Apple says iOS Mail vulnerabilities do not pose immediate threat, patch coming

Apple on Thursday responded to reports concerning the discovery of two zero-day vulnerabilities found in its Mail app for iOS, saying the unpatched flaws do not pose an immediate threat to users.

On Wednesday, security firm ZecOps published a report claiming the discovery of two previously unknown Mail vulnerabilities that, if exploited, allow attackers to remotely access, modify or delete user emails.

As detailed by ZecOps, attackers can exploit the iOS bug by sending specially crafted emails that trigger faults, enabling them to run remote code. While the attack requires a user to click on the malicious email in iOS 12, it becomes a zero-click, or unassisted, vector when Mail is opened in the background in iOS 13.

In existence since iOS 6, the flaws have been triggered in the wild as part of targeted attacks, including individuals from a Fortune 500 company, an executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist, ZecOps said.

Apple on Thursday denied the severity of the situation in a statement to Bloomberg's Mark Gurman, who subsequently shared the company's official response in a tweet.

Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.

Apple went on to say it values input from independent security researchers who help make iOS safe and will in the future credit the person who discovered the vulnerability. The company typically issues a security update with each software release to detail patched bugs and identify the security researchers or research groups who discovered them.

According to ZecOps, Apple's latest iOS 13.4.5 beta release patches the reported vulnerabilities.



18 Comments

Rayz2016 8 Years · 6957 comments

So if Apple is saying that there is no immediate threat, then they’re also saying that this part:

In existence since iOS 6, the flaws have been triggered in the wild as part of targeted attacks, including individuals from a Fortune 500 company, an executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist, ZecOps said

is false?

Since this is the second time this bug has shown up, this will now be like a bandaged elbow on a WCW wrestler: somewhere to focus your attack, except that WCW wrestling is more of a pantomime than a sport, so a bandaged elbow isn’t really … anyway that metaphor’s dead in the water so let’s just leave it there. 

digitol 15 Years · 276 comments

Apple's response to this is pure baby caca! It is super insulting how stupid Apple thinks its customers are. Shameful. #Weak #Lies #WetPaperBagSecurity #Shameful.

tommy65 6 Years · 56 comments

Strange if you check Reuters. They say the following: “Apple on Wednesday acknowledged the vulnerability existed in its software for email on iPhones and iPads, known as the Mail app, and said the company had developed a fix that will be introduced in a forthcoming update to millions of devices it has sold globally”.

Why would Apple patch this vulnerability if it doesn’t exist today?

Link to source:
https://www.reuters.com/article/apple-cyber-idUSL2N2CC04D

sirlance99 11 Years · 1301 comments

Man, I love Apple but they always skirt around when they fuck up and NEVER admit to it. It’s always something with them and trying to misdirect. I’d like them a whole ton better if, when they fuck up, they’d just say they fucked it and say they are going to make it better.

Rayz2016 8 Years · 6957 comments

tommy65 said:
Strange if you check Reuters. They say the following: “Apple on Wednesday acknowledged the vulnerability existed in its software for email on iPhones and iPads, known as the Mail app, and said the company had developed a fix that will be introduced in a forthcoming update to millions of devices it has sold globally”.

Why would Apple patch this vulnerability if it doesn’t exist today?

Link to source:
https://www.reuters.com/article/apple-cyber-idUSL2N2CC04D

Apple didn’t say there was no vulnerability. They said they found no evidence that the vulnerability had impacted users.