An as-yet unpatched vulnerability has been discovered in the iOS version of Apple's Mail app that can be used to read a target's emails, the Finnish Transport and Communications Agency's National Cybersecurity Center announced yesterday.
The flaw was first reported by San Francisco-based ZecOps researchers last Wednesday and had not previously been disclosed to Apple. ZecOps believes "with high confidence" that these vulnerabilities have been exploited in targeted attacks by advanced threat operators, including attacks on six high-profile targets, such as individuals from a Fortune 500 company.
According to ZecOps, the vulnerability allows remote code execution via an ordinary email, even before the email has been downloaded completely. On iOS 13 it is enough for the Mail app to be open in the background; no click is needed. On iOS 12 the attack requires the victim to open the email. The flaw affects only the iPhone and iPad versions of the app, not the Mail client on Apple's desktop operating system.
Apple downplayed the flaws in a statement, announcing that:
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
Cybersecurity experts suggest that, until the flaw is fixed, iPhone and iPad owners use the browser-based Outlook client instead and disable the Exchange account in their device settings.