German government urges iOS users to fix critical flaws in Mail app

Germany’s federal cybersecurity agency today urged iOS users to immediately install the iOS and iPadOS security updates released by Apple on May 20 to fix two actively exploited zero-click security vulnerabilities affecting the default iOS email app.

“Due to the criticality of the vulnerabilities, the BSI recommends that the corresponding security update be installed immediately on all affected systems,” said the BSI (Bundesamt für Sicherheit in der Informationstechnik).

Cybersecurity startup ZecOps disclosed the bugs (zero-days at the time of disclosure) after discovering ongoing attacks that had targeted iOS users since at least January 2018.

Attacks abusing both bugs targeted high-profile targets

The two zero-click vulnerabilities are a memory consumption issue tracked as CVE-2020-9819, which may lead to heap corruption, and an out-of-bounds write issue tracked as CVE-2020-9818, which may lead to unexpected memory modification or application termination. Both are triggered when the Mail app processes a maliciously crafted email message.

Apple patched the MailDemon security vulnerabilities with the release of iOS 13.5 and iPadOS 13.5, which come with improved memory handling and bounds checking.

“We believe these attacks are correlative to at least one nation-state or nation-state threat operator who purchased the exploit from a third-party researcher in a Proof of Concept (POC) category and used ‘as-is’ or with minor modifications,” ZecOps said at the time.

Fortunately, the attacks mentioned by ZecOps were against high-profile targets, which means that regular users won’t be directly targeted until exploits for both bugs fall into the hands of threat actors with less ambitious goals.

Bugs affect devices running iOS 3.1.3 and later

According to the iOS 13.5 security release notes, the vulnerabilities found by ZecOps affect iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

Based on ZecOps’ analysis of the two bugs, all devices running iOS 3.1.3 through 13.4.1 are at risk of potential attacks that would allow remote code execution on compromised iPhone and iPad devices and let attackers access, leak, edit, and delete emails.

As the founder and CEO of ZecOps shared, “These vulnerabilities also existed since the first iPhone (iPhone 1 / iPhone 2G) and since at least iOS 3.1.3.”

iOS zero days
Source: ZecOps

In an official statement shared after ZecOps disclosed its findings, Apple disputed the researchers’ claims regarding the ongoing attacks:

Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded that these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but on their own they are insufficient to circumvent iPhone and iPad security protections, and we found no evidence that they were used against customers. These potential issues will soon be resolved in a software update. We appreciate our collaboration with security researchers to help keep our users safe and we will thank the researcher for their assistance.

ZecOps responded with the following:

According to data from ZecOps, there were triggers in the wild for this vulnerability on a few organizations. We would like to thank Apple for working on a fix and we look forward to updating our devices once it is available. ZecOps will release more information and POC once a fix is available.