The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Apple to Patch iOS Mail Zero Day

by Chris Brook on Thursday April 23, 2020

Contact Us
Free Demo
Chat

Apple said this week that it will fix two vulnerabilities affecting iOS 6 through 13.4.1 that could let an attacker leak, modify, and delete user email.

Apple said this week it will fix an email vulnerability that exists in iOS on both iPhones and iPads that could open the devices up to attack.

It's been estimated the vulnerability, which is present in Apple's default email software, exists in more than half a billion devices.

The firm that disclosed the exploit, ZecOps, said this week the vulnerability could let attackers steal data like photos and contacts off iPhones remotely and that it could also give an attacker access to confidential messages on the device via the Mail app. ZecOps, which bills itself as a cybersecurity automation company, is encouraging users to stop using iOS' default Mail app until the fix is pushed widespread.

“The vulnerability allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails," the company wrote in a lengthy recap of the vulnerability on its blog. "Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability. It is currently under investigation.”

The company's CEO Zuk Avraham said his company discovered the bug while looking into a sophisticated cyberattack against one of its clients - reportedly at a Fortune 500 organization in North America - and suggested it could have been exploited in at least six other attacks, including attacks against an executive from a carrier in Japan, and a VIP from Germany, and MSSPs from Saudi Arabia and Israel, to name a few.

Apple told publications this week that the vulnerability did exist on its software for email on iPhone and iPads and that its already developed a fix due for release soon. In its writeup, ZecOps thanks Apple’s product security and engineering team for pushing a beta patch in iOS version 13.4.5, available here for users who download and use beta releases.

On iOS 13, the flaw can apparently be triggered just by sending a blank email. The email software automatically downloads the message and a user doesn't even need to open it in order to exploit the vulnerability. On iOS 12, a user needs to click on an email - unless the attacker controls the mail server, ZecOps writes. As part of the attack, researchers believe the emails are intentionally deleted after they're processed by the device.

The researchers point out that it's unlikely the vulnerabilities on their own would pose a threat to an iOS user. It would require some additional legwork, namely an information leak bug and a kernel bug, in order to gain full control of a targeted device.

Even so, the attacks are fairly tailored and it's unlikely a user on iOS 13 would realize they're being attacked. On iOS 12, a user might notice a sudden crash of the Mail app.

A write up on the vulnerability suggests the vulnerability has existed in iOS versions dating back to iOS 6 (2012) but that it was first seen exploited in iOS 11.2.2 in January 2018.

The researchers claim there's actually a second vulnerability, a remote heap overflow in MFMutable, that could reveal the hidden memory location. Both bugs stem from the same problem however: not handling the return value of the system calls correctly.

Awaiting details of the vulnerability has been somewhat of a waiting game. Rumors of the exploit were rampant on Twitter for almost two weeks days prior to the company’s disclosure. Patrick Wardle, an ex-NSA researcher who's skilled at finding Apple 0days and analyzing macOS malware, posted a series of emojis on Twitter hinting at the bug on April 10.

While ZecOps’ blog on the vulnerabilities has a time stamp of Monday, news of the bugs was circulated via major publications, like Reuters and the Wall St. Journal on Wednesday.

Tags: Vulnerabilities, Apple

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.