Apple on Thursday responded to reports concerning the discovery of two zero-day vulnerabilities found in its Mail app for iOS, saying the unpatched flaws do not pose an immediate threat to users.
On Wednesday, security firm ZecOps published a report claiming the discovery of two previously unknown Mail vulnerabilities that, if exploited, allow attackers to remotely access, modify or delete user emails.
As detailed by ZecOps, attackers can exploit the iOS bug by sending specially crafted emails that trigger faults, enabling them to run remote code. While the attack requires a user to click on the malicious email in iOS 12, it becomes a zero-click, or unassisted, vector when Mail is opened in the background in iOS 13.
In existence since iOS 6, the flaws have been triggered in the wild as part of targeted attacks, including individuals from a Fortune 500 company, an executive in Japan, a VIP in Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist, ZecOps said.
Apple on Thursday denied the severity of the situation in a statement to Bloomberg's Mark Gurman, who subsequently shared the company's official response in a tweet.
Apple take all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.
Apple went on to say it values input from independent security researchers who help make iOS safe and will in the future credit the person who discovered the vulnerability. The company typically issues a security update with each software release to detail patched bugs and identify the security researchers or research groups who discovered them.
According to ZecOps, Apple's latest iOS 13.4.5 beta release patches the reported vulnerabilities.