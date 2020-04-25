Image: Laurenz Heymann

In a statement today, Apple said it was “thoroughly investigating” a recent report on hackers exploiting three iOS vulnerabilities, but “found no evidence to be used against customers.”

Apple’s statement comes after on Wednesday, cybersecurity company ZecOps released a report detailing three iOS vulnerabilities that affected the Apple Mail client.

ZecOps said it found evidence of bugs being used in the wild against a list of high-profile targets that included the following tastes:

Individuals from a Fortune 500 organization in North America

An executive of a company in Japan

A VIP from Germany

MSSPs of Saudi Arabia and Israel

Journalist in Europe

Suspected: an executive of a Swiss company

However, in a report released today, Apple said that based on the details shared by ZecOps in its report, it could not come to the same conclusion: that the error was exploited in the wild. Apple’s full statement is below:

“Apple takes all reports of security threats seriously. We have thoroughly investigated the investigator’s report and, based on the information provided, have concluded that these issues do not pose an immediate risk to our users. researcher has identified three issues in Mail, but they alone are insufficient to circumvent the security protections of iPhone and iPad and we have found no evidence to be used against customers.These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and they will be accrediting the researcher for their assistance. “

The ZecOps investigation had sparked some dissenting opinions on Twitter [1, 2, 3], where several iOS security researchers had questioned the conclusion that insects were exploited in the real world.

The original investigation based its assumption of the existence of exploitation in the wild on the accident records found on the device.

These error logs were interpreted as attempts to trigger the error.

ZecOps said the failed operation left an empty email and a crash log on the device. During subsequent or successful exploitation, ZecOps said the attacker would delete empty emails to hide user attacks.

Image: ZecOps

However, security investigators noted that if the attacker removed the emails, they would most likely have deleted the crash logs as well.

The counterpoint to ZecOps’ original research and conclusion seems to be that the cybersecurity firm only saw malformed emails triggering a benign error, rather than malicious attacks on iOS users, and that Apple needed additional evidence to classify these errors as active attacks. . .

In response to a Reuters report today, ZecOps issued a statement promising to post more information about the bug once the patch is available to the entire iOS user base.

Bugs have been patched in iOS 13.4.5 beta and the fix is ​​expected to hit the general stable iOS channel in the coming weeks.

The full ZecOps statement is as follows:

“According to ZecOps data, there were wild triggers for this vulnerability in some organizations. We want to thank Apple for working on a patch and hope to update our devices once it’s available. ZecOps will post more information and POC once a patch is available. “

The existence of bugs was never questioned, neither by Apple nor by the security community, and it is recommended to install iOS version 13.4.5 when it comes out.

In its statement, Apple wanted to make it clear that it values ​​bug reports from the cybersecurity community, in which the company has invested considerable resources and attention in recent years, but stated that the conclusion of this particular report does not can be verified. his side, at least for the time being and with the information he received.