It has been reported that a new potentially serious software vulnerability has been discovered in iOS 13 that works via the default Mail app on iPhone and iPad. ZecOps detailed its findings in a blog post, with the most serious vulnerability of the two affecting the latest iOS 13 public release. According to the researchers, these vulnerabilities are widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organisations.
The recent disclosure that multiple zero-days in the Apple iOS Mail application were exploited in the wild is significant and noteworthy. One of the flaws can be exploited without user interaction (also known as zero click) on iOS 13. The vulnerabilities also affect iOS 12, though interaction is required in most cases.
Exploitation of these flaws would allow an attacker to leak, modify or delete emails within the Mail application. However, the researchers note that combining these flaws with an unpatched kernel vulnerability would provide an attacker with full device access, though that information has not been identified as of yet.
While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google’s GMail.