Apple has said a recently discovered iOS Mail vulnerability poses no immediate threat and a fix is coming soon.
As previously covered, security firm ZecOps discovered a flaw in iOS Mail, affecting both iPhones and iPads. The flaw involved a blank email being sent to a device, an email that would cause a crash and reset. The reset created an opportunity for a hacker to steal data from the device. ZecOps believes the vulnerability was being exploited as far back as 2018, and was working with a client they believed was targeted using this vulnerability in late 2019.
In spite of that, Apple reached out to Bloomberg reporter Mark Gurman to issue a statement, which Gurman tweeted:
Apple responds to ZecOps report on Mail app vulnerabilities, says it doesn’t pose immediate risk and software update coming.
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
— Mark Gurman (@markgurman) 4/23/20
Apple’s response is good news, although it still leaves a number of questions, not the least of which is what ZecOps found in the way of vulnerabilities being exploited over the last two years.