Apple Says Recently Discovered iOS Mail Vulnerabilities Pose No Immediate Threat, But a Patch Is in the Works

[MacRumors]

Apple has responded to a recent report on vulnerabilities discovered in its iOS Mail app, claiming the issues do not pose an immediate risk to users.

Earlier this week, San Francisco-based cybersecurity company ZecOps said it had uncovered two zero-day security vulnerabilities affecting Apple's stock Mail app for iPhones and iPads.

One of the vulnerabilities was said to enable an attacker to remotely infect an iOS device by sending emails that consume a large amount of memory. Another could allow remote code execution capabilities. Successful exploitation of the vulnerabilities could potentially allow an attacker to leak, modify, or delete a user's emails, claimed ZecOps.

However, Apple has downplayed the severity of the issues in the following statement, which was given to several media outlets.

"Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance."

The vulnerabilities are said to impact all software versions between iOS 6 and iOS 13.4.1. ZecOps said that Apple has patched the vulnerabilities in the latest beta of iOS 13.4.5, which should be publicly released within the coming weeks. Until then, ZecOps recommends using a third-party email app like Gmail or Outlook, which are apparently not impacted.

Article Link: Apple Says Recently Discovered iOS Mail Vulnerabilities Pose No Immediate Threat, But a Patch Is in the Works

 

[Macman8472]

Recently my Mac OS Mail app keeps on crashing when I delete Trash or Junk folders. Am I the only one? Been sending reports to Apple when the app crashes. No virus detected on my Mac.

 

[miniyou64]

The bugs in Mail are still immediately extremely annoying

 

[otternonsense]

I'm pretty sure Apple will have prioritised some irrelevant pleasantry like Memoji barf physics in iOS 14 than getting Mail, FaceTime or personal hotspot straightened out.

As for this patch.. not holding my breath it will be the last one.

 

[MandiMac]

I'm pretty sure Apple will have prioritised some irrelevant pleasantry like Memoji barf physics in iOS 14 than getting Mail, FaceTime or personal hotspot straightened out.

As for this patch.. not holding my breath it will be the last one.

Yeah, it's good we actually receive patches and updates, no?

 

[otternonsense]

Yeah, it's good we actually receive patches and updates, no?

Of course it's good. The amount of patches we are receiving though, addressing issues evidenced by third parties and made public, doesn't inspire a lot of trust in Apple's own iOS and macOS QA for proactive bug fixing. At least they're pushing those patches relatively fast.

 

[MandiMac]

Of course it's good. The amount of patches we are receiving though, addressing issues evidenced by third parties and made public, doesn't inspire a lot of trust in Apple's own iOS and macOS QA for proactive bug fixing. At least they're pushing those patches relatively fast.

I‘d rather nitpick about the amount of patches we are receiving than having security problems without a patch in sight. It‘s the lesser evil, really.

 

[otternonsense]

I‘d rather nitpick about the amount of patches we are receiving than having security problems without a patch in sight. It‘s the lesser evil, really.

Nitpicking about the something so basic that shouldn't be broken in the first place. After 13 versions and untold number of patches of iOS, Apple still can't figure out how to make Mail watertight? To the point that "ZecOps recommends using a third-party email app like Gmail or Outlook"?? That's the bigger evil IMHO.

 

[MandiMac]

Nitpicking about the something so basic that shouldn't be broken in the first place. After 13 versions and untold number of patches of iOS, Apple still can't figure out how to make Mail watertight? To the point that "ZecOps recommends using a third-party email app like Gmail or Outlook"?? That's the bigger evil IMHO.

Of course it is inconvenient. But since we know that iOS 14 will be a „Snow Leopard“ release focussing on getting things right again, don‘t you believe that Apple management is very, very aware of it? Lessons have been learned.

 

[otternonsense]

Of course it is inconvenient. But since we know that iOS 14 will be a „Snow Leopard“ release focussing on getting things right again, don‘t you believe that Apple management is very, very aware of it? Lessons have been learned.

We don't know anything about that. Only rumours. And Apple's management is the last place I'd seek for awareness of user issues, given their track record since iOS 11 and the train wreck in slow motion that is Catalina. If their lessons were learned, they'd be announcing a replacement to Federighi already.

 

[MandiMac]

We don't know anything about that. Only rumours. And Apple's management is the last place I'd seek for awareness of user issues, given their track record since iOS 11 and the train wreck that is Catalina. If their lessons were learned, they'd be announcing a replacement to Federighi already.

Jon Prosser said among others that the upper management is keeping a very close eye to sites like this. And what would giving Federighi the boot actually change? It‘s not like he‘s the one introducing the bugs. Chill a bit, nobody of us is personally affected, and bugs do happen. Not a single system is perfectly safe. Again, we can be happy that we‘re getting a patch so fast with 13.4.5 - everything else is getting worked up and blood pressure over nothing.

 

[gnasher729]

I'm pretty sure Apple will have prioritised some irrelevant pleasantry like Memoji barf physics in iOS 14 than getting Mail, FaceTime or personal hotspot straightened out.

What makes you think the same people would work on these things? There's one graphics designer who creates new emojis who is very good and drawing emojis but doesn't have the slightest clue how to fix bugs in Mail.

 

[[AUT] Thomas]

Mail is such a mess, can't even put proper headers on reply emails (only when forwarding)... Sorry, but that app is, if at all, only fit for the most basic needs.

IMHO it's a shame that Apple can't write a proper mail client...

 

[gnasher729]

Nitpicking about the something so basic that shouldn't be broken in the first place. After 13 versions and untold number of patches of iOS, Apple still can't figure out how to make Mail watertight? To the point that "ZecOps recommends using a third-party email app like Gmail or Outlook"?? That's the bigger evil IMHO.

