Apple disputes recent iOS zero-day claim

Apple says it "thoroughly investigated" a recent report about three iOS Mail bugs but "found no evidence they were used against customers."

Apple logo

Image: Laurenz Heymann

In a statement today, Apple said it "thoroughly investigated" a recent report about hackers exploiting three iOS vulnerabilities but "found no evidence they were used against customers."

Apple's statement comes after on Wednesday, cyber-security firm ZecOps published a report detailing three iOS vulnerabilities that impacted the Apple Mail client.

ZecOps said it found evidence of the bugs being used in the wild against a list of high-profile targets that included the likes of:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan 
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A Journalist in Europe
  • Suspected: An executive from a Swiss enterprise

However, in a report published today, Apple said that based on the details shared by ZecOps in its report, it could not reach the same conclusion -- that the bug was exploited in the wild. Apple's full statement is below:

"Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance."

The ZecOps research had sparked some dissenting opinions on Twitter[1, 2, 3, 4], where several iOS security researchers had questioned the conclusion that the bugs were exploited in the real world.

The original research was basing its assumption of the existence of in-the-wild exploitation on crash logs found on the device.

These crash logs were interpreted as attempts to trigger the bug.

ZecOps said the failed exploitation left an empty email and a crash log on the device. During subsequent or successful exploitation, ZecOps said the attacker would delete the empty emails in order to hide the attacks from the user.

apple-mail-exploit.jpg

Image: ZecOps

However, security researchers pointed out that if the attacker would delete the emails, they would most likely have deleted the crash logs as well.

The counterpoint to ZecOps' original research and conclusion appears to be that the cyber-security firm was merely seeing malformed emails triggering a benign bug, rather than malicious attacks against iOS users, and that Apple needed additional evidence to classify these crash bugs as active attacks.

zecops-comments.png

Responding to a Reuters report today, ZecOps issued a statement promising to release more information on the bug once a patch is available to the entire iOS userbase.

The bugs have been patched in iOS 13.4.5 beta, and the fix is expected to reach the general iOS stable channel in the coming weeks.

The full ZecOps statement is below:

"According to ZecOps data, there were triggers in-the-wild for this vulnerability on a few organizations. We want to thank Apple for working on a patch, and we're looking forward to updating our devices once it's available. ZecOps will release more information and POCs once a patch is available."

The "existence" of the bugs was never questioned, neither by Apple or the security community, and installing the iOS 13.4.5 release is recommended when it comes out.

In its statement, Apple wanted to make it clear that it values bug reports from the cyber-security community, in which the company has invested considerable resources and attention in recent years, but said the conclusion of this particular report couldn't be verified from its side, at least for the time being and with the information it received.