Security News > 2020 > April > Zero-click, zero-day flaws in iOS Mail 'exploited to hijack' VIP smartphones. Apple rushes out beta patch

Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appears to be government-backed hackers to spy on high-value targets.
Most importantly, the researchers said, in iOS 13, the attack can be performed when Mail automatically downloads messages in the background, meaning no user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately.
While there is right now no official standalone patch for the reported bugs, we're told the freshly released beta version of iOS 13.4.5 fixes both flaws, so a non-beta update from Apple should be arriving soon.
In the context of iOS, arbitrary code execution flaws are often exploited either intentionally by the user to jailbreak their devices, or covertly by miscreants to put surveillance software and other malware on devices.
Interestingly, the researchers note that exploits for both flaws can be carried out before the full message has been loaded, meaning snoops could potentially cover their tracks by deleting the poisoned messages before the user is even aware what happened.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/22/apple_ios_mail_zeroday/
Related news
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- Global Pressure Mounts for Apple as Brazilian Court Demands iOS Sideloading Within 90 Days (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- New Windows zero-day leaks NTLM hashes, gets unofficial patch (source)
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices (source)
- Apple backports zero-day patches to older iPhones and Macs (source)