
German government urges iOS users to fix critical Mail application flaws

The German federal cybersecurity service today urged iOS users to immediately install the iOS and iPadOS security updates released by Apple on May 20. The updates fix two zero-click security vulnerabilities that affect the default email application and have been actively exploited.

"Due to the critical vulnerabilities, BSI recommends the immediate installation of the corresponding security update on all affected systems," BSI said.


Startup ZecOps revealed the bugs after discovering ongoing attacks that have targeted iOS users since at least January 2018.

The two zero-click vulnerabilities are a memory consumption issue tracked as CVE-2020-9819 that could lead to "heap corruption", and an "out-of-bounds write" issue tracked as CVE-2020-9818 that may lead to unexpected modification of memory or application termination. Both are triggered when the Mail application processes a malicious e-mail message.

The MailDemon security flaws have been addressed by Apple with the release of iOS 13.5 and iPadOS 13.5, which come with improved memory handling and bounds checking.

"We believe that these attacks are linked to at least one nation-state threat or a nation-state that bought the exploit from a third-party Proof of Concept (POC) researcher and used it 'as is' or with minor modifications," ZecOps said at the time.

Fortunately, the attacks reported by ZecOps were aimed at high-profile targets, which means that regular users will not be targeted right away, at least until exploits for both bugs fall into the hands of threat actors with less ambitious goals.

Bugs affect devices running iOS 3.1.3 and later

According to the iOS 13.5 security release notes, the vulnerabilities detected by ZecOps affect the iPhone 6s and later, the iPad Air 2 and later, the iPad mini 4 and later, and the 7th generation iPod touch.

Based on ZecOps' analysis of the two bugs, all devices running iOS 3.1.3 to 13.4.1 are exposed to possible attacks that would allow remote code execution on compromised iPhone and iPad devices and give attackers the ability to leak, edit and delete emails.

As ZecOps founder and CEO shared, "these vulnerabilities also existed from the first iPhone (iPhone 1 / iPhone 2G) and at least iOS 3.1.3."

In an official statement issued after the revelation of ZecOps' findings, Apple disputed the researchers' allegations of ongoing attacks:

"Apple takes all security threats seriously. We have thoroughly researched the researcher's report and, based on the information provided, we have concluded that these issues are not an immediate risk for our users. The researcher identified three issues in Mail, but they alone are not enough to bypass the iPhone and iPad security protections and we did not find any data that was used against customers. These possible issues will soon be addressed in one software update. We value our cooperation with security researchers to keep our users safe and we will credit the researcher for his help."



Teo Ehc