iOS Mail Bug Allows Remote, No-Click Attacks

ZecOps released a report describing vulnerabilities in the iOS Mail app. The vulnerabilities allow attackers to execute code within the app or the main process that assists the app. According to researchers, the latest 13.4.1 version is also vulnerable to attack.

The attack begins with the threat actors sending an email crafted to cause a buffer overflow in Mail. The bug is triggered when the threat actors fill a block of memory beyond capacity with junk data. The attackers then overwrite the code in adjoining memory for later execution in the vulnerable process.

The vulnerabilities cover a wide range of iOS versions

The vulnerabilities ZecOps described could potentially allow attackers to use a buffer overflow to attack iOS devices, all the way from iOS 6 to iOS 13.4.1. ZecOps didn't test the older versions, so it is currently unknown whether this approach would work. The attack works with nothing more than opening a malicious email message using the Mail app. There is no need for any interaction other than opening the email. iOS 13 sees an expansion of the dangers of the vulnerability.

The attack can be taken to the maild process running in the background, making it a zero-interaction vulnerability. On iOS 13 there are no apparent signs of infection, other than a temporary slowdown of the Mail app. In some cases there were messages with no content that could not be displayed, possible signs of a failed attack. Messages shared on the ZecOps blog were only visible for a short time, allegedly being deleted by the attackers once the attack is complete.

The ZecOps report shows that the attack can only work through the Mail app. The use of these vulnerabilities shows that attackers may modify, delete, and capture emails. The attackers may also use Mail for other operations, such as sending messages, but that wasn't mentioned by ZecOps. For a full compromise, the attackers need to have one more vulnerability present. Version 13.4.1 requires a publicly known one that restricts the attackers to the level of nation-state threat actors.

Why was the vulnerability disclosed now?

Responsible disclosure usually means not leaking a vulnerability until it has been patched, or until the vendor fails to fix it promptly. Ethical reporting, in this case, allows the vendors to work on fixing the issues before threat actors can use them. Once hackers realize a vulnerability exists through a report, they may work on finding it themselves. ZecOps shared why they decided to disclose the current issue at this moment:

The disclosed vulnerabilities may not be used to compromise a device without additional vulnerabilities; thus, the risk is lower.

Apple released a beta of iOS 13.4.5, which addresses the issue being reported. The fix is in beta and not yet in a public release. If potential attackers analyze the changes in the beta, that may lead them to the vulnerabilities, but the public was unaware of the disclosure.
More than six unnamed organizations were already under attack using these vulnerabilities, according to ZecOps.
