Apple says iOS Mail vulnerabilities do not pose immediate threat, patch coming

AppleInsider · April 24, 2020 2:55AM

Apple on Thursday responded to reports concerning the discovery of two zero-day vulnerabilities found in its Mail app for iOS, saying the unpatched flaws do not pose an immediate threat to users.

On Wednesday, security firm ZecOps published a report claiming the discovery of two previously unknown Mail vulnerabilities that, if exploited, allow attackers to remotely access, modify or delete user emails.

As detailed by ZecOps, attackers can exploit the iOS bug by sending specially crafted emails that trigger faults, enabling them to run remote code. While the attack requires a user to click on the malicious email in iOS 12, it becomes a zero-click, or unassisted, vector when Mail is opened in the background in iOS 13.

In existence since iOS 6, the flaws have been triggered in the wild as part of targeted attacks, including individuals from a Fortune 500 company, an executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist, ZecOps said.

Apple on Thursday denied the severity of the situation in a statement to Bloomberg's Mark Gurman, who subsequently shared the company's official response in a tweet.

Apple take all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.

Apple went on to say it values input from independent security researchers who help make iOS safe and will in the future credit the person who discovered the vulnerability. The company typically issues a security update with each software release to detail patched bugs and identify the security researchers or research groups who discovered them.

According to ZecOps, Apple's latest iOS 13.4.5 beta release patches the reported vulnerabilities.

Rayz2016 · April 24, 2020 6:00AM

So If Apple is saying that there is no immediate threat, then they’re also saying that this part:

In existence since iOS 6, the flaws have been triggered in the wild as part of targeted attacks, including individuals from a Fortune 500 company, an executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist, ZecOps said

is false?

Since this is the second time this bug has shown up, this will now be like a bandaged elbow on a WCW wrestler: somewhere to focus your attack, except that WCW wrestling is more of a pantomime than a sport, so a bandaged elbow isn’t really … anyway that metaphor’s dead in the water so let’s just leave it there.

digitol · April 24, 2020 6:22AM

Apple's response to this is pure baby caca! It is super insulting how stupid Apple thinks its customers are. Shameful. #Weak #Lies #WetPaperBagSecurity #Shameful.

tommy65 · April 24, 2020 7:57AM

Strange if you check Reuter’s. They say the following:” Apple on Wednesday acknowledged the vulnerability existed in its software for email on iPhones and iPads, known as the Mail app, and said the company had developed a fix that will be introduced in a forthcoming update to millions of devices it has sold globally”.

Why would Apple patch this vulnerability if it doesn’t exists today?

Link to source:
https://www.reuters.com/article/apple-cyber-idUSL2N2CC04D

sirlance99 · April 24, 2020 8:37AM

Man, I love Apple but they always skirt around when they fuck up and NEVER admit to it. It’s always something with them and trying to miss direct. I’d like them a whole ton better if, when they fuck up, they’d just say they fucked it and say they are going to make it better.

Rayz2016 · April 24, 2020 9:23AM

tommy65 said:

Strange if you check Reuter’s. They say the following:” Apple on Wednesday acknowledged the vulnerability existed in its software for email on iPhones and iPads, known as the Mail app, and said the company had developed a fix that will be introduced in a forthcoming update to millions of devices it has sold globally”.

Why would Apple patch this vulnerability if it doesn’t exists today?

Link to source:
https://www.reuters.com/article/apple-cyber-idUSL2N2CC04D

Apple didn’t say there was no vulnerability. They said they found no evidence that the vulnerability had impacted users.

Anilu_777 · April 24, 2020 10:02AM

digitol said:

Apple's response to this is pure baby caca! It is super insulting how stupid Apple thinks its customers are. Shameful. #Weak #Lies #WetPaperBagSecurity #Shameful.

This isn’t Twitter. Cut with the lame hashtags.

fred1 · April 24, 2020 11:23AM

Have you or anyone you know been affected? Just curious. I found a strange e-mail in my junk folder on my iPhone last week and immediately deleted it without reading it. Could that have been one?

Rayz2016 · April 24, 2020 11:27AM

fred1 said:

Have you or anyone you know been affected? Just curious. I found a strange e-mail in my junk folder on my iPhone last week and immediately deleted it without reading it. Could that have been one?

