Apple Mail iOS Vulnerability

Update: As of July 2020, Apple recommends using at least iOS 13.5 or greater. The issue has been fixed and you can use Apple Mail at the time of this update. 

Reports of a bug being actively exploited affecting the Apple Mail iOS application are making news. This bug may have been leveraged in the wild as early as January of 2018, according to sources. Apple has not confirmed that they have seen this attack being exploited against customers. However, it has confirmed that the bug isn’t happening in the beta of the latest (unreleased) iOS. Other security researchers have confirmed the “likelihood” of the legitimacy of this attack being used in the wild. If the vulnerability is truly being exploited, the risks are very real.

How does the Apple Mail iOS Vulnerability Work?

The unique (and dangerous) thing about this vulnerability is that users don’t need to click on a link or in some cases, even open an email to trigger it. This kind of attack is known as a “zero-click” exploit. The severity of these bugs depends on the version of iOS the device runs. With iOS 12, users can only be hit with an attack if they open an infected email in the Apple Mail iOS app. For iOS 13 users, there is vulnerability to “unassisted attacks” that run without the user interacting with the email or its contents. The Apple Mail iOS app downloads the malicious email, and an attack is initiated without the user even opening the message. Once they have access, an attacker could then alter, release or delete emails from the affected account.

The good news is that the attack doesn’t grant access to the entire device, only the information in the Apple Mail app (and associated emails). ADNET considers this a critical vulnerability, but there are steps you can take to protect yourself.

How to Protect Yourself from the Apple Mail iOS Vulnerability

At this time there is no patch available for the vulnerability. Although, Apple has said it is working on an update that will address this issue. Apple encourages all users to install the updated iOS 13.4.5 release as soon as it is available.

In the meantime, to protect yourself from this vulnerability, you should stop using Apple Mail on iPhones and iPads. The vulnerability isn’t known to affect the Apple Mail desktop client for Macs – and disable associated accounts in Apple Mail. Given the fact that you don’t even need to take an action in your email to trigger these exploits, disabling the accounts is the safest choice, albeit inconvenient.

To disable an Email Account in Apple Mail:

  1. ​Go to Settings and select Passwords & Accounts. If you have an older version of iOS, you may need to go to Mail and then Accounts.
  2. Choose the email account to disable.
  3. Turn off the Mail toggle switch if visible or turn off ​Account​.

It’s important to note that disabling the email account or deleting it from the Apple Mail iOS app will not affect your ability to send or receive emails from those accounts. It will only change how you access them. You’re just limiting the application’s ability to sync your messages and send mail. You won’t lose your emails or account history, but you’ll need to use another app (such as Microsoft Outlook or Gmail), or access your email from your web browser for now.

Bottom Line: How Serious is the Apple Mail iOS Vulnerability?

While this is absolutely something to be concerned about, it’s important to balance that fear with the fact that there are steps you can take to limit your risk. Disabling the app is one of them – or deleting if you want to take a more extreme approach.

There are still many questions and unknowns with this, so while ADNET can’t confirm with 100% certainty this is a valid threat, due to the potential impact it still warrants PROACTIVE mitigation efforts. As time passes, surely more details will come to light. We’ll provide an update and patching information as soon as it’s available. A patch is expected in the coming weeks. For now, ADNET recommends not using your Apple Mail iOS app, and disabling accounts when appropriate.

If you have any questions or concerns about this vulnerability, don’t hesitate to reach out to us. We’re here to help.