Apple has found ‘no evidence in a report by cybersecurity company ZecOps that discovered two vulnerabilities in Apple iOS mail which they believed are widely exploited in the wild to target iPhone and iPad users. The security researchers at San Francisco-based ZecOps discovered the bugs in the default iOS and iPadOS Mail app. The bugs allows to run remote code in the context of MobileMail (iOS 12) or maild (iOS 13). Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails.
"Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users," the tech giant said in a statement on Thursday.
The company added that the researcher identified three issues in Mail, "but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers".
ZecOps had said that "additional kernel vulnerability would provide full device access -- we suspect that these attackers had another vulnerability. It is currently under investigation".
What is more, on iOS 13, end-users do not require to perform any action for the exploitation to succeed. On iOS 12, the bug requires the victim to click on an email. If an attacker controls the mail server, the attack can be performed without any clicks on iOS 12 too, the researchers said.
iOS is vulnerable to these bugs at least since iOS 6 –September 2012, ZecOps said, adding that it did not check earlier versions. macOS is not vulnerable to these bugs, it added.
Apple said that these potential issues will be addressed in a software update soon. "We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance," the company said.