Is there anything wrong with the report about two 0-day vulnerabilities in iOS that allow iPhones and iPads to be ‘taken over’ by mail? At least Apple and Sophos have doubts about the report released this week by a security researcher.
What is the iOS mail bug about?
This week a report from the startup ZecOps, which is active in the field of security, made the rounds. According to their blog post, there are two 0-day vulnerabilities in the mail functions of iOS 6 up to the current iOS 13.x version, which are supposed to allow devices like the iPhone or iPad to be taken over via mail. The user doesn’t notice anything of this attack and doesn’t need to click on anything; receiving an email is enough.
I had reported on the situation, as it appears after the security researchers’ report, in the blog post 0-day Exploits in iOS Mail. The security researchers stated that the vulnerabilities were exploited to attack people. A few hours ago I heard a warning about the vulnerability in today’s news and the BSI warns about these attacks. It is being circulated that the mail app should be uninstalled to prevent the device from being taken over. Sounds dangerous.
Is the whole thing hyped up?
In the meantime, there are signs that the whole story cannot be as dramatic as the security researchers and the BSI have portrayed it. Instead of uninstalling the mail app, it should be sufficient to deactivate the mail accounts concerned in the iOS mail app. Then no more mails will arrive automatically, and the iOS device can no longer be attacked automatically.
Security company Sophos has published the blog post “iPhone zero day – don’t panic! Here’s what you need to know about the vulnerabilities”. The message: Yes, there are probably two vulnerabilities, as reported, that can cause memory overflows. Simply viewing or opening the email without clicking anything in the email itself could cause one of two different crashes in Apple’s mail application. And yes, the crashes are provoked by specially prepared emails, which almost certainly is not accidental.
But it’s no reason to panic. According to Sophos, it is far from certain that these emails will allow an attacker to take over the iOS device unnoticed. The mechanisms used in iOS, such as address space layout randomisation (ASLR), make it difficult if not impossible for an attacker to selectively exploit the memory overflow to execute custom code.
— Ars Technica (@arstechnica) April 24, 2020
Now Ars Technica reports in the article linked in the above tweet that Apple disagrees with the reports that there is a 0-day exploit that allows you to take over an iOS device via mail without user interaction. Apple declined to comment on the ZecOps article. But in the meantime Apple has published a statement on this issue:
Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.
Apple took the security researcher’s report and reviewed the matter. Based on the information provided, Apple specialists have concluded that these issues do not pose an immediate threat to users of iOS devices.
According to Apple, the researcher identified three problems in the Mail app. But these vulnerabilities alone are not sufficient to circumvent the security measures in iOS for iPhone and iPad. Apple states that they also found no evidence that the vulnerabilities were used against customers. Apple writes that these potential problems will be addressed in a software update soon.