It could’ve been anything 🤷🏾‍♂️

MplsP · April 24, 2020 12:31PM

I agree with the other comments here - we have a known, zero-day vulnerability that has been seen in the wild and has now been publicized so it is widely known. I'm happy that Apple is issuing a patch but am dumbfounded how they can say there is no risk to users. I also wonder why they haven't fixed it yet since they have known about it since February.

lkrupp · April 24, 2020 12:35PM

Rayz2016 said:

So If Apple is saying that there is no immediate threat, then they’re also saying that this part:

In existence since iOS 6, the flaws have been triggered in the wild as part of targeted attacks, including individuals from a Fortune 500 company, an executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist, ZecOps said

is false?

Since this is the second time this bug has shown up, this will now be like a bandaged elbow on a WCW wrestler: somewhere to focus your attack, except that WCW wrestling is more of a pantomime than a sport, so a bandaged elbow isn’t really … anyway that metaphor’s dead in the water so let’s just leave it there.

Hey troll! Professional wrestling is the only true sport left in America, period. All those other supposed ‘sports’ like baseball, basketball, hockey, football, tennis, are scripted and fake just like that reality show ‘Naked and Afraid’. How do I know this for a fact? Hulk Hogan told me and the Hulkster doesn’t lie to his Hulkamaniacs. So there.

tommy65 · April 24, 2020 12:41PM

Rayz2016 said:

tommy65 said:

Strange if you check Reuter’s. They say the following:” Apple on Wednesday acknowledged the vulnerability existed in its software for email on iPhones and iPads, known as the Mail app, and said the company had developed a fix that will be introduced in a forthcoming update to millions of devices it has sold globally”.

Why would Apple patch this vulnerability if it doesn’t exists today?

Link to source:
https://www.reuters.com/article/apple-cyber-idUSL2N2CC04D

Apple didn’t say there was no vulnerability. They said they found no evidence that the vulnerability had impacted users.

tommy65 said:
Agree but if I would hide chocolate Easter eggs and Apples and Pears cannot find any that does not mean there are none. What if someone else has found the Easter eggs but is keeping the eggs in their own basket without informing Apples and Pears. Apples and Pears might be eating chocolate without knowing they are.

lkrupp · April 24, 2020 1:00PM

Why can’t we delete a post?

dshanah · April 24, 2020 1:12PM

As I understand it the Mail bugs by themselves are not enough to give a remote attacker control of the iPhone, enable them to install malware/spyware on it, etc. But, if combined with another exploit, likely a zero day kernel vulnerability, the attacker can then compromise the device. And it seems that there may be one or more zero day iOS kernel vulns out there that some attacker(s) are using, along with these Mail bugs, against specific targets — these are the "in the wild" attacks ZecOps came across and are talking about. The attacks are probably being conducted by nation state actors, think NSA, China, NK, Saudi Arabia, etc. Problem is ZecOps apparently don't know the details of the kernel vuln(s) these attacks used, just the Mail vulns that the attacks use to start the process, and Apple likely don't know the details of the other vulns either. Yet. So both parties are telling the truth, but only part of it — ZecOps have found targeted attacks on individuals that use these Mail vulns as part of the process, but all they could tell Apple the details of was the Mail bugs. And Apple are correctly stating that by themselves these Mail vulns are not sufficient to threaten iOS users security. What Apple don't want to admit publicly is that there may be one or more other, unknown, bugs out there that when combined with these Mail bugs do threaten users security. I guess it's even possible that the kernel vuln(s) the ZecOps attacks used have already been patched in a recent(ish) iOS update but were used against targets who had not installed the patched version for whatever reason (we've no idea when these victims were attacked, maybe before the patch was available?)

lkrupp · April 24, 2020 1:16PM

Rayz2016 said:

So If Apple is saying that there is no immediate threat, then they’re also saying that this part:

In existence since iOS 6, the flaws have been triggered in the wild as part of targeted attacks, including individuals from a Fortune 500 company, an executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist, ZecOps said

is false?

Since this is the second time this bug has shown up, this will now be like a bandaged elbow on a WCW wrestler: somewhere to focus your attack, except that WCW wrestling is more of a pantomime than a sport, so a bandaged elbow isn’t really … anyway that metaphor’s dead in the water so let’s just leave it there.

