Zero-Day Vulnerabilities in iOS

Published on 24 Apr 2020

Updated on 29 Apr 2020

UPDATED 29 Apr 2020: Update to include a Zero-Day Vulnerability (Sindhi / Italian Flag Text Bomb)

 

Sindhi / Italian Flag Text Bomb

Security researchers discovered a zero-day vulnerability in Apple devices running on the current iOS version 13.4.1. The researchers have detected that the vulnerability has been exploited in attacks.

The vulnerability exploits a weakness in the iOS failure to properly render a Unicode symbol used when writing in Sindhi, an Indo-Iranian language. The threat actor could exploit this vulnerability by sending any application notification containing characters in the Sindhi language and the Italian flag emoji. Successful exploitation could cause the device to crash and affect a large amount of users at the same time.

Apple is patching this vulnerability in iOS 13.4.5, but there is no release date at this point.

In the interim, for affected iOS users:

  • Turn off notifications for applications such as Messages or Whatsapp, to prevent the preview of message until the device is patched.
  • Do not open messages with the Sindhi characters or Italian flag emoji.

 

iOS Mail Application

Security researchers discovered two zero-day vulnerabilities in Apple's native iOS Mail application running on iOS versions 6 and above, including current iOS 13.4.1. The researchers have detected that these vulnerabilities have been exploited in attacks.

The vulnerabilities exploit a weakness in the Mail application’s memory management. A specially crafted email by the threat actor can trigger a memory overflow of the Mail application, and may lead to the device to crash. Successful exploitation could allow further attacks to be performed remotely, to gain access to, read, modify and delete emails.

Apple is patching these vulnerabilities in iOS 13.4.5, but there is no release date at this point.

In the interim,

  • For iOS Users – Consider switching temporarily to an alternative mail application until the patch is released. If you are not using the Mail application, delete it.
  • For Enterprises  –  Administrators of organisations using iOS Mail applications can mitigate the risk by managing the memory usage of the users' devices and reducing the number of unnecessary apps running in the background, and limiting the size of incoming e-mails.

More information is available at:
https://www.macworld.co.uk/news/iphone/sindhi-text-with-italian-flag-crashes-iphone-3786810/
https://www.zdnet.com/article/new-iphone-text-bomb-bug-just-receiving-this-sindhi-character-notification-crashes-iphones/  
https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/ 
https://www.bleepingcomputer.com/news/security/new-ios-zero-days-actively-used-against-high-profile-targets/