Zero-click, zero-day flaws in iOS Mail 'exploited to hijack' VIP smartphones. Apple rushes out beta patch

Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appears to be government-backed hackers to spy on high-value targets. Think senior executives, journalists, managed security service providers, and similar. ZecOps bods this week claimed the bugs are buried within the iOS …

  1. HildyJ Silver badge
    Big Brother

    It also bears repeating

    "It bears repeating that these reported attacks are limited in scope, and have been only aimed at a small set of high-value targets."

    The qualifier that El Reg left off is "as far as we know."

    Not to go all tinfoil hat but I would be surprised if the exploit was not known and used by Five Eyes and China. They've got teams of professional hackers looking for these sorts of holes.

    Be careful what's on your phone because if a major government player wants to see it they can.

    1. David Shaw

      Re: It also bears repeating

      Major government

      Yep, I stored(*) all my mailboxes from around ‘08 when I was accidentally a consultant at the European Defence Agency and years later the free Bitdefender macOS AV found all sorts of historic goodies, sorry baddies at play. One bunch, obviously from Gloucestershire even slipped a few lines of malware script into the emails from BBC’s “the Secret Show” on CBBC to my nine-year old youth.

      This was nicely confirmed by the BBC when I fairly recently complained to them about this alleged incident a decade earlier, targeting the family of a person of economic/scientific interest and my complaint was instantly treated as serious, escalated to a senior level of mismanagement and eventually analysed by their cyber security team & reported on, all highly unusual behaviour for our dear BBC.

      The gov’s never give up either, as last year a phish email was sent to an aged parent’s iDevice. It was an impressive nation-state spoof that led to a zero-day website, which was gone minutes after the malware was delivered. These attacks are “expensive”, so mystify me, if our KGB wishes to know anything then just phone me up, I know they have my number as they’ve phoned me twice over the last decade - once pretending to be an Intel(chip) trying to send me a .pdf of the latest CPUs[**] and once when I registered my ‘play’ website in Liechtenstein - a scary phone call{***}

      (* terrorbytes of Time Machine backups)

      [** attempt to penetrate my work networks by socially engineered malware containing blob being phoned thru’ for acceptance before deployment; I declined, but they were very plausible & multilingual - from a UK 0345 number!]

      {*** they have a job to do, hopefully some baddies are targeted, when they have the time/interest}

      I assume my iPhone is stuffed with bad stuff from all sorts of other autocratic governments

  2. redpawn Silver badge

    January 2018

    Glad they're getting it patched so soon. It makes me feel safe.

    1. Anonymous Coward

      Re: January 2018

      Perhaps they commanded not to?

      1. Anonymous Coward

        Re: January 2018

        For sure - "NSA is done with this hole now, so we can patch it"

    2. Doug_S

      Re: January 2018

      Nowhere does it say they reported it to Apple in January 2018. Or even that they discovered it then. They said they found triggers going back that far, which could mean they discovered it recently, and were able to go back over old information and find that they were being exploited at least that long ago.

  3. GreggS

    Buy Apple

    It has (in)security built-in!

    1. John Robson Silver badge

      Re: Buy Apple

      Because no other OS has ever had any security vulnerabilities.

      This is particularly bad, but then so are many others.

      1. GreggS

        Re: Buy Apple

        I'm not saying they haven't. It was sarcasm. But Apple use this on their advertising.

        No one is 100% secure so to say it is......

  4. wyatt
    Thumb Up

    Much as I'm not a fan of Apple, the list of devices they still support is very encouraging.

  5. BebopWeBop Silver badge

    Updates certainly appeared by this morning (23 April 2020)

    1. Michael Maxwell

      I got an update on 22 Apr to my iPhone to 13.4.1, but that is not the version said to have the fix--waiting for 13.4.5 for that (it's only out in beta now, and I don't get beta). I just checked now, and my phone tells me there's no update. So you might want to check whether yours was just the 13.4.1 (which doesn't help), or whether you got 13.4.5 sooner than I did.

      BTW, there apparently are no 13.4.2-13.4.4.

  6. My other car WAS an IAV Stryker Bronze badge
    Black Helicopters

    "use another client"

    Article: "...disable Mail on your iThing and use another client if possible."

    When I first started with iOS (an iPod Touch in 2012), that's what I did.

    I later made an email because for some reason, back then, backing up the Notes app required it.

    I never open the Mail app and never share that email address (can't even remember it now), but it's probably been hacked anyway.

    1. tip pc Silver badge

      Re: "use another client"

      you can use any email address for notes.

    2. Charlie Clark Silver badge

      Re: "use another client"

      Except, like browsers, Apple doesn't really like you using other e-mail clients on their darling devices.

      1. WolfFan Silver badge

        Re: "use another client"

        Bullshit. A check in the App Store shows multiple, two dozen when I stopped counting, other email clients, not least MS Outlook and Google Gmail client. I’ve never installed the Gmail client, Google got all huffy about that because Apple Mail and Outlook were ‘not as secure’ as Gmail. Yeah. Right. I have installed Outlook. And others.

  7. Cave-Homme

    Other fruits needed

    Blackberry, we need you back!

  8. EnviableOne Silver badge

    yet again

    Another reason iThings are not enterprise devices

  9. Anonymous Coward

    Use Gmail instead

    Quote from the Guardian - "Until the vulnerability is patched, ZecOps recommends that users “consider disabling the Mail application and use Outlook or Gmail” instead.".

    Would this be the Gmail which reads your emails so it can push adverts at you?

  10. Richard Boyce

    Kernel level exploit

    These bugs are used in conjunction with a kernel level exploit, but I see no mention of a fix for that level of vulnerability. That would seem to be very important. Does that require more work, or is there a problem with disclosing the nature of that?


Biting the hand that feeds IT © 1998–2020