By now chances are you have already heard about the iOS Mail app’s 0-click vulnerability that is causing everyone to panic. If you haven’t then here’s a short explanation…
The iOS Mail app 0-click vulnerability allows an attacker with remote code execution capabilities to infect an iOS device by sending emails that consume a significant amount of memory on the device. An attacker can send an email with RTF, multi-party and other methods with content to consume large enough part of device’s RAM. The vulnerability can be triggered by an infected email with an Unassisted attack, meaning you don’t need to open the email for it to trigger.
On iOS 13 an infected email can attack the target device even when the Mail app is running in the background, that is where the term 0-click comes from. On iOS 12 things are slightly better as the vulnerability only trigger when the user opens the email by tapping on it, however user won’t be able to tell if the attack has taken place as it will happen even before the content of the email has been rendered. However in the case where the attacker also controls the Mail server, the attacks can also trigger Unassisted even on iOS 12 or earlier.
When a device has been successfully attacked, hackers can potentially install malware on the device and control user’s device without their knowledge. They can also steal data from the device.
This particular Mail app vulnerability has been around for a while and exists since iOS 6 released in September 2012.
For longer explanation we recommend reading ZecOps’s write up about this vulnerability.
How To Protect Yourself From iOS Mail Vulnerability
Apple has said that it is working on a patch and will release it soon. In the meantime experts are recommending that users disable the Mail app by removing their Mail accounts from settings, and use third-party mail apps like Gmail or Outlook, which are not vulnerable to this attack.
Jailbreak users can protect themselves by installing the MailMend tweak by developer Ryan Petrich. The tweak fixes the vulnerability in MobileMail’s MIME.framework and protects devices from these Mail app attacks. The tweak also notifies the user when it detects an attempt to exploit the vulnerability, which is neat.
You can download the MailMend tweak from Ryan Petrich’s repo (http://rpetrich.com/cydia/) where it is available as a free download.