Warning to Apple Users! Possible Device Hack by Just Sending Email

TWO CRITICAL FLAWS

Cybersecurity researchers at ZecOps found two bugs in the Apple Mail app, an out-of-bounds write and a heap overflow, that can allow remote code execution (RCE).

NO USER ACTION NEEDED

Both flaws can be triggered while the application processes the content of an email, but the heap overflow can be exploited without the user taking any action. This is known as a “zero-click” attack: no interaction is required from the targeted recipient.

The vulnerability allows remote code execution and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory.

ZecOps says that it has discovered evidence of the attacks being used in the wild and believes them to be “widely exploited.”

The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13. Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).

THE EXPLOIT HAS A FLAW

The one limiting factor is that exploiting the flaw requires a relatively large email, which may be blocked in some cases by certain email providers.

The full details are in the original post from ZecOps.
