Apple just recently confirmed the most significant vulnerability in iOS history after ZecOps made a public announcement about their discovery of a security flaw. We reported about the issue recently. It was speculated that the problem was affecting millions of iPhone users, but after Apple’s announcement, it seems like the issue is more significant than one could imagine.
Since 2010, every iPhone has been affected
Ever since iOS 3.1.3 released in 2010, every iPhone has been vulnerable to a possible remote attack of the iOS mail app. If you own an iPhone, iPad, or an Apple Watch, keep reading.
No patch for the ‘MailDemon’ vulnerability
This vulnerability, publicly also referred to as ‘MailDemon’, can be used for Remote Code Execution for a ‘zero-click exploit’. This means that users can get in trouble even without interacting with the email they receive through their iOS Mail app.According to ZecOps, Apple hasn’t yet released a patch.
Apple to fix this vulnerability
According to some news, Apple has promised to fix the vulnerability with the release of iOS 13.5. This is great news for owners of the iPhone 6S and newer. It’s yet to be seen whether Apple will release a patch for older devices that do not support the new iOS update.
When can we expect the next update?
Apple initially released the iOS 13.4 version on the second-generation iPhone SE on March 24, 2020. On May 2nd, 2020, Apple released the iOS 13.5 beta to developers and public beta users, and the update will include major changes – nevertheless, the update regarding the upcoming changes does not include the fix for the mail vulnerability, instead, it focuses on updates regarding the COVID-19 situation.
What can you do as an iPhone user?
Disable or delete the iOS Mail app on your phone.
You can find instructions on how to delete built-in Apple apps from your iOS12, iOS13, iPadOS, or Apple Watch devices from Apple's website. Start using an alternative, such as Outlook or Gmail apps. Both of these are secure to use.
Do you want to see how ‘MailDemon’ works in more detail?
ZecOps released an excellent article on the technique and triggers, and they call people for a bounty in case they experienced the symptoms. They explain the rules of the bounty in more detail at the end of the post.
And finally, remember to practice safe email habits!
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt