Technology
iPhone vulnerability targets Apple’s iOS Mail app
A newly disclosed iPhone vulnerability gives hackers yet another reason to love email.
According to the San Francisco-based security firm ZecOps, bad actors have discovered a way to attack iOS devices via their default email app. And here’s the real kick to the guts: In some cases, you don’t even have to be tricked into opening the email. The damage is done simply by your phone downloading the malicious email in the background.
ZecOps published details of the vulnerability on Monday, claiming it has seen the attack “widely exploited in the wild.” In other words, ZecOps is saying this isn’t just some theoretical bug. Rather, people have actually used it in targeted attacks. The vulnerability affects, to some degree, every version of Apple’s operating system from iOS 6 and up.
“The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory,” explains ZecOps. “The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device.”
Phones running iOS 13 are particularly vulnerable, as they reportedly don’t even need to open the email for it to do its work. If you’re running iOS 12, you’re a tad bit better off — you have to click the email first, but your phone is ultimately still at risk if you do so.
We reached out to Apple to both confirm ZecOps report and to determine when, if ever, it plans to issue a patch. Apple confirmed that a vulnerability in Mail is patched in the iOS 13.4.5 beta, which is out now, and will be included in an upcoming software update.
This, reportedly, is what a failed attack looks like on an iPhone.
At present, assuming you’re not running a beta version of iOS, ZecOps says there is no way to prevent this attack other than to disable the default iOS mail app.
So, should you actually be worried about this? Well, that depends. Are you someone with valuable information that a nation-state might want a piece of? If so, then possibly.
Victims of this attack, claims ZecOps, include “individuals from a Fortune 500 organization in North America,” “an executive from a carrier in Japan,” “a VIP from Germany,” “[managed security service providers] from Saudi Arabia and Israel,” and “a Journalist in Europe.”
SEE ALSO: As coronavirus spreads, yet another company brags about tracking you
In other words, your average Joe doesn’t need to stress about this too much.
Still, it’s worth keeping in mind that no operating system is completely hack-proof. And yes, that even includes Apple’s. Oh yeah, and it also serves as a stark reminder that you should always make sure your phone is running the latest version of iOS — whether you’re an average Joe or not.
What’s on the far side of the moon? Not darkness.
How Rubrik’s IPO paid off big for Greylock VC Asheem Chandna
Photo-sharing community EyeEm will license users’ photos to train AI if they don’t delete them
Thoma Bravo to take UK cybersecurity company Darktrace private in $5B deal
‘Challengers’ review: You’re not ready for Zendaya’s horny love-triangle drama
Summer Movie Preview: From ‘Alien’ and ‘Furiosa’ to ‘Deadpool and Wolverine’
Zomato’s quick commerce unit Blinkit eclipses core food business in value, says Goldman Sachs
Monsta X’s I.M on making music, gaming, and being called ‘zaddy’
Petlibro’s new smart refrigerated wet food feeder is what your cat deserves
The books on your favorite creators’ TBR shelf
API startup Noname Security nears $500M deal to sell itself to Akamai
US think tank Heritage Foundation hit by cyberattack
NASA discovered bacteria that wouldn’t die. Now it’s boosting sunscreen.
How to watch ‘Argylle’: When and where is it streaming?
Tesla drops prices, Meta confirms Llama 3 release, and Apple allows emulators in the App Store
Tesla layoffs hit high performers, some departments slashed, sources say
TechCrunch Mobility: Cruise robotaxis return and Ford’s BlueCruise comes under scrutiny
Meta to close Threads in Turkey to comply with injunction prohibiting data-sharing with Instagram
Former top SpaceX exec Tom Ochinero sets up new VC firm, filings reveal
Consumer Financial Protection Bureau fines BloomTech for false claims
What’s on the far side of the moon? Not darkness.
How Rubrik’s IPO paid off big for Greylock VC Asheem Chandna
Photo-sharing community EyeEm will license users’ photos to train AI if they don’t delete them
Thoma Bravo to take UK cybersecurity company Darktrace private in $5B deal
‘Challengers’ review: You’re not ready for Zendaya’s horny love-triangle drama
Summer Movie Preview: From ‘Alien’ and ‘Furiosa’ to ‘Deadpool and Wolverine’
Zomato’s quick commerce unit Blinkit eclipses core food business in value, says Goldman Sachs
Monsta X’s I.M on making music, gaming, and being called ‘zaddy’
Petlibro’s new smart refrigerated wet food feeder is what your cat deserves
The books on your favorite creators’ TBR shelf
-
Business6 days agoTikTok Shop expands its secondhand luxury fashion offering to the UK
-
Business5 days agoUnitedHealth says Change hackers stole health data on ‘substantial proportion of people in America’
-
Business5 days agoMood.camera is an iOS app that feels like using a retro analog camera
-
Business4 days agoTesla’s new growth plan is centered around mysterious cheaper models
-
Business3 days agoXaira, an AI drug discovery startup, launches with a massive $1B, says it’s ‘ready’ to start developing drugs
-
Business4 days agoTwo widow founders launch DayNew, a social platform for people dealing with grief and trauma
-
Entertainment4 days agoTesla’s in trouble. Is Elon Musk the problem?
-
Entertainment5 days agoFurious Watcher fans are blasting it as ‘greedy’ over paid subscription service
