San Francisco-based cybersecurity company ZecOps says that iPhones and iPads may be vulnerable to a flaw involving the Mail app, the Wall Street Journal reported Wednesday.
Unlike most email-based phone hacks, which involve making someone click a link or visit a website, this exploit does not require victims to do anything other than download (although not necessarily open) an email. It nonetheless could let hackers install malicious software on their devices.
A ZecOps blog post on the topic says that the vulnerability has existed in Apple’s mobile software as far back as iOS 6.
ZecOps says that is has identified six targets for the attacks. They reportedly include employees of a telecommunications company in Japan, a large U.S. firm, tech companies in Israel and Saudi Arabia, an individual in Germany, and a European journalist. The cybersecurity firm has not been able to examine the malicious code. That’s because the emails used to launch it had been deleted from victims’ phones.
Apple is seemingly aware of the bug, and appears to have fixed it in its latest iOS beta. However, it is not fixed in the most recently publicly released iOS version, iOS 13.4.1. Presumably that will change next time Apple pushes out an update.
Apple works hard to fix bugs before they hit
Periodic bugs discovered by security researchers and others are one reason it’s always important to upgrade to the latest version of iOS and macOS. Yes, bugs can slip under the radar. But many of them are found and fixed by Apple long before we hear about them.
Apple offers up to $1.5 million to anyone who finds a security-challenging bug in a version of its software. That gives people an incentive to let Apple know about exploits that could otherwise be abused by nefarious hackers. As Apple notes on its Security Bounty webpage:
“We reward researchers who share with us critical issues and the techniques used to exploit them. We make it a priority to resolve confirmed issues as quickly as possible in order to best protect customers. Apple offers public recognition for those who submit valid reports. [We also] match donations of the bounty payment to qualifying charities.”
Have you ever been the victim of malware or hacking on an Apple device? Let us know your experiences in the comments below.
