Thursday, April 30, 2020

Apple Mail Security Issue

Apple has always taken a firm stance on user security and reliability for its iPhone series, and iOS is known as one of the most secure operating systems on the market. However, 2 major vulnerabilities have recently been discovered that have existed for years and are actively being exploited in the wild.

Researchers at security firm ZecOps were conducting a routine Digital Forensics and Incident Response (DFIR) investigation when they ran into abnormalities on some iPhones. This led to the discovery of 2 vulnerabilities in the default Apple Mail app – an out-of-bounds write and a heap overflow. These vulnerabilities can lead to remote code execution and total takeover of the device. The alarming part is how long these vulnerabilities have been around – researchers say they have existed at least since iOS 6, which was released in September of 2012.

The first attacks in the wild that they could find were from January 2018; that’s over 2 years of exploitation. Some suspected targets include Managed Security Service Providers from the Middle East, journalists in Europe, corporate executives from Japan and Sweden, as well as individuals at a Fortune 500 organization in North America.

The 2 vulnerabilities stem from a common issue: how the application handles return values from system calls. They can be exploited by sending a large e-mail, or at least one large enough to consume enough RAM to trigger the heap overflow and the out-of-bounds write. In iOS 13, the exploit can work even without user interaction, while in iOS 12 the user has to click on the e-mail, but the attack can take place before the content is rendered. Users may notice a slight delay in the mail app on iOS 13 for a short time, but other than that there is no noticeable abnormal behavior. In iOS 12, the exploit has been known to cause the mail app to occasionally crash. Part of the attacker’s routine is to remove the e-mail from the victim’s phone, showing operational security awareness in covering their tracks.
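To make the root cause concrete, here is an added example (not Apple's or ZecOps' code) of how an ignored system call return value lets a program's idea of a buffer's size drift away from the real size, next to the checked form. The choice of `ftruncate()`, the `fbuf` struct, the function names and the read-only descriptor used to force the failure are all assumptions made for illustration.

```c
/* Added illustration, not Apple's code: length bookkeeping for a
 * file-backed buffer that is grown with ftruncate(). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct fbuf { int fd; off_t len; };  /* len = size the code believes it has */

/* Unchecked: len is updated even when the kernel refused to grow the file. */
static void grow_unchecked(struct fbuf *b, off_t new_len) {
    if (ftruncate(b->fd, new_len) != 0) { /* failure silently ignored */ }
    b->len = new_len;
}

/* Checked: len changes only after the system call reports success. */
static int grow_checked(struct fbuf *b, off_t new_len) {
    if (new_len < 0 || ftruncate(b->fd, new_len) != 0)
        return -1;                   /* caller must abandon the append */
    b->len = new_len;
    return 0;
}

/* Size of the backing file as the kernel sees it, or -1 on error. */
static off_t real_size(const struct fbuf *b) {
    struct stat st;
    return fstat(b->fd, &st) == 0 ? st.st_size : (off_t)-1;
}

/* Constructed failure: a read-only descriptor makes ftruncate() fail every
 * time, standing in for a failure under memory or storage pressure. */
static struct fbuf open_failing_backing(void) {
    struct fbuf b = { -1, 0 };
    char path[] = "/tmp/fbuf-demo-XXXXXX";
    int rw = mkstemp(path);
    if (rw < 0) return b;
    b.fd = open(path, O_RDONLY);
    close(rw);
    unlink(path);
    return b;
}

int main(void) {
    struct fbuf a = open_failing_backing(), b = open_failing_backing();
    grow_unchecked(&a, 4096);
    printf("unchecked believes %lld, file is %lld; checked rc=%d\n",
           (long long)a.len, (long long)real_size(&a), grow_checked(&b, 4096));
    return 0;
}
```

Any later write that trusts the unchecked `len` lands outside the real backing store, which is why the failure has to stop the append rather than be skipped over.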

Apple has released a publicly available beta of version 13.4.5 with a fix for both vulnerabilities, but the patch has not made it to a stable release yet. Until that happens, if updating to the beta isn’t possible, it is recommended to disable the Apple Mail app and switch to Outlook or Gmail. Make sure to log out of the Apple Mail app as well.