Updated Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appears to be government-backed hackers to spy on high-value targets. Think senior executives, journalists, managed security service providers, and similar.
ZecOps bods this week claimed the bugs are buried within the iOS Mail application, and can be abused to achieve remote code execution without the victim ever needing to open a booby-trapped message. The device just has to receive and process the incoming email, specially crafted to exploit Apple's programming blunders, and malicious code embedded in the message will be executed, we're told. This code can then potentially snoop on and meddle with the victim's online activities.
"We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications," the ZecOps team said.
"While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier."
We're told the bugs have been present in iOS since version 6, released in 2012. ZecOps said it noticed hackers exploiting the weaknesses in January 2018 in version 11.2.2. Now they have determined iOS 13.4.1 and below are all vulnerable. iOS 13 is the latest major version officially available.
According to the infosec biz, the vulnerabilities are a pair of out-of-bounds write and heap-overflow errors triggered when a malformed email is fetched by Mail. While the flaws themselves only grant intruders limited access to the compromised device, they can be chained with exploits for kernel-level security holes that escalate access to the whole iThing, we're told. It is suspected the hackers used a kernel-level privilege-escalation exploit.
Here's the technical description:
ZecOps found that the implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate. In addition, we found a heap-overflow that can be triggered remotely.
We are aware of remote triggers of both vulnerabilities in the wild.
Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly.
Most importantly, the researchers said, in iOS 13, the attack can be performed when Mail automatically downloads messages in the background, meaning no user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately. iOS 12 is slightly more secure, apparently, as the user would need to tap on the email to fetch it and trigger exploitation. Having said that, we're told: "If an attacker controls the mail server, the attack can be performed without any clicks on iOS 12 too."
Flaw hunter bags $75,000 off Apple after duping Safari into spying through iPhone, Mac cameras without permissionREAD MORE
While there is right now no official standalone patch for the reported bugs, we're told the freshly released beta version of iOS 13.4.5 fixes both flaws, so a non-beta update from Apple should be arriving soon. ZecOps said it alerted Apple to the holes last month after witnessing their exploitation in the wild, hence the appearance of a beta release that clears up the problem.
If you can't patch, ZecOps advises those worried of attack to use another email client and disable Mail.
It was noted by Google Project Zero's Jann Horn that ZecOps' publicly disclosed evidence of exploitation could have been mistaken base64-encoded zero bytes. ZecOps CEO Zuk Avraham insisted his team had uncovered evidence of successful exploitation.
In the context of iOS, arbitrary code execution flaws are often exploited either intentionally by the user to jailbreak their devices, or covertly by miscreants to put surveillance software and other malware on devices. Interestingly, the researchers note that exploits for both flaws can be carried out before the full message has been loaded, meaning snoops could potentially cover their tracks by deleting the poisoned messages before the user is even aware what happened.
"Noteworthy, although the data confirms that the exploit emails were received and processed by victims’ iOS devices, corresponding emails that should have been received and stored on the mail-server were missing," they explain. "Therefore, we infer that these emails were deleted intentionally as part of attack’s operational security cleanup measures."
It bears repeating that these reported attacks are limited in scope, and have been only aimed at a small set of high-value targets.
That said, it would be wise to keep an eye out for iOS updates over the next week or so, and promptly install them, as these sort of bugs will often draw copycat attacks from other cyber-crooks. And, as said above, if you're concerned, disable Mail on your iThing and use another client if possible. ®
Updated to add
Apple has played down the threat of the discovered vulnerabilities, though said it will release an official fix for the bugs in due course.