Apple's Mail app, pre-installed on all iPhones and iPads, is reported to be vulnerable to two critical flaws that attackers have been exploiting in the wild for at least the last two years to spy on targeted victims.
The flaws are remote code execution vulnerabilities residing in the MIME library of Apple's Mail app, where an out-of-bounds write bug leads to a heap overflow.
The flaws could allow remote attackers to secretly take control of Apple devices simply by sending a malicious email to a targeted user who is logged in to the vulnerable Mail app.
How the cybersecurity researchers at ZecOps discovered the flaws
The researchers at ZecOps reported that various iPhone and iPad models from the last 8 years, from the release of iOS 6 through the current iOS 13.4.1, are affected, and no patch has yet been made available for the affected devices.
Although the exploit emails were received and processed by the victims' devices, the corresponding emails that should have been received and stored on the mail server were reportedly missing. It is therefore assumed that these emails were deliberately deleted as part of the attacker's strategy to remain undetected.
The most worrisome part is that multiple attacker groups have already been exploiting the flaws in the wild as zero-days for about 2 years, targeting individuals from organizations in Saudi Arabia and Israel, as well as journalists in Europe.
How to guard against the attacks since no patch is yet available
The researchers promptly reported the flaws to Apple's security team about two months ago, but no patch has yet been issued to protect users against the Mail app bug. However, the iOS 13.4.5 beta, released only last week, contains the security patches for both zero-day vulnerabilities.
Until the patch is made available, Apple users are therefore advised to refrain from using the default Mail app on their devices and to switch to a third-party client such as the Gmail app.
The good news is that a software patch will soon be available with the release of the upcoming iOS update, after which millions of iPhone and iPad users can return to using their favorite email app.