Zimperium's Mobile Security Blog

Addressing Critical iOS “Zero-Click” Mail Vulnerabilities

Recently, two vulnerabilities were disclosed in the default iOS Mail application that have existed since 2012 (iOS 6). According to the disclosing company, ZecOps, both vulnerabilities allow remote code execution and enable an attacker to remotely infect a device.

ZecOps has also reported that both vulnerabilities were triggered in the wild against high-value targets. Apple confirmed that the zero-click vulnerabilities exist and that they have patched them in the latest iOS beta (13.4.5).

What Was The Disclosed Threat?

According to ZecOps, the primary exploit involves emails that are crafted to consume significant amounts of RAM. ZecOps found that the implementation of MFMutableData in the MIME library lacks error checking for the ftruncate() system call, which leads to an out-of-bounds (OOB) write.

As a proof-of-concept, the company found a way to trigger the OOB write without waiting for the ftruncate() system call to fail. In addition, ZecOps found a heap overflow that can be triggered remotely. Both the OOB write bug and the heap overflow bug occurred due to the same problem: not handling the return value of the system calls correctly.
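The bug class described above, unchecked system call return values, shown as an added example that is not Apple's MFMutableData code or ZecOps' proof-of-concept. The names `fbuf`, `grow_unchecked`, `grow_checked` and `stale_bytes` are hypothetical, and the read-only descriptor is a constructed way to make ftruncate() fail; no out-of-bounds access is performed, the code only measures how far the recorded length drifts from the real backing size.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical file-backed buffer: len is the size the code believes it has. */
struct fbuf { int fd; off_t len; };

/* Pattern from the write-up: ftruncate() result ignored, len updated anyway. */
static void grow_unchecked(struct fbuf *b, off_t newlen) {
    if (ftruncate(b->fd, newlen) != 0) { /* failure silently dropped */ }
    b->len = newlen;
}

/* Hardened: len changes only after the kernel confirms the resize. */
static int grow_checked(struct fbuf *b, off_t newlen) {
    if (newlen < 0 || ftruncate(b->fd, newlen) != 0) return -1;
    b->len = newlen;
    return 0;
}

/* Real size of the backing file, or -1 on error. */
static off_t backing_size(const struct fbuf *b) {
    struct stat st;
    return fstat(b->fd, &st) == 0 ? st.st_size : (off_t)-1;
}

/* Bytes by which len overstates the backing file after a failed grow; -1 on setup error. */
static long stale_bytes(int checked) {
    char path[] = "/tmp/fbufXXXXXX";
    int rw = mkstemp(path);
    if (rw < 0) return -1;
    struct fbuf b = { rw, 0 };
    if (grow_checked(&b, 4096) != 0) { close(rw); unlink(path); return -1; }
    b.fd = open(path, O_RDONLY); /* constructed failure: ftruncate() fails on a read-only fd */
    unlink(path); close(rw);
    if (b.fd < 0) return -1;
    if (checked) (void)grow_checked(&b, 1 << 20);
    else grow_unchecked(&b, 1 << 20);
    long gap = (long)(b.len - backing_size(&b));
    close(b.fd);
    return gap;
}

int main(void) {
    printf("stale bytes: unchecked=%ld checked=%ld\n", stale_bytes(0), stale_bytes(1));
    return 0;
}
```

Any write that trusts `len` after the unchecked path would land past the real end of the backing storage; the checked path keeps the two in agreement and gives the caller an error to act on.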

The vulnerability trigger on iOS 13 is unassisted (hence the “zero-click” term) and fires when the Mail application is opened in the background. On iOS 12, the vulnerability trigger requires a click on an email.

It is important to note that in order to compromise the entire device (e.g., by exploiting the kernel), the vulnerabilities would need to be exploited and the attacker would also need to create a way to exit the Mail app/maild sandbox.

How Zimperium Helps Customers Today

Zimperium zIPS, powered by Zimperium’s machine learning-based engine, z9, helps protect customers by identifying at-risk devices and active threats trying to leverage the vulnerabilities.

  • At-risk Devices: Currently, the vulnerabilities have been patched in the beta release of iOS 13.4.5 and should be in the generally available patch when Apple releases it (but there is no firm date for that release yet). Administrators can use Zimperium zConsole to find all devices that are on vulnerable OS versions, or search by specific CVE, and trigger customer-definable response actions.
  • Active Threats: If an exploit attempts to elevate privileges or further compromise the device, z9 would detect the attack. 

Zimperium & ZecOps Partner to Provide Advanced Mobile Incident Response Forensics

As Zimperium continues to lead and redefine the enterprise mobile security market, we are proud to announce that we have partnered with ZecOps to offer advanced mobile incident response forensic capabilities to our customers.

Zimperium protects mobile devices against risks and attacks on-device and in real-time. ZecOps complements our offering by providing Digital Forensics Incident Response (DFIR) solutions that provide in-depth post-attack forensic analysis for the mobile platform. Zimperium customers will now have the best of both worlds from one company.

Contact Us

Zimperium is here to protect you and your users against all forms of mobile risks and threats. Please contact us today so we can help.