ZecOps wants to sound important, that is the whole reason for their existence. "There's a bug in Mail but it's safe to use" doesn't get them headlines, right?

 

[makitango]

How come iOS 5 and earlier users are free from that exploit?

 

[matt_and_187_like_this]

What about 13.4.2, .3 and .4?

 

[otternonsense]

Jon Prosser said among others that the upper management is keeping a very close eye to sites like this. And what would giving Federighi the boot actually change? It‘s not like he‘s the one introducing the bugs. Chill a bit, nobody of us is personally affected, and bugs do happen. Not a single system is perfectly safe. Again, we can be happy that we‘re getting a patch so fast with 13.4.5 - everything else is getting worked up and blood pressure over nothing.

OK here's what I don't get and please level with me here:

Bugs happen, sure, but when they've been happening so often and for such a long time, there has got to be a problem at the top. Forstall was booted for far less damage with Maps and it's not like he coded it himself. Why do you vindicate them constantly dropping the ball on essentials like iOS core apps that have been out for more than a decade?

Some of us might indeed be personally affected. You don't know that. E.g. our employer mandates that we use Apple's Mail on our work-provided phones and there's no way around that. Frankly it makes me nervous because I deal with a lot of confidential content daily.

Why do you prefer invalidating a genuine user concern because some twitter nobody blue checkmark like Jon Prosser said something else?

My blood pressure is fine, thank you.

[automerge]1587725547[/automerge]

What makes you think the same people would work on these things? There's one graphics designer who creates new emojis who is very good and drawing emojis but doesn't have the slightest clue how to fix bugs in Mail.

A graphic designer doesn't typically work on implementation. Indeed, I don't know how Apple manages their dev resources but the proof is in the pudding, no?

 

[I7guy]

I'm pretty sure Apple will have prioritised some irrelevant pleasantry like Memoji barf physics in iOS 14 than getting Mail, FaceTime or personal hotspot straightened out.

As for this patch.. not holding my breath it will be the last one.

Sure, Apple can only create emojis or fix software bugs. /s

 

[Blue Hawk]

They have to update their own apps through the app store. That's an another sign that this is the best choice.

 

[otternonsense]

They have to update their own apps through the app store. That's an another sign that this is the best choice.

Agree. That's one of the things I like about Android (even though I don't use it). Update standalone core apps without going through the full iOS update spiel. And while we're at it, also allow users to update on LTE too.

 

[andiwm2003]

What makes you think the same people would work on these things? There's one graphics designer who creates new emojis who is very good and drawing emojis but doesn't have the slightest clue how to fix bugs in Mail.

I guess that is what he meant: Why does Apple prioritize hiring graphic designers that are very good in the first place? I'd rather have them hiring more programmers and spend the money on testing than hiring that graphic designer. I'm perfectly happy with a more robust OS that looks overall a bit more crappy as long as the functionality and easy of use is still there. But that's just me and I'm known to have no taste for aesthetics

 

[MandiMac]

Bugs happen, sure, but when they've been happening so often and for such a long time, there has got to be a problem at the top. Forstall was booted for far less damage with Maps and it's not like he coded it himself. Why do you vindicate them constantly dropping the ball on essentials like iOS core apps that have been out for more than a decade?

I‘m not sure if Mail ever had a problem of this priority before today. You can‘t really believe that one team codes everything - there are a lot of small sub-teams responsible, and they need time to solve this. Easy as that. You‘re referring to the bug-fest that is iOS 13? Still makes no sense picking out one person and kicking it out.
As for Forstall, these were other times: He didn‘t own up to the mistakes he made and refused to sign the apology letter that went public. That‘s a whole other reason than „oh, Maps isn‘t doing so fine“.
And sorry to be that way, but I‘m generelly wary when I read that a malware is only good for specialised and very targeted attacks. I see your point about having to use Apple Mail, but then it is on the employer, not you, right?

 

[otternonsense]

Sure, Apple can only create emojis or fix software bugs. /s

On every project you prioritise what you want to deliver and resource/talent allocation is only part of that.

 

[I7guy]

I guess that is what he meant: Why does Apple prioritize hiring graphic designers that are very good in the first place? I'd rather have them hiring more programmers and spend the money on testing than hiring that graphic designer. I'm perfectly happy with a more robust OS that looks overall a bit more crappy as long as the functionality and easy of use is still there. But that's just me and I'm known to have no taste for aesthetics

Who said Apple would prioritize graphics designers? Seems both are important in the scheme of things.

 

[otternonsense]

I‘m not sure if Mail ever had a problem of this priority before today. You can‘t really believe that one team codes everything - there are a lot of small sub-teams responsible, and they need time to solve this. Easy as that. You‘re referring to the bug-fest that is iOS 13? Still makes no sense picking out one person and kicking it out.
As for Forstall, these were other times: He didn‘t own up to the mistakes he made and refused to sign the apology letter that went public. That‘s a whole other reason than „oh, Maps isn‘t doing so fine“.
And sorry to be that way, but I‘m generelly wary when I read that a malware is only good for specialised and very targeted attacks. I see your point about having to use Apple Mail, but then it is on the employer, not you, right?

Did Federighi ever own up to iOS 12-13 and Catalina releases being an absolute poopfest? Nobody bothered with an "apology letter" stunt again, because likely that was all a matter of kicking Forstall out of the ivory tower than honest amends making. Maps remains a weak offering to this day outside of the US.

I don't allude to one team or one dev coding everything: but the integrity of the deliverable and prioritisation of features fall to a very few product owners and project managers who (I presume) answer to Federighi. And at the end he should sign off the work as department lead. He's the one responsible for the final result.