Vulnerabilities in iOS version 6 and later dating from September 2012 that are triggered via the iOS email app have been disclosed that if exploited allow remote code execution.

The problems were revealed by the security firm ZecOps, which has spotted the vulnerability being trigged in the wild on iOS 11.2.2 as far back as November 2018 and potentially even earlier. Apple was informed in February 2019 and the company released a beta patch in April correcting the issue. Only the iOS email app is vulnerable, not other third party variety’s like Gmail or Outlook.

“The vulnerability allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails. Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability. It is currently under investigation,” ZecOps reported.

What makes this bug extremely dangerous is that in some cases it can be launched by just opening the email app. ZecOps has witnessed this “zero click” situation in iOS 13. In iOS 12 the victim does have to click the email, but the attack takes place so quickly the email itself may not have fully rendered before the infection is set. There is a caveat to the iOS 12 situation, if the attacker controls the mail server then a zero click attack can be performed.

“ZecOps found that the implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate. In addition, we found a heap-overflow that can be triggered remotely,” ZecOps said.

Device owners may have a hard time noticing if they have been hit. The outward signs include a general slowdown of the system and in some cases the mail app crashes.

“While this vulnerability has been fixed in the developer’s current beta versions, it is essential to get the patch out soon for end users to secure their devices from this exploit. Depending on the risk and confidentiality of an employee’s email, an organization will need to determine if they are to stop using the vulnerable application until the patch is released,” said James McQuiggan, Security Awareness Advocate, KnowBe4

The good news is the bugs alone cannot cause harm to iOS users because the attackers would require an additional infoleak bug and a kernel bug afterwards to take full control over the targeted device.

Chris Clements, VP of Solutions Architecture, Cerberus Sentinel, said, the vulnerabilities have been exploited by nations states and professional hacking organizations which brings an extra level of danger to the situation.

“You must assume that any attacker with enough ability or financial backing has access to sure-fire exploits that can take control of computers or devices running any operating system or application.  These exploits are specially designed to go undetected by anti-virus, firewalls, or other front-line security controls.  They only way to defend against such attackers is to have a culture of security with defense in-depth capabilities including close monitoring of security logs and anomalous network traffic,” he said.