UPDATE: In a statement released to the media, Apple refutes claims made by security researchers that bugs in the stock Mail app in the iOS operating system are actively being exploited.
Reports are coming in that the stock Mail application preloaded on iOS devices, including iPhones and iPads, contains a zero-day vulnerability that hackers may have been exploiting for years, exfiltrating data while flying under the radar. But before we get into the details, here’s a public service announcement:
Stop using the stock iOS Mail app now! Hackers are actively exploiting an unpatched bug to steal data from unsuspecting victims.
Now on to our story …
Although iOS typically excels at foiling hackers, Apple’s mobile operating system is not immune to attacks. When bugs do crop up, they are major, and they fetch millions from well-funded criminals eager to exploit them. And because these bad actors are good at keeping their mischief a secret, targeting only high-profile victims without leaving a trace, they can fly under the radar for as long as the flaw remains their dirty little secret.
Long story short
Yesterday evening, Reuters sounded the alarm on a serious flaw in Apple’s mobile OS that has left more than half a billion iPhones vulnerable to hackers for at least two years. The flaw itself – in the MIME library of Apple’s Mail app – has been hiding in the software for around eight years, researchers say.
ZecOps, the San Francisco-based company that discovered the vulnerability, said hackers are exploiting the flaw in combination with other kernel issues to deploy their attacks. Chief Executive Zuk Avraham reportedly found evidence the vulnerability has been exploited in at least six cybersecurity break-ins.
Avraham described one targeted client as a “Fortune 500 North American technology company.” Other potential victims include high-profile employees of companies in Japan, Germany, Saudi Arabia and Israel. The exec declined to name any of the victims.
According to the research, victims receive what appears to be a blank email message that, due to its underlying code, forces the Mail app to crash. During the crash-and-restart sequence, malicious code gets executed, granting hackers remote access to data available to the Mail app, including messages and photos. Researchers call it a ‘zero-click’ exploit, because the attack requires no input from the user.
“With very limited data, we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous,” the researchers said, adding that they are “aware that at least one ‘hackers-for-hire’ organization is selling exploits using vulnerabilities that leverage email addresses as the main identifier.”
How to stay safe until Apple patches the bug
Apple has already deployed a patch in the latest iOS beta seeded to developers. The public release of Apple’s new iOS version has yet to be scheduled, but it should arrive soon, given the circumstances.
While the attacks leveraging this flaw are apparently being carried out against highly targeted individuals, it is worth putting the iOS Mail app aside until Apple patches the flaws. Use a different email client, like Outlook or Gmail, in the meantime.
To make sure your Apple gizmos are safe from cyber-threats in general, consider installing a proven security solution on your shiny iDevice.
Bitdefender Mobile Security is designed to keep your sensitive data safe against prying eyes. It comes with a VPN that protects your online presence by encrypting all Internet traffic. Flip the switch to Web Protection so that it’s ON and we’ll block any dishonest pages going after your personal information such as your credit card details or social security number. Want to find out whether your email accounts have been leaked, or whether your accounts are still private? Simply validate your email address with the app and Bitdefender Mobile Security will run a check to discover if your privacy has been breached. We’ll show you what to do in case that ever happens.