U.S. security company ZecOps has found a serious vulnerability in iOS standard mail function that allows remote decoding to be executed without user clicking, and there was evidence that it was used in a zero-day attack. It calls for serious attention.
ZecOps regularly surveys iOS security for individuals including North American Fortune 500 companies, executives in Japanese carriers, VIPs in Germany, MSSPs in Saudi Arabia and Israel, journalists in Europe, and executives in Swiss companies. The target was able to detect multiple triggers for this vulnerability over time.
The attack involves sending specially crafted email that triggers a vulnerability in the context of the iOS MobileMail application on iOS 12 and Maild on iOS 13. Vulnerabilities may exist in all versions of iOS after iOS 6 and are also present in the latest iOS 13.4.1.
Specifically, there is a problem in the implementation method of the function- [MFMutableData appendBytes: length:] in “MFMutableData” of the MIME library in iOS, and the error check of the system call ftruncate () is missing, which leads to out-of-bounds writing. Say.
We also found that ZecOps can trigger out-of-bounds writes with MFMutableData and heap overflows that can be triggered remotely without waiting for this ftrucate () failure. Both bugs are due to improper handling of system call return values.
Regarding the bug that can be triggered remotely, it happens even while downloading the email, so the email is not completely downloaded to the device.
When abused on iOS 12, the email app temporarily slows down and suddenly crashes regardless of success or failure. On the other hand, iOS 13 isn’t noticed except for a temporary slowdown, and if the attack fails, another attack will be done and the user will not notice if the email is deleted.
It is known that this vulnerability has been fixed in iOS 13.4.5 beta, and it can be avoided by using other applications such as Outlook and Gmail until distribution.
April 23, 2020
| iPhone Apps news