Apple has always patted itself on the back when it comes to the security it offers in its devices. However, today, security researchers have disclosed two new zero-day flaws in the default mail app on more than 1 billion iPhones and iPads.
Security researchers at ZecOps have revealed two zero-click, zero-day flaws that could have been used by hackers to compromise high-profile iPhone users simply by sending them an email. According to the researchers' report, the first vulnerability is an out-of-bounds write bug, whereas the second is a heap overflow issue.
To exploit the bugs, an attacker needs to send a specially crafted email that consumes a significant amount of memory, forcing the app to crash and reset. The attacker could then take control of the target iOS device remotely to steal information.
Notably, the second bug is a zero-click bug, meaning that hackers can target a victim without requiring any user interaction. This makes it even easier to exploit. Moreover, the user won’t notice any suspicious behavior while the flaw is being exploited.
The researchers further said that the flaws also affect older iOS versions, going back as far as iOS 6. The flaws have been actively exploited in the wild to target VIP users, including:
- Employees of Fortune 500 companies in North America
- A journalist in Europe
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- An executive working at a Japanese carrier company
- An executive working at a Swiss company
Apple has been informed about the critical zero-day flaws, and the iPhone maker is already testing an iOS beta update containing the fix. The company is expected to roll out the fix to users on the stable release in the next iOS update, namely iOS 13.4.5.