By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Apple recently confirmed one of the longest-running vulnerabilities in iOS history, affecting millions of iPhone users. And now new information reveals it just got bigger. In April, Apple acknowledged that every iPhone released in the last eight years was vulnerable to remote attacks through the iOS Mail app. At the time, the company played down the severity of this saying it had seen ‘no evidence’ of exploits but now ZecOps, the security specialist which discovered the flaw, has contacted me with new information that not only is it being triggered in the wild but that the first potential triggers existed a decade ago and every iPhone ever made is vulnerable (Apple confirmed there are 900M active iPhone last year). 05/12 Update: Apple has responded to me saying it will be sticking to its original statement regarding this vulnerability (found here) and is crediting ZecOps for its discovery. As it stands, Apple is not commenting on ZecOps' additional discoveries of vulnerabilities and real-world triggers dating back to 2010. Apple will deliver a fix in iOS 13.5, but there is currently no commitment to patch previous versions of iOS to protect older iPhones. Needless to say, I will keep this post updated with further developments on both sides. As it stands, further developments appear inevitable. 05/13 Update: while Apple continues to play down this vulnerability, significant action is being taken elsewhere. For example, Germany's Federal Office for Information Security (BSI) has issued a statement recommending the removal of the iOS Mail app. BSI President Arne Schönbohm states: “The BSI assesses these vulnerabilities as particularly critical. It enables the attackers to manipulate large parts of the mail communication on the affected devices. Furthermore, there is currently no patch available. This means that thousands of iPhones and iPads are at acute risk from private individuals, companies, and government agencies. We are in contact with Apple and have asked the company to find a solution for the security of their products as soon as possible.” iOS 13.5 cannot arrive soon enough. "Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.” “We continued our research of the MailDemon vulnerability,” said ZecOps CEO Zuk Avraham. “We were able to prove that this vulnerability can be used for Remote Code Execution. Unfortunately, a patch is still not available.” For more visit OUR FORUM.

 

Translate