Apple Rushes to Patch iOS Zero-Day FlawsVulnerabilities Have Likely Been Exploited for Years, Researchers Warn
Apple is now preparing final patches for two zero-day vulnerabilities that a security firm says have been exploited by certain attackers to seize control of iPhone and iPad email apps, giving them access to users' messages.
Security researchers at ZecOps a San Francisco-based mobile security forensics company, say the vulnerabilities have been exploited in the wild, with several high-profile users among those targeted. Those include individuals at several Fortune 500 companies in North America, an executive with a Japanese wireless carrier and a journalist in Europe, according to a ZecOps report released Wednesday.
The vulnerabilities, which attackers can exploit to run remote code execution, are present in Apple's MobileMail email client in iOS 12 and the Mailid email app found in iOS 13, according to the ZecOps report.
Attackers apparently first exploited the flaws in January 2018, but these vulnerabilities could have been present in versions of iOS dating back to September 2012, ZecOps says.
The ZecOps researchers alerted Apple about the flaws, and the company released beta fixes for both zero-day vulnerabilities earlier this month, with full fixes for iOS 12 and iOS 13 expected soon, according to the Apple Insider blog.
Apple on Wednesday confirmed that the vulnerabilities exist in the default iOS mail app, and on Thursday confirmed that it has prepped a fix for the flaw that it will shortly distribute to its millions of iOS users worldwide. But the company disputed ZecOps' assertion that the flaw had been actively exploited in the wild.
“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” Apple says in a statement provided to Reuters. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”
Tracking Zero-Day Vulnerabilities
In their report, the ZecOps researchers note that they discovered these vulnerabilities during a routine digital forensics and incident response investigation. The researchers found a series of "suspicious events" within the default email application of iOS, which led to the discovery of the zero-day flaws.
Attackers can send a specially crafted email to the targeted iOS mail client that consumes a large portion of the device's RAM. Then, once the user opens the email application, it triggers the exploit, according to the report.
By exploiting the vulnerabilities, attackers can read or delete emails. The researchers warn, however, that when combined with another vulnerability in the operating system's kernel, hackers could gain greater control over the devices. It's not clear, however, if that scenario has played out yet.
One of the zero-day vulnerabilities is what the researchers call an “out-of-bounds write” vulnerability, which can affect certain files within the iOS email client. The other is a “heap-overflow” vulnerability, which an attacker can trigger remotely when a user opens the specially crafted email, according to the report.
The ZecOps researchers note in the report that they suspect these two zero-day vulnerabilities have been exploited by a nation-state actor, although the report does not contain specifics.
"We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a proof-of-concept grade and used 'as-is' or with minor modifications," the report states.
Christoph Hebeisen, director of security intelligence research at Lookout, a security firm, says it's not surprising that a nation-state actor would target mobile devices because they contain so much data.
"The rising prevalence of such attacks indicates that attackers are increasingly becoming aware of mobile devices as the most valuable targets for surveillance and spying," Hebeisen tells Information Security Media Group. "Not only do these devices offer access to documents, communications and cloud accounts of the user, but they can also act as a live surveillance tool by virtue of their sensors, such as microphone, camera and GPS devices."