This Monday, ZecOps, a mobile security forensics company in San Francisco, publicly released a blockbuster report: while investigating a customer cyberattack at the end of last year, it discovered two vulnerabilities in Apple Mail, the default mail application that ships with iPhone and iPad, being seriously exploited in the wild.
Using these two vulnerabilities, an attacker can remotely and covertly gain control of an Apple device, and can do so simply by sending an email to a device on which a mail account is logged in. According to incomplete statistics, the incident could affect more than one billion Apple devices worldwide.
Specifically, the two key vulnerabilities are located in the MIME library used by Apple's Mail application and are triggered by problems in parsing the mail format, including an out-of-bounds read/write and a heap overflow. By sending a blank email, the attacker can force arbitrary code execution on the target phone and thereby access confidential information with the permissions of the Mail application.
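The article only names the defect class (attacker-controlled lengths in a MIME parser reaching a heap buffer). As an added illustration that is not Apple's code and not the ZecOps bug, the following constructed C routine unfolds a folded RFC 5322 header value (continuation lines starting with a space or tab) into a caller-supplied buffer, and refuses, rather than writing past the buffer, when the attacker-controlled value does not fit. The names `unfold_header_value`, `make_long_header` and the cap used in the demo are assumptions of this example:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: bounded unfolding of a header value of the kind a
 * mail MIME parser handles. A parser that computed the output size from the
 * first line only, or trusted a length field in the message, would write the
 * continuation lines past the end of its heap buffer; the explicit check
 * below is the fix for that class of bug. Not Apple's code, not ZecOps' PoC. */

/* Returns 0 on success (out holds the unfolded, NUL-terminated value),
 * -1 if `msg` does not start with a "Name: value" header line, and
 * -2 if the unfolded value would not fit in out[outsz]. */
int unfold_header_value(const char *msg, char *out, size_t outsz)
{
    if (outsz == 0) return -2;
    const char *p = strchr(msg, ':');
    if (!p) return -1;
    p++;
    size_t len = 0;
    int first = 1;
    for (;;) {
        /* strip leading whitespace of this physical line */
        while (*p == ' ' || *p == '\t') p++;
        if (!first) {
            /* continuation lines are joined with a single space */
            if (len + 1 >= outsz) return -2;   /* bounds check */
            out[len++] = ' ';
        }
        first = 0;
        while (*p && *p != '\r' && *p != '\n') {
            if (len + 1 >= outsz) return -2;   /* bounds check: room for NUL */
            out[len++] = *p++;
        }
        if (*p == '\r') p++;
        if (*p == '\n') p++;
        /* a line starting with SP or HTAB continues the same header (folding) */
        if (*p != ' ' && *p != '\t') break;
    }
    out[len] = '\0';
    return 0;
}

/* Constructed test input: one header whose value is n bytes of 'A',
 * standing in for an oversized value in a crafted message. Caller frees. */
char *make_long_header(size_t n)
{
    static const char prefix[] = "X-Constructed: ";
    char *s = malloc(sizeof prefix + n + 2);
    if (!s) return NULL;
    memcpy(s, prefix, sizeof prefix - 1);
    memset(s + sizeof prefix - 1, 'A', n);
    s[sizeof prefix - 1 + n] = '\0';
    return s;
}

int main(void)
{
    char buf[64];
    /* constructed folded header, as found in a normal message */
    const char *folded = "Subject: Hello\r\n world\r\nFrom: a@example.test\r\n";
    int rc = unfold_header_value(folded, buf, sizeof buf);
    printf("folded header -> rc=%d value=\"%s\"\n", rc, rc == 0 ? buf : "");

    /* oversized value: the checked parser refuses instead of overflowing */
    char *big = make_long_header(5000);
    rc = unfold_header_value(big, buf, sizeof buf);
    printf("5000-byte header into 64-byte buffer -> rc=%d\n", rc);
    free(big);
    return 0;
}
```

The point a defender should take from it is that every byte count in the output must be derived from what was actually copied, checked against the destination on every write, and that an over-long input is an error to report, not something to truncate silently.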
Both vulnerabilities have been triggered in the wild, and the second is the more serious, because it allows "zero-click" exploitation without any user interaction. The details are as follows:
Vulnerability trigger on iOS 12: on this version of the system, the user needs to open the email to trigger the vulnerability, but if the attacker controls the mail server, it can be triggered without the email being opened;
Vulnerability trigger on iOS 13: an unassisted (zero-click) attack on iOS 13 when the Mail app is open in the background.
Even more disturbing, the attacker can also chain this set of vulnerabilities with other kernel-level vulnerabilities to expand access and take control of the entire iPhone.
In response, former IDF security researcher Avraham also said he suspected that this hacking technique was part of a chain of malicious programs, the rest of which had not yet been discovered, and which together may give the attacker complete remote access.
As for the scope of the vulnerability, the news indicates that it dates back at least to Apple's release of iOS 6 in 2012 and still affects the current iOS 13.4.1. In other words, this group of vulnerabilities has existed for at least 8 years and affects almost all versions of Apple's iOS. Unfortunately, apart from a brief slowdown of the Mail app, it is difficult for users to notice any anomaly.
In this regard, the researcher said: "It is difficult for Apple users themselves to realize that hackers have intruded, because an attacker can delete the malicious email immediately after obtaining remote control of the user's device, or because deleting the email is itself part of the attack."
As of now, Apple has officially acknowledged the vulnerability, saying that it has developed a fix and will release a security update as soon as possible.
Although Apple has begun to develop a fix, it is clear that the hacker group is ahead of the security experts. In this Monday's report, ZecOps said that although the attackers behind the attack have not been identified, it has learned that at least one "mercenary organization" is selling the exploit and uses the email address as a unique identifier.
More importantly, ZecOps disclosed that there is evidence hackers have been exploiting this iOS vulnerability since at least January 2018, apparently as part of a malicious email campaign against high-profile iOS users. Existing data shows that corporate executives in North America, Japan, Germany, Saudi Arabia, Israel and other countries bear the brunt. The known targets are as follows:
Multiple individuals from a Fortune 500 organization in North America
An executive of a Japanese operator
One German VIP
MSSPs in Saudi Arabia and Israel
A European journalist
Executive of a Swiss company suspected of being attacked
In addition, the company's researchers also said: "We believe that these attacks are related to at least one nation-state threat operator, or to a nation-state that purchased the exploit from a third-party researcher at the proof-of-concept level and used it 'as is' or with slight modifications."
As of now, Apple has not responded to the in-the-wild exploitation of this group of vulnerabilities.