Apple Confirms 0-Day iPhone Mail App Security Exploit, Denies That Customers Were In Danger

Earlier this week, it was reported that a zero-day exploit targeting the iOS Mail app has been in use in the wild. First discovered by the researchers at ZecOps, the vulnerability has been labeled "zero-click" because it allegedly needs no intervention from the user to attack an iPhone or iPad running even the most recent versions of iOS 13.

ZecOps found a total of two vulnerabilities, which included the possibility of remote code execution. Now Apple is responding, and it is trying to throw some cold water on the severity of these exploits. The company released the following statement to news organizations on Friday:

Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.

According to ZecOps, the vulnerabilities that it found affect devices running iOS 6 through iOS 13.4.1. However, the security firm claims that the vulnerabilities weren't actively exploited until January 2018, once iOS 11.2.2 was released.

But Apple's statement above claims that no customers were put in danger by the vulnerabilities, which seems to contradict ZecOps' rather detailed findings. In fact, ZecOps claims that suspected targets included:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan 
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A Journalist in Europe
  • Suspected: An executive from a Swiss enterprise

No matter who's right or wrong in this case, Apple says that it is working on a software update that will address these outstanding issues. More specifically, it's suspected that the holes will be closed with iOS 13.4.5, which is currently in beta.

Brandon Hill
