Zero-click, zero-day flaws in iOS Mail 'exploited to hijack' VIP smartphones. Apple rushes out beta patch

Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appears to be government-backed hackers to spy on high-value targets.
Most importantly, the researchers said, in iOS 13, the attack can be performed when Mail automatically downloads messages in the background, meaning no user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately.
While there is right now no official standalone patch for the reported bugs, we're told the freshly released beta version of iOS 13.4.5 fixes both flaws, so a non-beta update from Apple should be arriving soon.
In the context of iOS, arbitrary code execution flaws are often exploited either intentionally by the user to jailbreak their devices, or covertly by miscreants to put surveillance software and other malware on devices.
Interestingly, the researchers note that exploits for both flaws can be carried out before the full message has been loaded, meaning snoops could potentially cover their tracks by deleting the poisoned messages before the user is even aware what happened.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/22/apple_ios_mail_zeroday/