Two critical zero-day vulnerabilities have been identified in the iOS Mail application that have been exploited by threat actors in attacks on high-profile targets since at least January 2018.
The flaws were identified by the cybersecurity firm ZecOps, which traced them back to iOS 6, released by Apple in 2012, although it is possible that they were introduced in an earlier version of the Mail app. The vulnerabilities have been described as an out-of-bounds write and a heap overflow, both of which can be exploited remotely by sending a specially crafted email to a targeted individual. The flaws are present in the MobileMail process on iOS 12 and the maild process on iOS 13 and affect both iPhones and iPads. Successful exploitation allows remote code execution in the context of the mail application, giving an attacker the ability to read, modify, and delete emails.
The attack on iOS 13 does not require any user interaction. All that is required is for the mail program to be operating in the background. Attacks on iOS 12 require the victim to click on a specially crafted email. It is likely that the exploit could be performed without the user being aware of the attack. All that is likely to occur is a slowing down of the mail application or, potentially, the attack could cause the mail application to crash. The attackers can delete the malicious email after the exploit has been triggered to hide the attack.
If the attack fails, on iOS 12, the message will be displayed as “This message has no content” in the inbox, but failed attempts to exploit the flaw would be undetectable on iOS 13.
The flaws could be paired with a kernel vulnerability to give the attackers full access to a vulnerable device, and the researchers believe that the threat group(s) exploiting the flaws have chained them with another vulnerability in this way.
Exploitation of the flaws was detected during a routine iOS Digital Forensics and Incident Response (DFIR) investigation. Further investigation revealed the exploit had been used against individuals at an unnamed Fortune 500 company, a journalist in Europe, a VIP in Germany, an executive from a carrier in Japan, and potentially an executive from a Swiss enterprise.
While the identity of the threat group has not been determined, the nature of the attacks and the selection of high-profile individuals strongly suggest the attackers are part of a nation-state-sponsored hacking group, and potentially more than one. The researchers suggest a third-party researcher may have developed a proof-of-concept exploit for the vulnerabilities and sold it to nation-state hackers.
The researchers reported the flaws to Apple in February and March, and Apple has now released a patch for the flaws in iOS 13.4.5 beta 2, which was released on April 15. Apple is expected to release a patch for other iOS versions in the next few days.
“If you cannot patch to this version, make sure to not use Mail application – and instead to temporarily use Outlook or Gmail which, at the time of this writing, were not found to be vulnerable,” said ZecOps.