Apple Patches Two iOS Zero-Days Abused for Years

Researchers revealed two zero-day security vulnerabilities affecting Apple’s stock Mail app on iOS devices.


Researchers are reporting two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads. Impacted are iOS 6 and iOS 13.4.1. Apple patched both vulnerabilities in iOS 13.4.5 beta, released last week. A final release of iOS 13.4.5 is expected soon.

Both vulnerabilities are are believed to have been actively exploited by an “advanced threat operator” since 2018, according to researchers at ZecOps that publicly disclosed the bugs in a research report published Wednesday.

Both bugs are remotely exploitable by attackers who simply send an email to victims’ default iOS Mail application on their iPhone or iPad.

“The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13,” wrote researchers.

According ZecOps, the vulnerability allows hackers to remotely access data from targeted iPhones running the most recent iOS version. They add, the flaw can also give adversaries access to messages associated with Apple’s default Mail app.

“Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with an unpatched kernel vulnerability would provide an attacker with full device access, though that information has not been identified as of yet,” wrote Satnam Narang, principal research engineer with Tenable in a statement.

The first vulnerability is out-of-bounds (OOB) write vulnerability. Researchers said affected library is “/System/Library/PrivateFrameworks/MIME.framework/MIME” with the vulnerable function  “[MFMutableData appendBytes:length:]”

“[The] the implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate,” researchers said.

The second flaw, a heap-overflow, can also be triggered remotely.

“Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly,” researchers wrote. “The remote bug can be triggered while processing the downloaded email, in such scenario, the email won’t get fully downloaded to the device as a result.”

Researchers said both bugs have been exploited in the wild, however researchers believe “the first vulnerability (OOB Write) was triggered accidentally, and the main goal was to trigger the second vulnerability (Remote Heap Overflow).”

In simple terms, researchers said the attack occurs when an attacker sends a specially crafted email that, when received on an iOS device’s Mail app, guzzled so much memory it created conditions ripe for a heap overflow attack.

“The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods,” researchers wrote.

The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device, researchers said.

ZecOps reported that attacks on iOS 13 would require no interaction by the victim when the “Mail application is opened in the background.” Attacks on iOS 12 does require a user to click on the email. “The attack will be triggered before rendering the content. The user won’t notice anything anomalous in the email itself,” they said.

One caveat to the “unassisted attack” on iOS 12 devices is the vulnerability can only be triggered (aka zero clicks) if the attacker controls the mail server. “Both vulnerabilities exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released,” ZecOps said.

Targeted in the attacks, according to researchers, were “individuals from a Fortune 500 organization in North America” along with executives from a Japanese-based “carrier”. Others targeted by attacks include; a VIP from Germany, managed security service providers from Saudi Arabia and Israel and a journalist in Europe. An executive from a Swiss enterprise is also suspected to be targeted.

“While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s GMail,” Narang wrote. 

Researchers said they first identified suspicious behavior associated with the vulnerabilities in Feb. 19, 2020. After working closely with an impacted customer of theirs, on March 23 the identified the first out-of-bounds (OOB) write vulnerability. On March 31, researchers identified the second bug, a remote heap overflow vulnerability. The same day it shared its research with Apple. Over April 15 and 16, Apple began making a patch available to mitigate the security flaws in its publicly available beta software. On April 22, researchers publicly disclosed their findings.

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.

(This article was updated 4/22 at 4:30 pm EST with commentary from security analysts)

Suggested articles