A security company which discovered iPhone Mail vulnerabilities claimed that they have been ‘widely exploited’ in real-world attacks. Apple has now denied this claim, stating that it could find ‘no evidence’ that the exploits have been used.

Additionally, it says that the vulnerabilities in question cannot bypass iPhone and iPad security safeguards …

Background on iPhone Mail vulnerabilities

Apple has acknowledged the three issues discovered by security group ZecOps, and has patched these in the iOS 13.4.5 beta which should be released to the public soon.

However, ZecOps went on to claim that real-world attacks have been carried out by exploiting these vulnerabilities as far back as January 2018 (in iOS 11.2.2). It went so far as to give examples of specific individuals it believes were targeted using the exploit.

Based on ZecOps Research and Threat Intelligence, we surmise with high confidence that these vulnerabilities – in particular, the remote heap overflow – are widely exploited in the wild in targeted attacks by an advanced threat operator(s).

The suspected targets included:

  • Individuals from a Fortune 500 organization in North America
  • An executive from a carrier in Japan
  • A VIP from Germany
  • MSSPs from Saudi Arabia and Israel
  • A Journalist in Europe
  • Suspected: An executive from a Swiss enterprise

Apple’s denial

Bloomberg reports that Apple not only says it can find no evidence to support this claim, but that the vulnerabilities are not sufficient to allow the reported attacks to succeed.

The U.S. company is countering assertions by cybersecurity company ZecOps Inc. that software flaws may have allowed hackers to infiltrate iPhones and other iOS devices for more than a year. Apple launched an investigation and said in a statement the mail issues were insufficient by themselves to allow cyber-attackers to bypass built-in security, adding it will issue a fix soon.

“We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users,” the Cupertino, California company said. “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”

The denial is not a complete refutation of the claim. It may be the case that the specific vulnerabilities alone cannot bypass security safeguards, but that they can be combined with existing exploits in order to do so. However, the denial is strongly-worded, suggesting the Cupertino company does genuinely believe that no real-world attacks have taken place.


About the Author

Ben Lovejoy