UPDATED 14:53 EST / APRIL 22 2020

SECURITY

Hackers spotted using new iPhone vulnerability in email-borne cyberattacks

Apple Inc. is working on a fix for a newly disclosed iOS vulnerability that has been actively used by hackers to launch cyberattacks.

The flaw was detailed today by San Francisco-based threat detection startup ZecOps Inc., which tipped off the iPhone maker on Feb. 19. ZecOps researchers came across the vulnerability after detecting that hackers were using it in attacks against customers. 

The vulnerability is a zero-day, meaning a security issue not already known to the cybersecurity community. Zero-day vulnerabilities pose an especially big risk to users because they’re difficult to detect and, by definition, there’s no patch available. The one that ZecOps’ researchers spotted in iOS is particularly severe because it enables hackers to target an Apple device without having to trick the user into performing any special action, such as clicking an infected link.

Hackers have been exploiting the vulnerability using malicious emails. An attacker sends a malware-laden message to the victim that, when received by the Apple Mail app on the user’s device, overwrites a part of the memory Apple Mail uses. That allows the attacker to gain control of the app in order to view, modify or delete emails.

“Besides a temporary slowdown of mobile mail application, users should not observe any other anomalous behavior,” ZecOps researchers cautioned in a technical overview of the issue released today. “Failed attacks would not be noticeable on iOS 13 if another attack is carried afterwards and deletes the email.”

The exploit relies on a data handling component in MIME, a library Apple Mail uses to format emails, that Apple has implemented without certain error-checking mechanisms. The lack of these safeguards allows hackers to insert data into parts of the device memory that are otherwise inaccessible. On its own, the vulnerability doesn’t enable access to any other apps, but ZecOps warned that a sophisticated attacker could combine it with a second vulnerability to take over a victim’s entire device. 

The vulnerability has been “widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target VIPs, executive management across multiple industries, individuals from Fortune 2000 companies, as well as smaller organizations such as MSSPs,” the startup’s researchers wrote.

Apple released a patch on April 15 for the beta release of iOS 13.4.5, the next version of its operating system. The update is slated to roll out to general availability in the near future. In the meantime, users are advised to switch from Apple Mail to Gmail or Outlook, which are believed to be unaffected by the exploit.  
