0-day Exploits in iOS Mail

[German]Security researchers have found two 0-day exploits in virtually all iOS versions (iOS 6 through 13) that allow remote code execution (RCE) via mail. The vulnerabilities are likely to be actively exploited.


The 0-day vulnerability was found by the startup ZecOps, who disclosed this in this blog post. I became aware of that yesterday through various reports, including the following tweet.

The vulnerabilities can be exploited via the iOS mail functions burid within the OS and there are known cases where this has been exploited. Therefore the security researchers have published the information although no patch has been released by Apple yet.

The vulnerabilities

Following a routine iOS Digital Forensics and Incident Response (DFIR) investigation, ZecOps security researchers discovered a number of suspicious events. These concern the standard mail application in iOS and date back to January 2018. ZecOps analyzed these events and discovered an exploitable vulnerability affecting Apple's iPhones and iPads. ZecOps then discovered that these vulnerabilities had been exploited in the wild over an extended period of time to attack corporate users, VIPs etc.

These are two vulnerabilities that allow remote code execution (RCE) through a sent, prepared email when opened in the iOS Mail app. The prepared mail will then probably use a lot of memory, resulting in a memory leak that can be exploited. The researchers reveal details in their blog post and write that it doesn't have to be a huge email, as there are many ways to achieve resource exhaustion to exploit the vulnerability.


Affected iOS versions

Security researchers write that all tested iOS versions, including iOS 13.4.1, are vulnerable. Based on the data available to the security researchers, these bugs have been actively exploited in iOS 11.2.2 since January 2018 and possibly earlier.

The researchers write that iOS 6 (released in 2012) and higher are vulnerable. Versions prior to iOS 6 may also be vulnerable, but earlier versions have not been audited. At the time iOS 6 was released, iPhone 5 was on the market.

Known attacks in the wild

The security researchers claim to know of several attacks in the wild that have taken place under iOS 11.2.2 since January 2018. Among the presumably attacked targets were

  • Individuals from a Fortune 500 organization in North America
  • An airline executive in Japan
  • A VIP from Germany
  • IT service providers (MSSPs) from Saudi Arabia and Israel
  • A journalist in Europe
  • Suspected: An executive from a Swiss company

It is likely that the same actors are currently actively exploiting these weaknesses. Security researchers speculate that the attackers have even exploited this vulnerability earlier

How to recognize, what can you do?

Apple is currently working on a security update, and has patched both vulnerabilities in iOS 13.4.5 beta, although I am not sure which iOS versions will be updated. The current advice is to avoid using iOS mail at this time.

The problem is that the victims can hardly recognize the attack. Apart from a temporary slowdown of the mobile mail application, users should not see any other abnormal behavior. After an exploit attempt (both successful and unsuccessful) on iOS 12 – users may observe a sudden crash of the mail application.

On iOS13, security researchers say that an attack would not be noticeable except for a temporary slowdown. Failed attacks are not noticeable on iOS 13 because another attack can be performed to delete the mail. The only indication of a failed attack would be an email saying "This message has no content". For further details, please refer to the article published by the security researchers.

Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *