Security researchers at cybersecurity company ZecOps have discovered two vulnerabilities which they believe are widely exploited in the wild to target iPhone and iPad users. The researchers discovered the bugs in the default iOS and iPadOS Mail app.
The bugs allow to run remote code in the context of MobileMail (iOS 12) or Mail (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails.
"Additional kernel vulnerability would provide full device access -- we suspect that these attackers had another vulnerability. It is currently under investigation," the San Francisco-based ZecOps said on Wednesday.
iOS 13 users at higher risk
What is more, on iOS 13, end-users do not require to perform any action for the exploitation to succeed. On iOS 12, the bug requires the victim to click on an email. If an attacker controls the mail server, the attack can be performed without any clicks on iOS 12 too, the researchers said.
Once the vulnerabilities are triggered or exploited, users should not observe any anomalous behavior besides a temporary slowdown of a mobile mail application, the researcher said. When the exploit fails on iOS 12, users may notice a sudden crash of the Mail application.
On iOS13, besides a temporary slowdown, it would not be noticeable. Failed attacks would not be noticeable on iOS 13 if another attack is carried afterward and deletes the email, they added.
"With very limited data we were able to see that at least six organizations were impacted by this vulnerability – and the potential abuse of this vulnerability is enormous," ZecOps said in a blog post.
Fix is underway
iOS is vulnerable to these bugs at least since iOS 6 – September 2012, ZecOps said, adding that it did not check earlier versions. MacOS is not vulnerable to these bugs, it added.
Following the discovery of the vulnerabilities, ZecOps said it alerted Apple in February.
Apple has patched both the bugs in the latest beta releases of iOS 13, while a fix is set to arrive in the next publicly available iOS update in iOS and iPadOS 13.4.5, reports AppleInsider.
"The newly released beta update of 13.4.5 contains a patch for these vulnerabilities. If you cannot patch to this version instead of using Mail application consider to use other mail applications until a GA patch is available," ZecOps said.