Topic: 900 Million iPhones Affected By Updated Apple iOS Warning

Offline javajolt

« on: May 14, 2020, 10:19:13 PM »
05/13 Update below. This post was originally published on May 10.

Apple recently confirmed one of the longest-running vulnerabilities in iOS history, affecting millions of iPhone users. And now new information reveals it just got bigger.

In April, Apple acknowledged that every iPhone released in the last eight years was vulnerable to remote attacks through the iOS Mail app. At the time, the company played down the severity of this, saying it had seen ‘no evidence’ of exploits, but now ZecOps, the security specialist which discovered the flaw, has contacted me with new information that not only is it being triggered in the wild but that the first potential triggers existed a decade ago and every iPhone ever made is vulnerable (Apple confirmed there are 900M active iPhones last year).

05/12 Update: Apple has responded to me saying it will be sticking to its original statement regarding this vulnerability (found here) and is crediting ZecOps for its discovery. As it stands, Apple is not commenting on ZecOps' additional discoveries of vulnerabilities and real-world triggers dating back to 2010. Apple will deliver a fix in iOS 13.5, but there is currently no commitment to patch previous versions of iOS to protect older iPhones. Needless to say, I will keep this post updated with further developments on both sides. As it stands, further developments appear inevitable.

05/13 Update: while Apple continues to play down this vulnerability, significant action is being taken elsewhere. For example, Germany's Federal Office for Information Security (BSI) has issued a statement recommending the removal of the iOS Mail app. BSI President Arne Schönbohm states: “The BSI assesses these vulnerabilities as particularly critical. It enables the attackers to manipulate large parts of the mail communication on the affected devices. Furthermore, there is currently no patch available. This means that thousands of iPhones and iPads are at acute risk from private individuals, companies, and government agencies. We are in contact with Apple and have asked the company to find a solution for the security of their products as soon as possible.” iOS 13.5 cannot arrive soon enough.

“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”

“We continued our research of the MailDemon vulnerability,” said ZecOps CEO Zuk Avraham. “We were able to prove that this vulnerability can be used for Remote Code Execution. Unfortunately, a patch is still not available.”


[Image: ZecOps' infographic highlighting this decade-long iPhone vulnerability]

ZecOps has broken down its findings in detail in a new blog post, where it explains both the vulnerability and triggers, which it reports date all the way back to October 22, 2010, on an original 2G iPhone running iOS 3.1.3. “One thing is certain, there were triggers in the wild for this vulnerability since 2010,” the company explains.

To its credit, Apple has promised to fix this vulnerability in its upcoming iOS 13.5 release, which is great news for owners of the iPhone 6S and newer. But the bigger question is whether Apple will release a patch for previous iOS versions to protect older devices still in use. After all, the iPhone 6 is the biggest-selling iPhone in the company’s history and was still being sold through Apple partners as recently as last year.

I have contacted Apple and will update this post when I have more information (edit: response above). Until then, ZecOps states that the safest course of action is to disable the iOS Mail app (Apple guide here) and switch to Gmail or Outlook, neither of which is vulnerable.

We already know that in September, Apple will launch its most exciting new iPhone range in years. But the big question for the company now concerns the past. How far will it go to protect owners of older models and what will it do to plug the gaps which allowed this vulnerability to sit unfixed for a decade?

Potential iPhone 12 owners will be watching.
