The standard mail app installed on the iPhone and iPad has been found vulnerable to two critical vulnerabilities that could quietly allow remote hackers to take over control of Apple devices just by sending an email to targeted users.

Vulnerabilities were discovered by cyber security firm ZecOps.

According to ZecOps, the vulnerabilities at issue are out-of-bound writing and remote heap overflow problems, one of which is a critical ‘zero-click’ vulnerability that can be exploited without the targeted recipients needing any interaction.

Both remote code execution vulnerabilities exist in the mail app’s MIME library which can be caused when email data is being processed. These deficiencies have existed for the last 8 years since iOS 6 was released.
Several organizations of criminals are already exploiting these vulnerabilities to threaten users from different industries and entities for at least 2 years as zero-days in the wild.

Unfortunately, Apple users cannot find out if they have been targeted as part of such cyber-attacks as it turns out that attackers would remove the malicious email immediately after remote access to the computer of the victims.

On the positive side, ZecOps did mention “Besides a temporary slowdown of a mobile mail application, users should not observe any other anomalous behavior.”

The vulnerability runs malicious code in the MobileMail program, allowing attackers to “leak, edit, and remove emails.” However, to take complete control of the system remotely, hackers need to combine it with a different vulnerability in the kernel.


These bugs and in-the-wild-attacks were found by ZecOps nearly two months ago and disclosed to the Apple security team.


Only the beta 13.4.5 update of iOS issued last week at the time of writing includes security fixes for both vulnerabilities that are zero-day. A security patch will eventually be available for all iPhone and iPad users in an upcoming iOS update

For more technical details on this vulnerablity take a look at the link below:

Source: https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/