Earlier this week, ZecOps specialists reported about 0-day vulnerability in iOS, which, according to their data, hackers exploited since 2018 or even longer. However, Apple claims hackers did not use fresh iOS 0-day.
The researchers wrote that exploiting the vulnerability does not require any interaction with the user, and attackers simply need to send a malicious email to the victim. If the user receives mail or opens Apple Mail, the exploit will work. At the same time, for Gmail and other email clients, the attack is irrelevant.In their report, ZecOps experts reported that hackers have long exploited the vulnerability. In particular, researchers found attempts to attack individuals and Fortune 500 companies in North America, CEOs of a Japanese carrier company, a German provider of managed security services, a European journalist and so on. It was noted that the detected attacks fit well with the “profile” of one well-known government hack group, but its name was not disclosed, as experts nevertheless were afraid to make mistakes with attribution.
Now Apple experts have made an official statement regarding the ZecOps report. The company’s engineers write that they carefully studied the information about the problems found by the experts and claim that the experts were mistaken – the vulnerabilities were not used to attack users. At the same time, the company does not deny that the problem exists.
“Any Apple security risk message is taken seriously. We carefully studied the researchers report and, based on the information provided, concluded that these problems do not pose an immediate risk to our users. Researchers have identified three problems in [Apple] Mail, but they alone cannot be used to circumvent iPhone and iPad security features, and we have not found evidence that they were used against our customers. These potential problems will be fixed soon with a software update. We appreciate the participation of information security researchers, who are trying to help ensure the security of our users, and we will certainly thank them for their help and participation,” – write Apple experts.
It is worth saying that the statements published by ZecOps caused many doubts among information security experts. So, some experts wrote on Twitter that they doubt very much that the detected errors could be used against users in real life.
The fact is that ZecOps research was based on crash logs found on supposedly damaged devices. The data from these logs was interpreted as attempts to exploit the bug and attack the user. In particular, ZecOps experts wrote that unsuccessful attack attempts left empty letters and a crash log to the device. While successful attacks supposedly ended with the removal of empty emails to hide the attack from the user.
However, other information security experts noted that if attackers deleted empty emails to hide traces, most likely they would also delete crash logs from the affected devices. Therefore, many have concluded that ZecOps analysts found “spoiled” emails due to a common bug, rather than malicious attacks on iOS users. Now a fresh Apple statement confirms these findings.
In response, ZecOps specialists promised to publish additional information about vulnerabilities and PoC exploits as soon as the patch is available to all iOS users. Let me remind you that on April 15, 2020, Apple released a beta version of iOS 13.4.5, where the vulnerabilities were fixed, so now it remains to wait for the release of a stable version of iOS 13.4.5 in the next weeks.
Note that recently Google experts found 14 vulnerabilities in iOS that attackers used for several years.
User Review
( votes)
