Apple Patches Two iOS Zero-Days Abused for Years (Security News, April 2020)
Researchers are reporting two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads.
iOS 6 and iOS 13.4.1 are affected.
Both bugs are remotely exploitable by attackers who simply send an email to victims' default iOS Mail application on their iPhone or iPad. "The attack's scope consists of sending a specially crafted email to a victim's mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13," wrote researchers.
In simple terms, researchers said the attack occurs when an attacker sends a specially crafted email that, when received by an iOS device's Mail app, consumes so much memory that it creates the conditions for a heap overflow.
"While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google's GMail," Narang wrote.
News URL: https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/