Researchers have discovered two zero-day vulnerabilities on iOS affecting the Mail application on iPhones and iPads. An Apple spokesperson told Reuters a fix would be included in upcoming software updates.

The security of iOS was compromised by researchers from the ZecOps who discovered two zero-day vulnerabilities in the Mail application. The latter is not trivial because they have been exploited by an "APT operator" since 2018. Besides, these flaws would have been present for at least 8 years from IOS 6 released in 2012 until iOS 13.

The two vulnerabilities can be exploited remotely by attackers using a simple email. As explained by the researchers of ZecOps, the email sent is specifically designed to trigger the vulnerability within the MobileMail application on iOS 12 or Maild on iOS 13. According to them, the use of these breaches can also give attackers the ability to access messages associated with the Mail application.


In detail, the first flaw concerns the OOB (Out of Bounds) writing. The affected function is [MFMutableData appendBytes: length:] located into /System/Library/PrivateFrameworks/MIME.framework/MIME library. The latter does not check the error for the ftruncate() system call, which leads to writing Out-Of-Bounds, specifies the researchers.

The second flaw corresponds to a Heap Overflow, also called a buffer overflow and it can also be triggered remotely. The OOB writing bug and the Heap Overflow writing bug are both due to the same problem, which is an incorrect handling of return values ​​from system calls. Successful exploitation of these flaws would allow the attacker to read, modify, and delete emails. Furthermore, if an additional kernel vulnerability were found, this would provide attackers with full access to the terminal.

As stated on the report published on Wednesday by ZecOps researchers, the main impact and keys details are :

  • The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory.
  • The vulnerability does not necessarily require a large email, a regular email which can consume enough RAM would be sufficient.
  • There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods.

Two zero day flaws in iOS Mail threaten billions of iPhone and iPad


The report notes that the attacks on iOS 13 would not require any victim interaction when the Mail app is open and running in the background. For iOS 12, the user must click the email before the attack can be launched. However, to exploit these flaws, attackers must work hard, explains ZecOps. Behind the recent attacks, the groups are probably backed by some governments. These vulnerabilities can also be suspected of having left the lucrative zero-day market. Breaches on iOS are priced very expensive on platforms like Zerodium.


Apple has been notified of the discovery of the two critical flaws and has released fixes in the iOS 13.4.5 beta release. But the devices will remain vulnerable until the final version of iOS 13.4.5 is released to everyone. In the meantime to mitigate the risks, it's highly recommended to deactivate the accounts that are connected to the iOS Mail application and use other applications such as Microsoft Outlook or Google Gmail.