Security researchers say the iPhone has a serious flaw in the native iOS Mail app that makes it vulnerable to hackers, according to a report released Wednesday by San Francisco-based ZecOps.
The flaw had not previously been revealed to Apple, making it extremely valuable to a variety of bad actors. ZecOps says it believes “with great confidence that these vulnerabilities … are widely exploited in nature in attacks directed by an advanced threat operator or operators.”
ZecOps believes that at least six high-profile targets were victims of the exploit, including an executive from a mobile phone operator in Japan and “people from a Fortune 500 company in North America.” ZecOps declined to name the victims for privacy reasons, and says it was unable to obtain the malicious code because the hackers remotely deleted the email messages.
“The scope of the attack is to send a specially crafted email to the victim’s mailbox allowing them to activate the vulnerability in the context of the iOS MobileMail app on iOS 12 or maild on iOS 13,” the report read. ZecOps says the vulnerability, which underlies at least two iOS-related zero-day exploits, has been around in the Mail app since at least iOS 6, which launched in 2012.
At this time, however, ZecOps does not appear to have evidence of the exploits being used that it feels comfortable sharing publicly, leading some security researchers to question the validity of the claim. That includes Jann Horn, a researcher at Google’s Project Zero cybersecurity project:
@ZecOps his writing reads “Suspicious events included strings commonly used by hackers (eg 414141 … 4141)”, but that’s also what it looks like when you simply encode nullbytes with base64; and this is MIME parsing, so you are likely to see base64 encoded data
– Jann Horn (@tehjh) April 22, 2020
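Horn's observation can be checked directly. The following is an added example, not code from ZecOps' report or from Horn: it shows that base64-encoded null bytes appear as runs of 0x41 in a hex dump, and classifies a byte pattern copied from a crash log accordingly. The function names and sample values are constructed for illustration.

```python
import base64
import binascii

# Bytes that can legitimately appear in base64 text, padding included.
B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def null_bytes_as_hex(count):
    """Hex dump of `count` null bytes after base64 encoding, as a crash log would show it."""
    return base64.b64encode(b"\x00" * count).hex()

def triage_pattern(hex_string):
    """Classify a byte pattern copied from a crash log.

    Returns (verdict, decoded); decoded is None unless the bytes are valid base64.
    """
    try:
        raw = bytes.fromhex(hex_string)
    except ValueError:
        return ("not hex", None)
    if not raw or any(b not in B64_CHARS for b in raw):
        return ("not base64 text", None)
    # A logged value is usually a window into a longer buffer,
    # so judge only the whole 4-character base64 groups.
    usable = raw[: len(raw) - len(raw) % 4]
    if not usable:
        return ("too short to judge", None)
    try:
        decoded = base64.b64decode(usable, validate=True)
    except binascii.Error:
        return ("not valid base64", None)
    if not decoded:
        return ("not valid base64", None)
    if decoded.count(0) == len(decoded):
        # 'A' is base64 value 0, so zeroed memory encodes to "AAAA..." (0x41 repeated).
        return ("consistent with base64-encoded null bytes", decoded)
    return ("base64 of non-zero data", decoded)

if __name__ == "__main__":
    print(null_bytes_as_hex(6))                      # forward direction
    for sample in ("4141414141414141", "deadbeef"):  # constructed samples
        print(sample, "->", triage_pattern(sample))
```

A run of 0x41 in a MIME-handling crash therefore fits both explanations, deliberate "AAAA" filler and ordinary encoded zero bytes, and needs other evidence to tell them apart.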
In any case, what makes this particular exploit so dangerous in theory is that it doesn’t require the victim to download a file or visit a malware-infested website. Instead, all that is required to remotely execute code on a victim’s iOS device is for the Mail app to receive the email and for the victim to open the message.
ZecOps says it reproduced the results of the hack in its lab after being alerted by suspicious crashes on customers’ iPhones last summer. It then reported the vulnerabilities to Apple last month, and ZecOps says Apple has already patched the vulnerability in the latest beta version of iOS. Fixes are expected to arrive for the non-beta version of iOS in an update for all users in the coming weeks. Apple declined to comment on the findings.
“To mitigate these problems, you can use the latest available beta version. If a beta version is not possible, consider disabling the Mail application and use Outlook or Gmail that are not vulnerable,” writes ZecOps.