[Update] Serious iOS Security Vulnerabilities Requiring Zero User Interaction Discovered Being Actively Exploited In The Wild Inside Apple Mail App

Apple iOS, the operating system running on iPhones, is affected by multiple new security vulnerabilities. It is concerning to note that the flaws need no user interaction. The vulnerabilities can reportedly be exploited entirely without the user ever needing to perform any action, such as clicking a link or downloading an app. Incidentally, this isn’t the first time such serious flaws inside iOS have been discovered.

Two new serious security vulnerabilities inside the Apple iOS operating system were revealed today. Apparently, these flaws potentially allow attackers to gain access to an iPhone running iOS without any user action. More importantly, the remotely executed attack can also allow Remote Code Execution (RCE), which might include administrative control of the victim’s iPhone. Although this has yet to be officially corroborated, the newly discovered security vulnerabilities are being exploited in the wild. Apparently, Apple is aware of the security flaws and is expected to release an update to patch them.

iPhones Running Apple iOS 6 And Above Vulnerable To Newly Discovered And Actively Exploited Security Vulnerabilities:

The newly discovered security vulnerabilities in the Apple iOS operating system allow an attacker to strike the victim’s device remotely. Moreover, the flaws allow attackers to gain access to an iOS device without any user action. The majority of attacks require some user action, such as clicking a link, installing an application, or opening a document, before the attack can commence. In this case, however, the attacker can simply send emails that consume a significant amount of memory and gain remote code execution capabilities on the device.

The serious security vulnerabilities inside iOS with zero user interaction were discovered by security firm ZecOps. The researchers at the company claim attackers are already using these vulnerabilities in the wild. Without identifying the targets, the researchers claimed the newly discovered security flaws have been successfully used to target the following individuals:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A journalist in Europe
  • Suspected: An executive from a Swiss enterprise

iOS is a completely closed-source operating system designed and developed by Apple. It is strictly controlled and regulated. The OS isn’t as open as Google Android. The latest iteration of iOS is iOS 13. However, all devices running iOS 6 and above are affected by these security flaws. Security researchers investigating the vulnerabilities have highlighted the ways attackers can compromise an iPhone running Apple iOS. In the recent iOS versions, the attack can be carried out in the following ways:

  • Attack on iOS 13: Unassisted (zero-click) attacks on iOS 13 when the Mail application is opened in the background
  • Attack on iOS 12: The attack requires a click on the email. The attack will be triggered before the content is rendered. The user won’t notice anything anomalous in the email itself
  • Unassisted (aka zero-click) attacks on iOS 12 can be triggered if the attacker controls the mail server

Apple To Patch Security Vulnerabilities In Upcoming Update:

Researchers claim Apple is aware of these security flaws in iOS. They added that Apple is expected to release an incremental update to iOS that will include a fix for the vulnerabilities. However, until Apple releases that update, there is a way to avoid being targeted or becoming a victim of the security bugs.

Researchers advise completely avoiding the Apple Mail app, the email client that is designed, developed, and maintained by Apple. Incidentally, the Mail app does support third-party email accounts like Gmail, Outlook, etc. Hence, until Apple releases an update to fix the bugs, users can depend on the Microsoft Outlook app or other similar email clients.

[Update] Apple has reportedly released an update to patch the two security vulnerabilities inside the Apple Mail app.

Alap Naik Desai