In context: Apple cultivates the image of a company that takes security and privacy very seriously, which is why it’s no surprise to see it downplaying every independent report that might suggest the software security protections on iPhone and iPad can’t keep hackers away 100 percent of the time.
Recently, news broke that the default Mail app on iOS has two severe vulnerabilities that have existed for eight years and make it easier for someone to get full control over your iPhone or iPad. The security research group that found them noted that there’s enough evidence to believe that hackers have been exploiting them for the past two years.
Apple has publicly acknowledged the existence of the two flaws, but is now trying to downplay their impact. The company strongly disagrees with the assessment that there’s any evidence about hackers using this against its customers, and noted that chaining the two vulnerabilities isn’t enough to bypass the security protections on iPhone and iPad.
The Cupertino giant told Bloomberg that after analyzing the ZecOps report, it performed an investigation into the proof of concept exploit, which they say is not enough to compromise an iPhone or iPad entirely. The company is still addressing the vulnerabilities in the iOS 13.4.5 update, which suggests that there’s at least some urgency to fixing the problem.
The flaws themselves may not be enough to get full access to someone’s iPhone or iPad, but that says nothing of the possibility that hackers may be able to incorporate them into more complex attacks. Consider that the vulnerabilities have been present in every iOS release since iOS 6. ZecOps explained that it’s possible to use them in conjunction with an info leak bug as well as a kernel bug to achieve full control over the target device.
We’ve seen this kind of reaction before from Apple when they accused Google’s Project Zero of creating unfounded fears over a different iPhone vulnerability. This time, the iPhone maker has been less confrontational while still downplaying its impact in real-life scenarios.
Ironically enough, Jann Horn who is a Google Project Zero researcher, was one of several security researchers to question the findings in the ZecOps report. If you deal with mission critical information it still may be safer to avoid using Mail until the update to iOS 13.4.5 arrives.