Security News > 2020 > April > Zero-click, zero-day flaws in iOS Mail 'exploited to hijack' VIP smartphones. Apple rushes out beta patch

Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appears to be government-backed hackers to spy on high-value targets.
Most importantly, the researchers said, in iOS 13, the attack can be performed when Mail automatically downloads messages in the background, meaning no user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately.
While there is right now no official standalone patch for the reported bugs, we're told the freshly released beta version of iOS 13.4.5 fixes both flaws, so a non-beta update from Apple should be arriving soon.
In the context of iOS, arbitrary code execution flaws are often exploited either intentionally by the user to jailbreak their devices, or covertly by miscreants to put surveillance software and other malware on devices.
Interestingly, the researchers note that exploits for both flaws can be carried out before the full message has been loaded, meaning snoops could potentially cover their tracks by deleting the poisoned messages before the user is even aware what happened.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/22/apple_ios_mail_zeroday/
Related news
- Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Apple fixes zero-day exploited in 'extremely sophisticated' attacks (source)
- Apple fixes zero-day flaw exploited in “extremely sophisticated” attack (CVE-2025-24200) (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Global Pressure Mounts for Apple as Brazilian Court Demands iOS Sideloading Within 90 Days (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)