Experts at cybersecurity firm ZecOps have discovered two zero-day vulnerabilities in iPhone and iPad devices that have been exploited in a series of attacks that targeted iOS high-profile users since at least January 2018.
The two zero-day vulnerabilities affect the default mailing app pre-installed on iPhones and iPads and could be exploited by remote attackers to take over the devices just by sending an email to any targeted individual with his email account logged-in to the vulnerable app.
The two critical vulnerabilities are an out-of-bounds write bug and a heap overflow issue respectively, both reside in the MIME library used in Apple’s mail app, they are an out-of-bounds write bug and second, is a heap overflow issue.
Experts pointed out that the second flaw requires no interaction for the exploitation.
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” explained ZecOps researchers. “Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability.”
The disconcerting aspect of the story is that both vulnerabilities existed in various models of Apple devices since the release of iOS 6 eight years ago, currently, they are yet to be fixed by the company.
Zecops revealed that several threat actors are already exploiting both issued in targeted attacks against high-profile individuals. Victims of the attacks are individuals from various industries and organizations, MSSPs from Saudi Arabia and Israel, and also journalists in Europe.
“While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as the main identifier.” continues the report.
“With very limited data, we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous,”
An attacker could exploit the flaws on iOS 13 without user interaction, while on iOS 12 victims have to click on the email to get hacked.
Experts added that to remotely take full control over the device, attackers have to chain the issue with a separate kernel vulnerability.
Apple users could mitigate the risk of exploitation by avoiding to use the device built-in mail application.
“The newly released beta update of 13.4.5 contains a patch for these vulnerabilities.” ZecOps concludes.
“If you cannot patch to this version, make sure to not use Mail application – and instead to temporarily use Outlook or Gmail which, at the time of this writing, were not found to be vulnerable,”.
Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – iPhones, zero-days)