Apple iOS Zero-day Multiple Vulnerabilities
RISK: Extremely High Risk
TYPE: Operating Systems - Mobile & Apps
Multiple vulnerabilities have been identified in Apple iOS. A remote attacker can exploit these vulnerabilities to trigger remote code execution, denial of service, sensitive information disclosure and data manipulation in the context of the Mail app (such as MobileMail on iOS 12 or maild on iOS 13) on the targeted system.
Note:
- Beta version of the patch is available. Stable version of the patch is under development but no release date is officially announced.
- These vulnerabilities are reported to have been exploited in the wild.
- These vulnerabilities alone cannot allow the attacker to take full control over the targeted mobile device. The attackers would require an additional infoleak vulnerability and a kernel vulnerability to do so.
- Nevertheless, successful exploitation of these vulnerabilities would allow the attacker to leak, modify and delete emails via the compromised Mail app, or crash the Mail app.
Impact
- Denial of Service
- Remote Code Execution
- Information Disclosure
- Data Manipulation
System / Technologies affected
- iOS 13.4.1 and previous versions
Solutions
Note: Stable version of the patch is under development – only Beta version of the patch is available at the moment.
Workaround:
User may consider applying the latest beta version of the patch available. Please be aware that beta software is not fully tested for stability. User should conduct testing with care and backup data before applying.
User may also consider disabling Mail app and use one of the alternatives, if applicable:
- use other mail app (such as Outlook)
- use mail service official mobile app (such as Gmail)
- check email through web mail interface
Once succeed in compromising these vulnerabilities, attacker might use other vulnerabilities to further exploit the mobile device to take full control of iOS. So mobile security good practice should be enforced, including:
- Ensure that the latest patches of iOS and all other software on the mobile device are applied
- Install Anti-malware solutions and keep them up-to-date
- Do not open any suspicious emails or visit suspicious websites
- Do not store sensitive information on the mobile device
Vulnerability Identifier
- No CVE information is available
Source
Related Link
Share with