A vulnerability in the Mail app for iOS that has been in the wild since at least 2018 was revealed by security researchers at ZecOps this week. Apple has yet to release a patch addressing the flaw.
The zero-day exploit is particularly nasty because it requires little to no user interaction with the infected emails and, once in place, lets hackers read, modify and delete messages found in the Mail app. In some cases, they can take full control of devices, according to the researchers (via Patently Apple).
Apple has patched the flaw in the latest 13.4.5 public beta release for iOS, but the fix has not made it to a general public release yet, meaning anyone using the default Mail app on a recent version of iOS is at risk.
On iOS 13, in particular, the only noticeable sign of an attack would be a brief device slowdown. The attack uses device memory, then creates a buffer overflow and ultimately injects malicious code. In some cases, the attackers are able to take advantage of a separate bug to take control of the device; otherwise, they are limited to manipulating the Mail app.
The researchers made the vulnerability public knowledge ahead of the release of a full patch. This goes against standard practice, but the exploit is known to have been used against a number of high-value targets within six organizations around the world, and there is a serious concern that it could extend further.
Until Apple releases a general patch for all iOS devices (something that is expected soon), the only way to prevent the exploit is to stop using the default Mail app for iOS or to install the current public iOS 13.4.5 beta.