote code by merely sending large emails that overflow iOS memory. The security firm claims that the flaws affect major corporations as malicious users exploit the vulnerabilities in the wild.
Apple Denies ZecOps’ Claim of Successful iOS Mail Cyber Attacks
Apple admits that the flaws exist; however, they deny ZecOps’ stated impact. Apple countered ZecOps’ claim with the following statement:
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
The problem for Apple is that the ZecOps website has examples of how to exploit the flaw. They’ve done it and have some evidence of high profile victims. Apple contends the evidence shows tampering, but no successful exploit.
ZecOps cannot demonstrate a real-world harmful payload for the flaw, however. Their site merely shows how large emails set off a cascade of buggy behavior. Apple contends that people who have experienced this in the wild received large emails, instead of a malicious attack.
Whatever the case, it’s a good idea to update iOS. The next version, iOS 13.4.5, launches soon and addresses the security flaws. For now, if this issue is a concern, consider using a different email client. Gmail is an excellent alternative to iOS Mail. Users can also opt for a web-based client until the next iOS update is released.