As of Monday, a report released by research team ZecOps brought to light a disturbing find its team uncovered when analyzing iOS for bugs. A vulnerability allows for remote code execution through a malformed email message sent to a device and affecting Apple’s default email client, Mail.app on iOS. A deep-dive analysis of the vulnerability found that all versions of iOS going as far back as 6 to as recent as 13.4.1 are affected.
More alarming is the fact that there are roughly 1.5 billion devices in use worldwide, according to Apple’s usage estimates. And further worse news is that an attack against Apple’s latest version of iOS 13.x can occur while the app is open in the background and does not require interaction by the user to execute the code and compromise your device. For users who are still on iOS 12.x the attack requires the user to open the email before the malicious code will execute in most cases.
SEE: Apple iPad Pro 2020: Cheat sheet (free PDF) (TechRepublic)
While this issue should be considered a high-risk threat, Apple does not yet have a publicly available patch. Those running iOS 13.4.5 have reported that the flaw is indeed patched in the beta versions of the update, which Apple is fast-tracking to release as soon as possible. In the meantime, there is guidance below on how to minimize your exposure to this attack, with some steps to take to mitigate this threat until a solution is made publicly available.
Note: The vulnerability only affects Mail.app on iOS-based devices, including iPhone and iPad. Third-party email clients, such as Microsoft Outlook or Gmail, are not affected by this.
Minimizing threat to personal devices
Users who rely on Mail.app to handle emails should stop using the app until Apple releases the official 13.4.5 update to patch the vulnerability. Since the attack can still occur without user intervention, users should delete the Mail app from their iOS devices by tapping and holding the app’s icon until the context menu appears, then select Delete App (Figure A).
The iPad will prompt to confirm the app deletion, so tap the Delete button to confirm its removal. Note that deleting the app will delete all access to the email from that app only. Your emails will still safely reside on the email server for the account setup (Figure B).
Users can set up their email accounts from a third-party client to be able to access their emails until the finalized patch is made available.
Minimizing the threat to company devices
While the steps listed above for personal devices apply to company-owned devices as well, many companies use an MDM solution to manage their iOS devices remotely. If your organization does, there are two solutions available to remove Mail.app: One manual, the other zero-touch.
Removing the app
Allow users to manually remove Mail.app by deleting, as instructed above with personal devices. One caveat to this method is that users will only be able to reinstall the app if they have access to the App Store. Depending on your organization’s setup, access to the App Store may or may not be restricted making restoring access later difficult.
SEE: iPhone 11: A cheat sheet (free PDF) (TechRepublic)
Restricting the app
A feature many MDM platforms support is App Restriction. While the steps to accomplish this task my differ from vendor to vendor, the aim is to configure the restriction policy to disallow access only to Mail.app, or its bundle ID com.apple.mobilemail, to effectively hide the app from the device and prevent it from being launched altogether. This method is most effective, easy to rollback, and zero-touch to implement and remove.