Free Republic
News/Activism

To: Swordmaker
Hi Swordmaker,

If you can determine which versions of iOS (and if possible which versions of the Mail app) are vulnerable, please publish here.

I’m still using my old trusty 5c with 10.3.3 and no option to upgrade anything about it any more. I’m holding my breath for the upcoming re-release of the model SE. :-). But in the meantime....

11 posted on 04/22/2020 8:11:18 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")


To: dayglored
If you can determine which versions of iOS (and if possible which versions of the Mail app) are vulnerable, please publish here.

I’m still using my old trusty 5c with 10.3.3 and no option to upgrade anything about it any more. I’m holding my breath for the upcoming re-release of the model SE. :-). But in the meantime....

Near as I can tell, there’s no there, there. The claim that it does not require opening the email, that just receipt of the email is enough, according to ZecOps, to activate their claimed potential “exploit,” alone tells me they’re blowing smoke. That simply is not possible. It apparently may be something that might “crash” the iPhone, but I doubt even that. It may crash the app via a data overflow being allowed somewhere in the email header (I’ve noticed lately that Mail allows longer Subject lines), but the email body itself is loaded into a non-executable, sandboxed memory location, and nothing, such as scripts, is auto-executed within Mail itself, nor can anything but specifically constrained HTML codes be displayed.

A vulnerability from a data overflow in the header may result in locking the screen, requiring a reboot to return to operational status, but it’s not going to spill out into giving access to secure data for other apps, such as contacts, other than perhaps the email addresses of those who have been received from or sent to in the Mail app, with the same being limited to photos in the Mail app. It would ALSO result in ZecOps having the offending email in hand to analyze the weaponized code that attacked the device. That is NOT what ZecOps claimed they did. Instead, Avraham stated ZecOps had to RECONSTRUCT a suitable attack vector to re-create the reports they saw in the error logs. WHY? Would it not be much easier to just reconstruct the attack from the code in the email?

Where is the offending email? Nowhere does ZecOps report that the attack deleted the attacking email to cover its tracks. Nope. The VAST majority of email on Apple devices is handled by IMAP-type accounts, which are kept on the server regardless of whether they are deleted on the device. This is especially true of Fortune 500 companies, which require archiving of correspondence for legal purposes. Ergo, there is no malignant email attack, because were there one, it would be easily retrieved for analysis. That never happened, so it doesn’t exist. Nothing.

Nor has any other security firm been able to duplicate the attack on this vulnerability. That is extremely suspicious to me. A REAL exploit has to be duplicatable to be a threat, yet an equally expert security firm, although agreeing it “sounds credible,” could not duplicate ZecOps’ crash results, even with the guidance of their paper on how to do it. That says loads.

Is there a vulnerability? Oh, yes, very likely. Everything can have some vulnerabilities. They are created by people. People are fallible. Are they exploitable? Conceivably. Easily? Not necessarily. Perhaps, if a chain of events occurs just exactly correctly, or wrongly, then possibly they can be.

ZecOps has a throw-away line in their report that states that the attacker “could” exploit this vulnerability only if the attacker controlled the email server. Say what???!!! That’s an important prerequisite, but they just toss it out there as if it were of no, or minimal, consequence!

This tells me that the attacking vector has to be injected immediately prior to being sent to the target device, and that it most likely cannot survive passage through multiple ISPs, where it would either crash the servers or be stripped out due to being detected as an impermissible data overflow by validation checks. In other words, this is only exploitable as a targeted attack from someone who has first hijacked the target’s email server. If so, that attack target already has a much more severe problem than an attack on their personal portable devices.

To me, it seems obvious that Apple does not consider this an exploitable vulnerability requiring a stand-alone security update for all versions of iOS since iOS 11.3. It’s not, given the parameters you can read between the lines of in the reports. It’s a minor glitch easily handled in a major update when it’s due to be released. ZecOps did not like that timeline, so they jumped the gun and made a press release to get credit beyond what is earned for minor vulnerabilities. This is not ZecOps’ first foray with this approach to getting attention.

By the way, the iPhone SE is being released right now. It was announced on Monday and I posted an article on it, but the Admin Mods deemed it an advertisement and zapped it. It was a legitimate article, one of numerous ones in the press.

32 posted on 04/23/2020 12:39:26 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot!)
