After a thorough examination, Apple has found “no evidence” that a vulnerability discovered in its Mail app for iPhone and iPad has been used against customers. Moreover, Apple is convinced that the Mail flaw “does not pose an immediate risk to our users”.
As both Motherboard and The Wall Street Journal reported earlier in the week, and iDownloadBlog relayed, researchers at San Francisco-based cybersecurity company ZecOps have discovered a pair of security vulnerabilities in the stock Mail app for iOS devices.
The flaws, in existence since iOS 6, apparently don’t require the user to open an attachment, because merely receiving and processing the malicious email message is enough to compromise the device, which is known as a remote zero-click attack. The Mail flaws may have affected more than half a billion iPhones in the wild, ZecOps argued in a report published Wednesday, leaving the devices vulnerable to hackers:
These vulnerabilities are widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organizations such as MSSPs.
Apple is now saying that’s not the case at all, and has given an official statement on the matter to Bloomberg’s Mark Gurman, who shared it in a tweet.
Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users.
The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.
So, there you have it: the Mail app vulnerabilities don’t pose immediate risk and a software fix via an iOS software update is coming.
These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researchers for their assistance.
Some people have characterized Apple’s response as utter nonsense. Let me explain.
ZecOps suspects six targeted attacks have been carried out based on the flaws, including people from a Fortune 500 company, a carrier executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel and a journalist in Europe.
Apple responds to ZecOps report on Mail app vulnerabilities, says it doesn’t pose immediate risk and software update coming. pic.twitter.com/z4ExrmVfK8
— Mark Gurman (@markgurman) April 24, 2020
So, if Apple is telling us the truth and the exploit itself isn’t critical, why the heck did the German authority for information security issue a warning?
The Federal Office for Information Security (BSI) said Wednesday the flaws are “particularly critical” because the bugs potentially permit the attacker “to read, change and delete emails”.
Apple will close the vulnerabilities with iOS 13.4.5, which is currently in testing.