Zero-click, zero-day flaws in iOS Mail 'exploited to hijack' VIP smartphones. Apple rushes out beta patch

Senior execs, journos, managed security service providers among those targeted, we're told

Updated Apple has reportedly patched, so far only in a beta build of iOS, a pair of critical vulnerabilities in the operating system that are being exploited by what appear to be government-backed hackers to spy on high-value targets. Think senior executives, journalists, managed security service providers, and similar.

ZecOps bods this week claimed the bugs are buried within the iOS Mail application, and can be abused to achieve remote code execution without the victim ever needing to open a booby-trapped message. The device just has to receive and process the incoming email, specially crafted to exploit Apple's programming blunders, and malicious code embedded in the message will be executed, we're told. This code can then potentially snoop on and meddle with the victim's online activities.

"We believe that these attacks are correlative with at least one nation-state threat operator or a nation-state that purchased the exploit from a third-party researcher in a Proof of Concept (POC) grade and used ‘as-is’ or with minor modifications," the ZecOps team said.

"While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as a main identifier."

We're told the bugs have been present in iOS since version 6, released in 2012. ZecOps said the earliest exploitation it observed dates from January 2018, against iOS 11.2.2, and it has since determined that every release up to and including iOS 13.4.1, the latest version officially available, is vulnerable.

According to the infosec biz, the vulnerabilities are an out-of-bounds write and a heap overflow, both triggered when a malformed email is fetched and parsed by Mail. On their own the flaws only grant intruders limited access to the compromised device, namely code execution inside the sandboxed Mail app; to take over the whole iThing they have to be chained with exploits for kernel-level security holes that escalate privileges, we're told. ZecOps suspects the hackers used exactly such a kernel-level privilege-escalation exploit.

Here's the technical description:

ZecOps found that the implementation of MFMutableData in the MIME library lacks error checking for system call ftruncate() which leads to the Out-Of-Bounds write. We also found a way to trigger the OOB-Write without waiting for the failure of the system call ftruncate. In addition, we found a heap-overflow that can be triggered remotely.

We are aware of remote triggers of both vulnerabilities in the wild.

Both the OOB Write bug, and the Heap-Overflow bug, occurred due to the same problem: not handling the return value of the system calls correctly.
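To make the root cause in the quoted description concrete (and the "limited access" point above: a memory-safety bug in a parser, not a kernel hole), here is an added illustration that is not ZecOps' write-up and not Apple's MIME library code. It models a hypothetical file-backed mutable buffer (the `mfdata` name, its layout and the helper functions are all assumptions) that grows by calling ftruncate() on its backing file. The vulnerable append discards the result of that growth step, which is the class of mistake the report describes, so when ftruncate() fails the copy still runs into the old, smaller heap buffer. A canary placed after the payload region stands in for whatever would really be adjacent on the heap and shows the overwrite without crashing; the fixed append checks the return value and writes nothing. The 40-byte "MIME part" is constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CANARY_LEN  64
#define CANARY_BYTE 0xA5

/* Hypothetical file-backed mutable buffer (not the real MFMutableData).
   The capacity the object trusts is whatever the backing file was last
   extended to with ftruncate(); a heap copy of the same size mirrors it.
   The canary after the heap copy stands in for a neighbouring heap chunk. */
struct mfdata {
    int      fd;   /* backing file; -1 models a file that could not be opened */
    uint8_t *buf;  /* cap bytes of payload followed by CANARY_LEN canary bytes */
    size_t   cap;  /* bytes the object believes are writable */
    size_t   len;  /* bytes stored so far */
};

struct mfdata *mfdata_new(int fd, size_t cap) {
    struct mfdata *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->buf = malloc(cap + CANARY_LEN);
    if (!d->buf) { free(d); return NULL; }
    memset(d->buf + cap, CANARY_BYTE, CANARY_LEN);
    d->fd = fd;
    d->cap = cap;
    return d;
}

void mfdata_free(struct mfdata *d) {
    if (!d) return;
    free(d->buf);
    free(d);
}

/* Extend the backing file, then the heap mirror. On any failure nothing is
   changed and -1 is returned: the caller must not assume `want` bytes exist. */
static int mfdata_grow(struct mfdata *d, size_t want) {
    if (ftruncate(d->fd, (off_t)want) != 0)
        return -1;                     /* EBADF, ENOSPC, EINVAL: file not extended */
    uint8_t *nb = realloc(d->buf, want + CANARY_LEN);
    if (!nb)
        return -1;
    memset(nb + want, CANARY_BYTE, CANARY_LEN);
    d->buf = nb;
    d->cap = want;
    return 0;
}

/* Vulnerable: the result of the grow (and so of ftruncate) is discarded.
   After a failed extension the memcpy still copies n bytes into the old,
   smaller buffer: an out-of-bounds heap write. Here it lands in the canary;
   in a real process it would land in whatever chunk follows. */
int mfdata_append_vuln(struct mfdata *d, const uint8_t *p, size_t n) {
    if (d->len + n > d->cap)
        mfdata_grow(d, d->len + n);    /* BUG: return value ignored */
    memcpy(d->buf + d->len, p, n);
    d->len += n;
    return 0;
}

/* Fixed: a failed extension is reported to the caller and no byte is written. */
int mfdata_append_fixed(struct mfdata *d, const uint8_t *p, size_t n) {
    if (d->len + n > d->cap && mfdata_grow(d, d->len + n) != 0)
        return -1;
    memcpy(d->buf + d->len, p, n);
    d->len += n;
    return 0;
}

/* 1 if the canary after the payload region is untouched, else 0. */
int mfdata_canary_intact(const struct mfdata *d) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (d->buf[d->cap + i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Writable scratch file for the success case; unlinked immediately. */
int mfdata_open_backing(void) {
    char path[] = "/tmp/mfdata.XXXXXX";
    int fd = mkstemp(path);
    if (fd >= 0) unlink(path);
    return fd;
}

int main(void) {
    uint8_t body[40];
    memset(body, 'A', sizeof body);              /* constructed oversized MIME part */

    struct mfdata *bad = mfdata_new(-1, 16);     /* backing file unavailable */
    mfdata_append_vuln(bad, body, sizeof body);
    printf("vulnerable append, ftruncate failed: canary %s\n",
           mfdata_canary_intact(bad) ? "intact" : "CORRUPTED");

    struct mfdata *safe = mfdata_new(-1, 16);
    int rc = mfdata_append_fixed(safe, body, sizeof body);
    printf("fixed append, ftruncate failed: rc=%d len=%zu canary %s\n",
           rc, safe->len, mfdata_canary_intact(safe) ? "intact" : "CORRUPTED");

    mfdata_free(bad);
    mfdata_free(safe);
    return 0;
}
```

The point to take from the model is that the dangerous line is not the ftruncate() call but the memcpy that follows it: once a growth step can fail, every writer downstream must treat the old capacity as the only one it has, which is why the fix belongs in the caller's control flow and not in a retry around the system call.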

Most importantly, the researchers said, in iOS 13, the attack can be performed when Mail automatically downloads messages in the background, meaning no user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately. iOS 12 is slightly more secure, apparently, as the user would need to tap on the email to fetch it and trigger exploitation. Having said that, we're told: "If an attacker controls the mail server, the attack can be performed without any clicks on iOS 12 too."

While there is right now no official standalone patch for the reported bugs, we're told the freshly released beta version of iOS 13.4.5 fixes both flaws, so a non-beta update from Apple should be arriving soon. ZecOps said it alerted Apple to the holes last month after witnessing their exploitation in the wild, hence the appearance of a beta release that clears up the problem.

If you can't patch, ZecOps advises those worried about being attacked to disable Mail and use another email client in the meantime.

Google Project Zero's Jann Horn noted that the evidence of exploitation ZecOps disclosed publicly may be nothing more than base64-encoded zero bytes mistaken for an exploit payload. ZecOps CEO Zuk Avraham insisted his team had uncovered evidence of successful exploitation.

In the context of iOS, arbitrary code execution flaws are often exploited either intentionally by the user to jailbreak their devices, or covertly by miscreants to put surveillance software and other malware on devices. Interestingly, the researchers note that exploits for both flaws can be carried out before the full message has been loaded, meaning snoops could potentially cover their tracks by deleting the poisoned messages before the user is even aware what happened.

"Noteworthy, although the data confirms that the exploit emails were received and processed by victims’ iOS devices, corresponding emails that should have been received and stored on the mail-server were missing," they explain. "Therefore, we infer that these emails were deleted intentionally as part of the attack’s operational security cleanup measures."

It bears repeating that these reported attacks are limited in scope, and have been only aimed at a small set of high-value targets.

That said, it would be wise to keep an eye out for iOS updates over the next week or so, and promptly install them, as these sorts of bugs often draw copycat attacks from other cyber-crooks once details are public. And, as said above, if you're concerned, disable Mail on your iThing and use another client if possible. ®

Updated to add

Apple has played down the threat of the discovered vulnerabilities, though said it will release an official fix for the bugs in due course.

Biting the hand that feeds IT © 1998–2022