After a security firm uncovered a flaw in Apple’s iOS Mail app that “allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory,” Apple is assuring users that it doesn’t pose an immediate risk.
In a statement late Thursday, Apple assured users that the protections in place on iPhones and iPads are strong enough to mitigate any potential risk. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections.”
In its findings, security researcher ZecOps said the flaws “would allow the attacker to leak, modify, and delete emails.” Users who were the recipient of “failed attacks” might see emails displaying the fairly common, “This message has content” warning. Affected users wouldn’t notice any changes on their device other than “a temporary slowdown” of the Mail app, ZecOps said. The flaws existed since iOS 6, the company says.
While the flaws were “triggered in-the-wild,” according to ZecOps, it said the bugs alone “cannot cause harm to iOS users – since the attackers would require an additional infoleak bug & a kernel bug afterwards for full control over the targeted device.” In its statement, Apple said it has “found no evidence they were used against customers.”
Apple said the vulnerabilities will be addressed in an upcoming software update and has already provided a beta patch in IOS 13.4.5 that ZecOps confirms fixes the issue. If you want to install the patch before its public release, you can join Apple’s iOS Public Beta program.