TWO CRITICAL FLAWS
According to cybersecurity researchers at ZecOps, two bugs in the Apple Mail app, an out-of-bounds write and a heap overflow, can allow remote code execution (RCE).
NO USER ACTION NEEDED
Both flaws can be triggered while the application processes the content of an email, but the heap overflow can be exploited without the user taking any action. This is known as “zero-click”: no interaction is required from the targeted recipients.
ZecOps says that it has discovered evidence of the attacks being used in the wild and believes them to be “widely exploited.”
THE EXPLOIT HAS A FLAW
The good news about the flaw is that it requires a relatively large email, which certain email providers may block in some cases.
The full post from ZecOps can be found here.