According to ZecOps, two vulnerabilities that were first triggered in October 2010 still affect all devices running iOS. Recently, a series of ongoing remote attacks was seen targeting iOS users through these two zero-click security vulnerabilities, affecting iPhone and iPad devices since at least January 2018.
Attacks abused the two bugs against high-profile targets
The two vulnerabilities, a heap-based buffer overflow (CVE-2020-9819) and an out-of-bounds write (CVE-2020-9818), could be triggered when the default Mail application processes a maliciously crafted mail message.
- The attacks targeted individuals from a Fortune 500 organization in North America, an executive from a carrier in Japan, a VIP from Germany, MSSPs from Saudi Arabia and Israel, a journalist in Europe, and an executive from a Swiss enterprise.
- In these remote attacks, an attacker can send a specially crafted malicious email to the victim’s mailbox; processing it triggers the vulnerability on iOS and compromises the iPhone or iPad, allowing the attacker to access, leak, modify, and delete emails.
Bugs affect iOS devices
These attacks are believed to be associated with at least one nation-state threat operator or a nation-state.
- iPhones and iPads running iOS 6 or later were found vulnerable to these bugs. However, the vulnerabilities even affected the first iPhone (iPhone 1 / iPhone 2G) and have existed from iOS 3.1.3 onwards, up to 13.4.1.
- The vulnerabilities affected the iPhone 6s, iPad Air 2, iPad mini 4, iPod touch 7th generation, and corresponding later models. They were triggered in the context of specific apps, namely the ‘MobileMail’ application on iOS 12 or the ‘maild’ application on iOS 13.
Warning by the German authorities
- The German Federal Office for Information Security (BSI) warned users against using the Mail application on iOS. BSI recommended that users uninstall the app or, alternatively, deactivate the accounts associated with it until patches were released.
- On May 27, the BSI urged iOS users to install the respective security updates released by the vendor on all affected systems immediately.
Apple has addressed the MailDemon security flaws with the release of iOS 13.5 and iPadOS 13.5. Users should update their devices, including the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation, to protect against heap corruption, memory modification, and application termination.