The default mailing app pre-installed on millions of iPhones and iPads has been found vulnerable to two critical flaws that attackers are exploiting in the wild, at least, from the last two years to spy on high-profile victims.
The flaws could eventually let remote hackers secretly take complete control over Apple devices just by sending an email to any targeted individual with his email account logged-in to the vulnerable app.
According to cybersecurity researchers at ZecOps, the bugs in question are remote code execution flaws that reside in the MIME library of Apple's mail app—first, due to an out-of-bounds write bug and second, is a heap overflow issue.
Though both flaws get triggered while processing the content of an email, the second flaw is more dangerous because it can be exploited with 'zero-click,' where no interaction is required from the targeted recipients.
8-Years-Old Apple Zero-Days Exploited in the Wild
According to the researchers, both flaws existed in various models of iPhone and iPad for the last 8 years since the release of iOS 6 and, unfortunately, also affect the current iOS 13.4.1 with no patch yet update available for the regular versions.
What's more worrisome is that multiple groups of attackers are already exploiting these flaws—for at least 2 years as zero-days in the wild—to target individuals from various industries and organizations, MSSPs from Saudi Arabia and Israel, and journalists in Europe.
"With very limited data, we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous," the researchers said.
"While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one 'hackers-for-hire' organization is selling exploits using vulnerabilities that leverage email addresses as the main identifier."
According to the researchers, it could be tough for Apple users to know if they were targeted as part of these cyber-attacks because it turns out that attackers delete the malicious email immediately after gaining remote access to the victims' device.
"Noteworthy, although the data confirms that the exploit emails were received and processed by victims' iOS devices, corresponding emails that should have been received and stored on the mail-server were missing. Therefore, we infer that these emails were deleted intentionally as part of an attack's operational security cleanup measures," the researchers said.
"Besides a temporary slowdown of a mobile mail application, users should not observe any other anomalous behavior."
To be noted, on successful exploitation, the vulnerability runs malicious code in the context of the MobileMail or maild application, allowing attackers "to leak, modify, and delete emails."
However, to remotely take full control over the device, attackers need to chain it together with a separate kernel vulnerability.
Though ZecOps hasn't mentioned any detail on what kind of malware attackers have been using to target users, it did believe that attackers are exploiting the flaws in combination with other kernel issues to successfully spy on their victims.
Beware! No Patch Yet Available
Researchers spotted in-the-wild-attacks and discovered the related flaws almost two months ago and reported it to the Apple security team.
At the time of writing, only the beta 13.4.5 version of iOS, released just last week, contains security patches for both zero-day vulnerabilities.
For millions of iPhone and iPad users, a public software patch will soon be available with the release of the upcoming iOS update.
Meanwhile, Apple users are strongly advised to do not to use their smartphones' built-in mail application; instead, temporarily switch to Outlook or Gmail apps.
In a piece of separate news, we today reported about another in-the-wild iPhone hacking campaign where Chinese hackers have been caught targeting Uyghur Muslims with exploit iOS chains and spyware apps.