Skip to main content

Apple confirms iOS Mail app flaw in millions of devices — promises fix 'soon'

(Image credit: Laptop Mag)

Apple has responded to reports that a bug in its Mail app is putting iPhone and iPad users at risk of attack. The company downplayed the threat, stating that it doesn't believe the flaw has been exploited in the wild, “We have found no evidence they were used against customers,” the company said.

For context, researchers at ZecOps found a devastating bug in the iOS Mail app that it believes was exploited by malicious programs as far back as January 2018. The zero-day attack would let bad actors infect emails from users, then read, modify and delete messages in the Mail app with minimal to no interaction from the user. In some cases, the cyber-criminals could take full control of devices.

In iOS 13, the only sign of attack would be a performance slowdown. The attack works by using device memory to create a buffer overflow and inject malicious code. In some cases, a separate bug can be exploited to take control of the device.

While admitting the flaw exists, Apple is refuting claims made by ZecOps that the exploit was used to attack at least six high-profile targets. In contrast, ZecOps wrote that it had "high confidence" the vulnerabilities were being taken advantage of by "advanced threat operators." 

Apple took it a step further, claiming the iOS threats "do not pose an immediate risk to users". 

"The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers," Apple wrote in a statement. 

Apple iOS vulnerability patch

Apple patched the flaw in the latest 13.4.5 public beta release for iOS, but has not rolled it out to the general public release yet. Until it does, the Mail app will remain vulnerable. 

Fortunately, Apple said these problems will be addressed in a software update "soon." It did not provide a more specific timeline. 

"We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance,” Apple wrote.

For now, we suggest you stop using the Mail app until the update gets pushed out, even if Apple is correct about the risk being small.