Security News > 2020 > April > Apple Patches Two iOS Zero-Days Abused for Years
Researchers are reporting two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads.
Impacted are iOS 6 and iOS 13.4.1.
Both bugs are remotely exploitable by attackers who simply send an email to victims' default iOS Mail application on their iPhone or iPad. "The attack's scope consists of sending a specially crafted email to a victim's mailbox enabling it to trigger the vulnerability in the context of iOS MobileMail application on iOS 12 or maild on iOS 13," wrote researchers.
In simple terms, researchers said the attack occurs when an attacker sends a specially crafted email that, when received by an iOS device's Mail app, consumes so much memory that it creates conditions ripe for a heap overflow attack.
"While Apple has issued fixes for these flaws in the beta version of iOS 13.4.5, devices are still vulnerable until the final version of iOS 13.4.5 is readily available to all iOS device owners. In the interim, the only mitigation for these flaws is to disable any email accounts that are connected to the iOS Mail application, and use an alternative application, such as Microsoft Outlook or Google's GMail," Narang wrote.
News URL
https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/