Apple has pushed back against claims that two zero-day bugs in its iPhone iOS have been exploited for years, saying it’s found no evidence to support such activity.
Apple officials made the statement in response to a widely disseminated report published Wednesday by ZecOps, which claimed that two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads already had been exploited in the wild since 2018 by an “advanced threat operator.”
“Both vulnerabilities exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released,” ZecOps said in its report.
However, Apple said in a statement to Bloomberg’s Apple correspondent Mark Gurman that he posted on Twitter that this is just not true.
“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” the company said in the statement.
According to ZecOps researchers, there were a number of targets in attacks exploiting the flaws. Among those affected were “individuals from a Fortune 500 organization in North America” along with executives from a Japanese-based “carrier.”
Others targeted by attacks include; a VIP from Germany, managed security service providers from Saudi Arabia and Israel and a journalist in Europe. An executive from a Swiss enterprise is also suspected to be targeted, researchers said.
ZecOps said they first identified suspicious behavior associated with the vulnerabilities in Feb. 19, 2020. After working closely with an impacted customer of theirs, on March 23 the identified the first out-of-bounds (OOB) write vulnerability that they outlined in the report.
On March 31, researchers identified the second bug, a remote heap overflow vulnerability. The same day it shared its research with Apple. Over April 15 and 16, Apple began making a patch available to mitigate the security flaws in its publicly available beta software. On April 22, researchers publicly disclosed their findings.
Apple already patched both vulnerabilities in iOS 13.4.5 beta, released last week, and said in its statement “these potential issues will be addressed in a software update soon, referring to the expected imminent release of iOS 13.4.5.
Apple did not address ZecOps claims that it worked with the company to identify the flaws, but did stress that it depends on its joint efforts with security researchers to identify flaws in its products to protect user security.
“We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance,” the company said in the statement.
ZecOps acknowledged that Apple had patched the bugs in the most recent iOS 13 beta release, but claimed that “devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners.”
“In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s GMail,” Narang wrote.
As described by the ZecOps team, both bugs are remotely exploitable by attackers who simply send an email to victims’ default iOS Mail application on their iPhone or iPad, allowing hackers to remotely access data from targeted iPhones running the most recent iOS version.
The flaw can also give adversaries access to messages associated with Apple’s default Mail app and can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device, researchers said.
Further, the vulnerability allows hackers to remotely access data from targeted iPhones running the most recent iOS version, as well as giving threat actors access to messages associated with Apple’s default Mail app, they said.