If a tree were to fall and no one was there to hear it, did it really make a sound? That philosophical question could also apply to software security in asking that if a security flaw existed in a software program but was never exploited, then was it really a security flaw?
That appears to be the case for Apple as a new report published by San Francisco-based firm ZecOps has revealed information of a big vulnerability that has laid dormant in Apple’s Mail application since 2012. The flaw had not previously been disclosed to Apple, making it extremely valuable to a variety of bad factors. ZecOps says it believes “with high confidence that these vulnerabilities… are widely exploited in the wild in targeted attacks by an advanced threat operator(s)” though could not provide any evidence of any actual exploitation occurring.
The attack’s scope consists of sending a specially crafted email to a victim’s mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or mail on iOS 13.
What makes this particular exploit so dangerous, if true, is that it does not require the victim to download a file or visit a malware-infested website. All it requires to remotely execute code on a victim’s iOS device is for the Mail app to receive the email and for the victim to open the message.
The company has claimed to have reproduced the results of the hack and have sent their findings to the tech giant, with the company claiming that Apple will be making updates to their mail app in the near future. Apple has yet to officially respond on any of this information.
So, there may be a big security vulnerability in Apple’s mail application or there may not be. And given that it’s been there for so long, it’s hard to believe that if it has been exploited that Apple hasn’t been aware of it. Are you confused yet?
Last Updated: April 23, 2020
