Apple issued a statement saying it had “thoroughly investigated” the recent ZecOps report on hackers who exploited three iOS zero-day vulnerabilities, but “found no evidence to suggest that the vulnerabilities were used against customers.”

The day before yesterday, the security company ZecOps published a report detailing three iOS vulnerabilities that affect the Apple Mail client.

ZecOps said the vulnerabilities were used by hackers to attack VIP targets:

  • Employees of Fortune 500 companies in North America
  • An executive of a transport company in Japan
  • A VIP from Germany
  • MSSP from Saudi Arabia and Israel
  • A journalist in Europe
  • And most likely, a director of a Swiss company

However, in its published statement, Apple says it examined the details ZecOps announced in its report and did not reach the same conclusion, namely that the vulnerabilities have been used by hackers.

Apple’s full statement is as follows:

“Apple is taking seriously all reports that indicate threats to security. We have thoroughly researched the researchers’ report and, based on the information provided, we have concluded that these issues do not pose an immediate risk to our users. Researchers have identified three issues with Mail, but that alone is not enough to bypass the security features of the iPhone and iPad, and we have found no evidence that they have been used against our customers. These possible issues will soon be addressed with a software update. We value our cooperation with security researchers to keep our users safe and we thank the researchers for their help.”

The ZecOps report provoked reactions not only from Apple but also on Twitter. Several iOS security researchers have challenged the conclusion that the bugs were used in attacks.

ZecOps researchers thought the vulnerabilities were being used by hackers because of the crash logs found on the device.

These crash logs have been interpreted as attempts to exploit vulnerabilities.

ZecOps said a failed exploitation attempt left a blank email and a crash log on the device. According to the company, a successful attempt leads to the deletion of the blank emails to hide the attack.

Security researchers have noted that if the intruder can delete emails, he or she may also delete crash logs.

The opposing view is that the researchers saw only problematic (not malicious) emails triggering an error, not malicious attacks against iOS users. Apple needs more data to classify these crash bugs as attacks.

Responding to a Reuters report today, ZecOps promised to release more information about the bugs once Apple releases an updated version of the code.

The bugs have been fixed in iOS 13.4.5 beta, and the fix is expected to reach the iOS stable channel in the coming weeks.

ZecOps’ full statement is as follows:

“According to ZecOps, there have been attacks on some organizations due to these vulnerabilities. We want to thank Apple for working on a code update and look forward to updating our devices as soon as it’s available. ZecOps will release more information and POCs when the update is available.”

The existence of the bugs has never been disputed, either by Apple or by the security community. Installing iOS 13.4.5 when it is released is recommended.

In its statement, Apple wanted to make clear that it was taking the researchers’ reports into account, but said that the conclusion of this report could not be verified, at least for the time being.