Although Apple is one of the companies that always emphasizes the importance it gives to user security, two newly discovered zero-day vulnerabilities in the built-in e-mail application compromise more than 2 billion iPhone and iPad devices.
To exploit the vulnerabilities, attackers must send a specially crafted e-mail that consumes a certain amount of memory, forcing the application to stop working. The attackers can then hack the iOS devices and take control of them remotely.
The second vulnerability is even zero-click, which means that the user does not need to do anything for the attacker to be able to exploit it. Another worrying point is that users have no indication that their devices have been attacked.
According to the researchers, the two vulnerabilities they discovered have been detected on various Apple devices in the last 8 years and seem to affect the latest version, iOS 13.4.1. The flaws have largely been exploited by malicious actors targeting VIP users such as:
- Employees of Fortune 500 companies in North America
- A journalist in Europe
- A VIP from Germany
- MSSP from Saudi Arabia and Israel
- An executive working for a Japanese transport company
- An executive working for a Swiss company
The company has been notified of the vulnerabilities and is already preparing a beta version that contains a fix for affected devices, which it is expected to release to users of the stable version in the next iOS 13.4.5 update.