Yes, Apple is saying that this ZecOps outfit is wrong, not about the existence of the vulnerabilities, but about whether they have actually been exploited. So who do you choose to believe?

How about AppleInsider hire a security researcher to create one of these ‘specially crafted emails’ and test it. It should be easy to do now that the details have been released and the entire universe of hackers is actively exploiting the flaws as we speak? Even better, why doesn’t one of the myriad of security experts who call AI home do this as a service to the AI community? Then we’ll know who is lying, right?

apple_badger · April 24, 2020 2:24PM

It's probably a good idea to read the original release from ZecOps (https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/) or at least their FAQ for this (https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/#post-faq). They lay out their case for why they think there's been exploitation and also explain that this is, by itself, not enough to fully take over the phone.

Speaking as someone who works in IT security, I'm going to make two observations:

1. Gaining control of an email account can have catastrophic consequences, both for the individuals and organizations.

2. Whenever some locally exploitable bug is reported on here, there is always a chorus of people who disclaim it based on the fact that you need access to the device or to be running software on the device in order to exploit it, and they only get their software from the App Store, or some such thing. This is the other half of the exploit chain that makes local vulnerabilities so dangerous; this is the kind of thing that makes local vulnerabilities into remote ones.

command_f · April 24, 2020 4:55PM

dshanah said:

As I understand it the Mail bugs by themselves are not enough to give a remote attacker control of the iPhone, enable them to install malware/spyware on it, etc. But, if combined with another exploit, likely a zero day kernel vulnerability, the attacker can then compromise the device. And it seems that there may be one or more zero day iOS kernel vulns out there that some attacker(s) are using, along with these Mail bugs, against specific targets — these are the "in the wild" attacks ZecOps came across and are talking about. The attacks are probably being conducted by nation state actors, think NSA, China, NK, Saudi Arabia, etc. Problem is ZecOps apparently don't know the details of the kernel vuln(s) these attacks used, just the Mail vulns that the attacks use to start the process, and Apple likely don't know the details of the other vulns either. Yet. So both parties are telling the truth, but only part of it — ZecOps have found targeted attacks on individuals that use these Mail vulns as part of the process, but all they could tell Apple the details of was the Mail bugs. And Apple are correctly stating that by themselves these Mail vulns are not sufficient to threaten iOS users security. What Apple don't want to admit publicly is that there may be one or more other, unknown, bugs out there that when combined with these Mail bugs do threaten users security. I guess it's even possible that the kernel vuln(s) the ZecOps attacks used have already been patched in a recent(ish) iOS update but were used against targets who had not installed the patched version for whatever reason (we've no idea when these victims were attacked, maybe before the patch was available?)

That's how I understand it too. The Mail issue allows code execution by the attacker, if that code is a kernel vulnerability then they're in.

dysamoria · April 24, 2020 4:58PM

Why does AI continue to post company statements without sign of quotation? No quotation marks, no quote formatting...

tommy65 · April 24, 2020 9:34PM

lkrupp said:

Rayz2016 said:

So If Apple is saying that there is no immediate threat, then they’re also saying that this part:

In existence since iOS 6, the flaws have been triggered in the wild as part of targeted attacks, including individuals from a Fortune 500 company, an executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist, ZecOps said

is false?

Since this is the second time this bug has shown up, this will now be like a bandaged elbow on a WCW wrestler: somewhere to focus your attack, except that WCW wrestling is more of a pantomime than a sport, so a bandaged elbow isn’t really … anyway that metaphor’s dead in the water so let’s just leave it there.

Yes, Apple is saying that this ZecOps outfit is wrong, not about the existence of the vulnerabilities, but about whether they have actually been exploited. So who do you choose to believe?

How about AppleInsider hire a security researcher to create one of these ‘specially crafted emails’ and test it. It should be easy to do now that the details have been released and the entire universe of hackers is actively exploiting the flaws as we speak? Even better, why doesn’t one of the myriad of security experts who call AI home do this as a service to the AI community? Then we’ll know who is lying, right? Yes

If user’s information is breached via mail does Apple care to investigate? I remember something similar from the past with another BIG corporate company. They said:” Not within the scope of our software...”.

Apple says iOS Mail vulnerabilities do not pose immediate threat, patch coming

Comments