Cybersecurity researchers spot two zero-day iOS exploits, security patch with fix coming soon [Update: Apple Statement]


Update: April 24, 2020 – Apple has released an official statement regarding the issues in Mail and said that it has not found any evidence that they were used against customers. The issues will be fixed in a software update soon.

Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.

Earlier: Researchers at ZecOps, a cybersecurity startup, have reportedly found not one but two zero-day exploits for Apple's iOS. One can be triggered remotely, while the other requires an additional vulnerability to be triggered remotely. Apple has acknowledged the exploits and will be pushing a security patch for iOS 13 in a few days.

Zero-day exploits take advantage of bugs in hardware or software that are not known to the manufacturer, making it easy for hackers to attack a target. Zero-day exploits are rarely spotted, because they stay usable only as long as the public and the manufacturer do not find out about them and fix them. Reports of iPhone zero-day exploits are especially rare, considering how many people have iPhones and how many are on the same version of iOS.

The software involved in these exploits is the iPhone's default Mail app. A hacker would send an email to the target, which would then use the exploit to execute code in the app. Some of the targets identified for these exploits include VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, etc.

Apple has stated that the ZecOps zero-day exploits have already been patched in the latest iOS beta release, with the public version of iOS getting the patch in a few days. To check out ZecOps' complete report on the exploits, click here.
