Two vulnerabilities have been discovered in iOS affecting the native Mail app on iPhones and iPads. The more severe of the two can be exploited with zero user interaction: an attacker sends emails that consume large amounts of memory, resulting in a heap overflow.

This vulnerability affects all iOS versions from iOS 6 up to (and including) the latest version (iOS 13.4.1).

According to reports, the attacks are easier to perform on iOS 13 than on older versions. On iOS 13 the attack can be triggered without any user interaction; the Mail app only needs to be open in the background. On iOS 12 an attacker needs the iPhone user to open a malicious email.

The vulnerabilities, disclosed by ZecOps in April 2020, allow remote code execution and enable an attacker to initiate a series of exploits that could compromise the device. However, additional attacks are needed to successfully compromise application data.

In-network security policies (like those offered by Wandera) can be configured to block traffic associated with both command and control and data exfiltration, should a later stage in the kill chain be reached.

Due to the tight integration between Apple’s Mail app and iOS, a proper fix will require an operating system update. Apple is currently testing a patch in the iOS 13.4.5 beta.

Wandera is monitoring the situation and will provide an update in our administrative portal when the new OS is available.

Advice for end-users

In the interim, there are really only two steps you can take, as a user, to reduce your risk exposure:

  • Delete the Mail app – On versions higher than iOS 10 it is possible to delete native applications like Mail just like any other app. Apple provides instructions for deleting and restoring native apps here.
  • Use an alternative email client such as Outlook or Gmail, both of which have been confirmed as unaffected by this vulnerability on iOS.

Advice for IT admins

IT admins who have access to a security solution like Wandera have more options to reduce the risk posed to their users and corporate data until the patch is released:

  • Identify affected devices/users – until the update is available, this will be all iPhone and iPad users. Once the update becomes available, you will want to run an exportable report to view the devices still running older versions.
  • Arrange for users to retrieve their email using a different application: (a) use Apple’s iCloud Mail or your email provider’s equivalent webmail interface, or (b) use a different email app such as Outlook or Gmail.
  • Use a blacklist feature (like that offered by Wandera) to block access to email servers – this will prevent the Mail app from retrieving potentially malicious messages. Be sure to arrange a different form of communication for users while email is unavailable because of the vulnerability.
  • Provide guidance on what indicators of compromise users should look for so they can notify their IT department. Unfortunately, the only real clue of a successful attack is a temporary slowdown or crash of the Mail app. In an unsuccessful attack, an email will appear that says “This message has no content.”
  • Enable conditional access policies that restrict corporate email privileges when specific threats are present, such as this vulnerable iOS version.
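The first and last steps above both come down to the same check: which Apple devices in the fleet are still below the fixed release. The script below is an added illustration, not Wandera's code or any MDM vendor's API. It reads a constructed CSV in the shape of a typical inventory export, compares iOS/iPadOS versions numerically (a plain string comparison would rank "13.10" below "13.4"), and returns the affected rows for an exportable report or as input to a conditional access rule. `PATCHED_VERSION` is a placeholder: at the time of the advisory only the 13.4.5 beta existed, so substitute the release Apple actually ships the fix in.

```python
"""Flag iOS/iPadOS devices still running a build older than the patched
release, from an MDM-style inventory export.

Added example, not Wandera's code. The inventory rows are constructed
sample data and PATCHED_VERSION is a placeholder to be replaced with the
release that carries Apple's fix."""

import csv
import io

# Placeholder for the first fixed release; update once Apple publishes it.
PATCHED_VERSION = "13.4.5"

# Constructed sample inventory in the shape of a typical MDM CSV export.
SAMPLE_INVENTORY = """device_id,user,platform,os_version
d-001,alice,iOS,13.4.1
d-002,bob,iOS,13.4.5
d-003,carol,iPadOS,13.10.2
d-004,dave,iOS,12.4.7
d-005,erin,Android,10
d-006,frank,iOS,13.4
"""


def parse_version(version: str) -> tuple:
    """Turn "13.4.1" into (13, 4, 1) so comparisons are numeric.

    Comparing the raw strings would be wrong: "13.10" < "13.4" as text.
    Non-numeric components (e.g. a beta suffix) are treated as 0, and the
    tuple is padded so "13.4" compares equal to "13.4.0"."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(platform: str, os_version: str,
                  patched: str = PATCHED_VERSION) -> bool:
    """Apple devices on anything below the patched release are treated as
    affected; the advisory covers iOS 6 through 13.4.1. Other platforms
    are out of scope for this bug."""
    if platform.strip().lower() not in ("ios", "ipados"):
        return False
    return parse_version(os_version) < parse_version(patched)


def affected_devices(inventory_csv: str,
                     patched: str = PATCHED_VERSION) -> list:
    """Return the inventory rows that still need the update."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return [row for row in reader
            if is_vulnerable(row["platform"], row["os_version"], patched)]


def report(inventory_csv: str, patched: str = PATCHED_VERSION) -> str:
    """Render the affected rows as a short text report for export."""
    rows = affected_devices(inventory_csv, patched)
    lines = [f"{len(rows)} device(s) below {patched}:"]
    for row in rows:
        lines.append(f"  {row['device_id']}  {row['user']:<8} "
                     f"{row['platform']} {row['os_version']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

Run against a real export, the same `affected_devices` list can feed the blacklist or conditional access step: any device it returns is one whose corporate mail access should be restricted until its version clears the patched release.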