The default, pre-installed email application on millions of iPhones and iPads is exposed to two critical zero-day vulnerabilities that criminal hackers have been exploiting for at least two years to spy on high-profile victims.
These flaws are serious enough to allow criminal hackers to secretly take complete control of an Apple device simply by sending an email to any individual whose email account is configured in the vulnerable app.
According to the researchers, the bugs in question are remote code execution defects that reside in the Apple app’s MIME library: the first is an out-of-bounds write, while the second is an overflow.
Although both vulnerabilities are triggered while the content of an email is being processed, the second flaw is more dangerous because it can be exploited ‘zero-click’, that is, without any interaction from the victim.
A “new” problem from 8 years ago
According to the researchers, both defects have been present in iPhone and iPad models for the last 8 years, specifically since the release of iOS 6, and unfortunately they also affect the current iOS 13.4.1, with no patch yet available for the regular (non-beta) releases.
What is even more worrying is that several groups of criminal hackers are already exploiting these vulnerabilities to target individuals from various industries and organizations, MSSPs in Saudi Arabia and Israel, and journalists in Europe.
Even with a limited research sample, the team that reported the issue was able to see that at least six organizations were affected by this vulnerability, but its reach could be many times larger …
Even more worryingly, a ready-to-use package for this attack has already been put up for sale on the Dark Web.
Adding to the danger of this attack, it may be difficult for Apple users to know whether they have been targeted, because the attackers have been found to delete the malicious emails immediately after gaining remote access to the victim’s device.
In fact, even though the data confirm that the exploit emails were received and processed by the victims’ iOS devices, the corresponding messages that should have been received and stored on the mail server were missing. The conclusion is that these emails were intentionally deleted as part of the attackers’ operational security cleanup.
Apart from a temporary slowdown of the mobile Mail application, users would not observe any other abnormal behaviour.
Note that once successfully exploited, the vulnerability executes malicious code in the context of the MobileMail or maild process, allowing attackers to leak, edit and delete emails.
However, to take full control of the device remotely, attackers must chain it with a separate kernel vulnerability.
Nothing has yet been said about the type of malware the attackers have used against their targets, but they are believed to be exploiting these flaws in combination with other kernel bugs to spy on their victims.
No patches available yet
The researchers discovered the flaws nearly two months ago and reported them to the Apple security team.
At the time of writing, only the iOS 13.4.5 beta, released just last week, contains security patches for both zero-day vulnerabilities.
For millions of iPhone and iPad users, a public software patch will become available with the release of the next iOS update.
In the meantime, Apple users are strongly advised not to use the email application built into their smartphone and to temporarily switch to the Outlook or Gmail apps instead.