Tuesday, July 7, 00:35
Home security The German government urges iOS users to correct the critical ...

German government urges iOS users to fix critical Mail application flaws

The German federal cybersecurity service today urged iOS users to immediately install the iOS and iPadOS security updates released by Apple on May 20 to repair two zero-click security vulnerabilities that have been actively exploited by affecting the default email application.

"Due to the critical importance of vulnerabilities, the BSI recommends the immediate installation of the corresponding security update on all affected systems," the BSI said.


Startup ZecOps has revealed the bugs after discovering ongoing attacks targeting iOS users since at least January 2018.

The two zero-click vulnerabilities are a memory consuming issue referred to as CVE-2020-9819 that can lead to "heap corruption" and an "out-of-bounds write" issue referred to as CVE-2020-9818, which can lead to unexpected modification of memory or application termination - both have been activated since the Mail application processes a malicious email.

MailDemon's security flaws have been addressed by Apple with the release of iOS 13.5 and iPadOS 13.5 coming with improved memory handling and border control.

"We believe that these attacks are related to at least one nation-state threat organization or one nation-state that bought exploitation by a third-party Proof of Concept (POC) researcher and used "as is" or with minor modifications, ZecOps said at the time.

Fortunately, the attacks reported by ZecOps were aimed at high-profile targets, which means that regular users will not be targeted immediately until exploits for both errors fall into the hands of threatening bodies with less ambitious goals.

Errors affect devices running iOS 3.1.3 and later

According to iOS 13.5 security release notes, vulnerabilities detected by ZecOps affect the iPhone 6s and newer versions, the iPad Air 2 and later versions, the iPad mini 4 and later versions, and the 7th generation iPod touch.

Based on the analysis of the two ZecOps errors, all devices running iOS 3.1.3 to 13.4.1 are exposed to possible attacks that would make execution possible. remote code on broken devices iPhone and iPad and providing access to leaks, editing and deleting emails.

As the founder and CEO of ZecOps shared, "these vulnerabilities have also existed since the first iPhone (iPhone 1 / iPhone 2G) and at least since iOS 3.1.3."

In an official statement issued after the revelation of ZecOps 'findings, Apple disputed the researchers' allegations of ongoing attacks:

Apple takes all security threats seriously. We have thoroughly researched the researcher's report and, based on the information provided, we have concluded that these issues are not immediate. risk for our users. The researcher identified three issues in the Mail, but they alone are not enough to bypass the iPhone and iPad security protections and we did not find any data that was used against customers. These possible issues will soon be addressed in one software update. We value our cooperation with security researchers to keep our users safe and we will credit the researcher for his help.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehchttps://www.secnews.gr
Be the limited edition.


Windows 10 2004: Unauthorized settings "block" the upgrade

Users report that they have a problem with Windows 10, since they are excluded from the application of the May 2020 update, when they manually attempt to ...

Lenovo is improving Linux ThinkPads but the problems remain

Last month, when Lenovo announced that it was going to certify the ThinkPad series for use with Linux operating systems, we thought directly ...

Nigerian accused of fraud against US companies

A Nigerian was taken to the federal court in Chicago on Friday, after being accused of coordinating an international cyber fraud system, which affected ...

Home routers display critical errors and run unpatched Linux

The German Fraunhofer Communication Institute (FKIE) conducted a survey that included 127 home routers from seven different brands, in an effort to ...

IPhone 12 release: Will we finally see it by the end of 2021?

New data on the release of the iPhone 12, which we all expect not to happen in September, say that it will only be delayed ...

MySQL: Replaces terms that reinforce racial discrimination

MySQL database developers have announced that they will be replacing terminology such as master, slave, blacklist, and whitelist.

The CEO of a cryptocurrency investment company was cheating

As reported by News24, Willie Breedt, the founder of VaultAge Solutions (cryptocurrency investment company), declared bankruptcy last week and the ...

United Kingdom: Will it exclude Huawei from its 5G networks?

The UK government has received an NCSC report on Huawei, which may change its policy ...

A Yahoo engineer is not in jail after hacking 6.000 accounts

A former Yahoo engineer has been sentenced to five years in prison for hacking into personal accounts ...

PoC exploits released for critical vulnerability on F5 BIG-IP devices

PoC exploits released for critical vulnerability on F5 BIG-IP devices Two days after the release of updates on critical vulnerability on F5 ...