News

Apple Denies iOS Mail Vulnerabilities Pose Any Immediate Threat, But a Patch Is on the Way

Apple, responding to a recent report on iOS Mail app vulnerabilities, denies that the issues pose an immediate risk to users.

Earlier this week cybersecurity firm ZecOps revealed that it had discovered two zero-day security vulnerabilities that affects Apple’s Mail app for iPhones and iPads.

ZecOps explains the vulnerabilities as follows:

  • The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory
  • The vulnerability does not necessarily require a large email – a regular email that is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods
  • Both vulnerabilities were triggered in-the-wild
  • The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device

Apple has responded to the report by saying the flaws do not pose an immediate threat to iOS Mail users:

“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”

The vulnerabilities are believed to affect all iOS software versions between iOS 6 and iOS 13.4.1. ZecOps reports that Apple has patched the security holes in the latest beta of iOS 13.4.5, which should be released sometime in the next few weeks. Until the patch is available, ZecOps recommends using a third-party email app like Gmail or Outlook, which do not include the vulnerabilities.

Chris Hauk

Chris is a Senior Editor at Mactrast. He lives somewhere in the deep Southern part of America, and yes, he has to pump in both sunshine and the Internet.