Updated: Apple is said to have fixed some critical iOS vulnerabilities that government-backed hackers use to spy on high-value targets. Think senior executives, journalists, managed security providers and others.
ZecOps said this week that the bugs are buried in the iOS Mail application and can be used to achieve remote code execution without the victim ever having to open a booby-trapped message. All the device has to do is receive and process an incoming email specially crafted to exploit the flaws in Apple’s software, and the malicious code contained in the message will be executed, we are told. This code can then spy on and disrupt the victim’s online activities.
"We believe that these attacks are related to at least one national threat operator or government that has purchased an exploit from a third-party investigator in the proof-of-concept (POC) category and used it as it is or with minor modifications," said the ZecOps team.
Although ZecOps refrains from attributing these attacks to a specific attacker, we know that at least one on-demand hacker organization sells exploits that exploit vulnerabilities using email addresses as primary identifiers.
We have been informed that the bugs have been present in iOS since version 6, which was released in 2012. ZecOps reported that it found hackers exploiting the weaknesses in January 2018, on version 11.2.2. It has now identified iOS 13.4.1 and all lower versions as vulnerable. iOS 13 is the latest major version officially available.
According to the infosec biz, the vulnerabilities are a series of memory write and overflow errors that occur when a malformed message reaches a mailbox. Although the flaws in themselves give attackers limited access to the compromised device, they can be chained with kernel-level security holes to gain access to everything, we were told. The hackers are suspected of exploiting a privilege escalation hole.
Here’s the technical description:
More importantly, according to the researchers, on iOS 13 an attack can be triggered when Mail automatically downloads messages in the background, which means no user interaction is required: data is retrieved and parsed immediately, and the bugs are exploited. iOS 12 is a little more secure, apparently because the user has to tap on the email for it to be fetched and processed. That said, we were told that if an attacker is running the mail server, the attack can be carried out on iOS 12 without a click.
Although there is currently no separate official patch for the reported bugs, we have been informed that the new beta version of iOS 13.4.5 fixes both bugs, so an update for non-beta Apple devices is expected. ZecOps said it warned Apple about the flaws last month after witnessing their exploitation in the wild, and a beta release was issued to address the issue.
If you are unable to apply the fix, ZecOps advises those affected to use another mail client and disable Mail.
Jann Horn of Google’s Project Zero noted that the evidence of exploitation published by ZecOps may have been misidentified base64-encoded zero bytes. ZecOps General Manager Zuk Avraham insisted his team found proof of successful exploitation.
In the context of iOS, code execution bugs are often exploited in the wild, either intentionally by users to jailbreak devices or secretly by intruders to place monitoring and other malware on devices. Interestingly, the researchers discovered that exploits for both defects can be triggered before the full message is downloaded, which means that snoopers are able to cover their tracks by removing poisoned messages before the user knows what happened.
Although the data confirms that the exploits were received and processed by the victims’ iOS devices, the corresponding messages that should have been received and stored on the mail server were not there. We conclude that these messages were deliberately deleted as part of the operational cleanup of the attack.
It should be recalled that these reported attacks are limited in scope and involve only a small group of high-value targets.
However, it would be wise to keep an eye out for iOS updates in the next week or so and install them quickly, as these bugs often attract imitators from other cyber circles. And as stated above, if you have any concerns, please turn off Mail on your iThing and use another client if possible. ®
Updated to add
Apple played down the threat posed by the vulnerabilities identified, although it stated that it would release an official patch in due course.