ZecOps, a San Francisco-based mobile security forensics company, has discovered a pair of zero-day vulnerabilities in the Mail app on iPhones and iPads that hackers have been abusing in the wild for at least the last two years to target individuals across various industries and organizations.
In a report published on Wednesday, ZecOps said it found evidence that both the vulnerabilities have been actively exploited by an “advanced threat operator” since 2018.
According to the researchers, both vulnerabilities can be exploited remotely simply by sending an email to the default iOS Mail application on a victim's iPhone or iPad.
Both flaws mainly affect the latest iPhone software, iOS 13.4.1, though ZecOps says they have existed since at least iOS 6, which was released in September 2012.
“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” wrote researchers.
When a user opened the email message, it would cause a crash on the iPhone, allowing the attackers to gain entry to the device and access confidential information. In some versions of iOS, the attack can be triggered when the Mail app automatically downloads a message's data, so the recipient does not have to click anything for the device to be compromised.
The bugs in question are remote code execution flaws that reside in the MIME library of Apple’s mail app.
The first vulnerability is an out-of-bounds (OOB) write. The researchers said the affected library is “/System/Library/PrivateFrameworks/MIME.framework/MIME” and the vulnerable function is “[MFMutableData appendBytes:length:]”.
“[The] implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate,” the researchers said.
The second flaw, a heap-overflow issue, can also be triggered remotely.
“Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly,” the researchers wrote.
“The remote bug can be triggered while processing the downloaded email, in such a scenario, the email won’t get fully downloaded to the device as a result.”
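The defect class the researchers describe, an unchecked ftruncate() result ahead of a memory write, is illustrated below with a hypothetical file-backed append buffer. This is added example code, not Apple's MFMutableData or ZecOps' material; the buffer layout, function names and the use of a read-only descriptor to make ftruncate() fail are all assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical file-backed append buffer (not Apple's MFMutableData): data
 * lives in a file that is grown with ftruncate() and written via mmap(). */
struct fbuf { int fd; size_t len; };

/* Vulnerable pattern: ftruncate()'s result is discarded, so on failure the
 * file is never grown but the memcpy still runs: an out-of-bounds write. */
int append_unchecked(struct fbuf *b, const void *p, size_t n) {
    size_t new_len = b->len + n;
    ftruncate(b->fd, (off_t)new_len);                 /* return value ignored */
    char *m = mmap(NULL, new_len, PROT_WRITE, MAP_SHARED, b->fd, 0);
    if (m == MAP_FAILED) return -1;
    memcpy(m + b->len, p, n);                          /* OOB if not grown */
    munmap(m, new_len); b->len = new_len;
    return 0;
}

/* Hardened form: no write unless every preceding system call succeeded. */
int append_checked(struct fbuf *b, const void *p, size_t n) {
    if (n > SIZE_MAX - b->len) { errno = EOVERFLOW; return -1; }
    size_t new_len = b->len + n;
    if (ftruncate(b->fd, (off_t)new_len) != 0) return -1;  /* errno is set */
    char *m = mmap(NULL, new_len, PROT_WRITE, MAP_SHARED, b->fd, 0);
    if (m == MAP_FAILED) return -1;
    memcpy(m + b->len, p, n);
    munmap(m, new_len); b->len = new_len;
    return 0;
}

/* Self-check on a temporary file: returns 1 if the hardened form round-trips
 * data on a writable fd and refuses to write when ftruncate() fails (read-only fd). */
int self_check(void) {
    char path[] = "/tmp/fbufXXXXXX", out[12] = {0};
    struct fbuf w = { mkstemp(path), 0 }, ro = { open(path, O_RDONLY), 0 };
    int ok = append_checked(&w, "Hello, ", 7) == 0 && append_checked(&w, "MIME", 4) == 0
          && pread(w.fd, out, 11, 0) == 11 && memcmp(out, "Hello, MIME", 11) == 0
          && append_checked(&ro, "x", 1) == -1 && ro.len == 0;
    close(w.fd); close(ro.fd); unlink(path);
    return ok;
}
```

The unchecked variant is shown only for contrast; exercising it on a descriptor where ftruncate() fails would perform exactly the out-of-bounds write the hardened form refuses.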
According to the researchers, both bugs have been exploited in the wild. However, they believe “the first vulnerability (OOB Write) was triggered accidentally, and the main goal was to trigger the second vulnerability (Remote Heap Overflow).”
The vulnerabilities were discovered by ZecOps while investigating a sophisticated cyberattack against a client that took place in late 2019. According to Zuk Avraham, founder and CEO of ZecOps, the vulnerabilities were exploited in at least six cybersecurity break-ins.
“With very limited data, we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous,” the researchers said.
“While ZecOps refrains from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as the main identifier.”
ZecOps was able to identify several targets of the attacks:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A Journalist in Europe
- Suspected: An executive from a Swiss enterprise
ZecOps notified the Apple security team about the vulnerabilities in February. Last week, Apple released the iOS 13.4.5 beta, which contains security patches for both zero-day vulnerabilities. A fix for millions of iPhone and iPad users is set to arrive in the next publicly available update, iOS and iPadOS 13.4.5.
Apple Inc. said it has found no evidence that hackers are exploiting these vulnerabilities.
“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” the Cupertino, California company said. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”
In the meantime, we strongly recommend that Apple users avoid the default Mail app on their devices and switch to the Outlook or Gmail apps until the iOS update is released.