
MacRumors

macrumors bot
Original poster
Apr 12, 2001


San Francisco-based cybersecurity company ZecOps today announced that it has uncovered two zero-day security vulnerabilities affecting Apple's stock Mail app on iOS devices, as noted by Motherboard and The Wall Street Journal.


ZecOps claims that one of the vulnerabilities enables an attacker to remotely infect an iOS device by sending emails that consume a significant amount of memory, while another could allow remote code execution capabilities. Successful exploitation of the vulnerabilities is said to allow an attacker to leak, modify, and delete a user's emails.

Targets of the vulnerabilities have apparently included corporate executives and government officials rather than average end users.

The vulnerabilities are said to impact all software versions between iOS 6 and iOS 13.4.1. ZecOps said that Apple has patched the vulnerabilities in the latest beta of iOS 13.4.5, which should be publicly released within the coming weeks. In the meantime, ZecOps recommends using a third-party email app like Gmail or Outlook, which are apparently not impacted.

Article Link: Apple Patches Two Security Vulnerabilities Impacting Mail App in iOS 13.4.5 Beta
 
How considerate of them to tell Apple first and allow it to be patched before publicly disclosing it.

/s
According to the original article they notified Apple on February 19, more than two months ago. The vulnerability was also hinted at in the release notes of Apple's most recent beta release. Given the potential severity of this vulnerability and the fact that it is being exploited in the wild, I think they did the right thing.
 
I guess everyone with devices that can't run iOS 13 needs to just buy new hardware.
Perhaps not if you use iPhone 5S or 6. iOS 12 is still getting security updates, with the latest (12.4.6) being released at the same time as iOS 13.4, about a month ago.

And iOS 13 users might not have to wait for 13.4.5 for a security fix. Maybe a 13.4.2 update this week?
 
There's an answer to the iOS 13 abomination Apple Mail app.

Spark - Email App by Readdle
 
There's an answer to the iOS 13 abomination Apple Mail app.

Spark - Email App by Readdle by Readdle Inc.
No thanks. They don’t respect your privacy.
 
There's an answer to the iOS 13 abomination Apple Mail app.

Spark - Email App by Readdle
As long as you are OK with them storing your email account credentials on their servers. If they are breached, hackers not only get access to your email account, but can probably also take over many of your other accounts via password resets.
 
There's an answer to the iOS 13 abomination Apple Mail app.

Spark - Email App by Readdle

Spark is great and all, but on our work-provided iPhones we are forced to use the mail app, despite the consecutive bugs and security flaws.
 
According to the original article they notified Apple on February 19, more than two months ago. The vulnerability was also hinted at in the release notes of Apple's most recent beta release. Given the potential severity of this vulnerability and the fact that it is being exploited in the wild, I think they did the right thing.
Yeah, if this is already being exploited then the responsible thing to do is publish it and let people decide if they want to continue using the app.

This is a place where sandboxing is insufficient. Generally the sandbox means a user breaching an app can only access data from that app, but if that app's data is all of my email, that’s a freaking treasure trove.

This sounds like a pretty big bug to have been lurking through 7 versions of iOS...
 
As long as you are OK with them storing your email account credentials on their servers. If they are breached, hackers not only get access to your email account, but can probably also take over many of your other accounts via password resets.

It's encrypted if you use IMAP etc., and the other types of account need app-specific passwords, so no, they can't "take over your account via password resets".

I've tried so many email clients over the years to find the best one and nothing comes even close to Spark.
 
It's encrypted if you use IMAP etc
They store email account credentials on their servers. If anyone manages to steal them, they have full access to your emails.
the other types of account need app-specific passwords so no, they can't "take over your account via password resets"
Of course they can. There are many types of accounts that allow you to reset the password by sending a link to your registered email address. Hijacking an active email account is a treasure trove for blackhats. Not even mentioning the privacy implications of having all your stored emails exposed.
 
The ONE thing I like about Apple's Mail (on both the Mac and iOS) is that Apple demonstrably respects your privacy. Everybody else pretty much doesn't (except for paid services like ProtonMail). So I use Apple's Mail; however, it is just a piece of junk compared to everything else out there. It's good that security bugs are found and fixed, but in the name of all things holy, can somebody at Apple please dip their little finger into that hoard of cash they own and just FIX Mail? Make it something they can take pride in and not a magnet for endless frustration for their customers.
 