Apple issued a statement saying that it “thoroughly investigated” the recent ZecOps report on hackers who exploited three iOS zero-day vulnerabilities, but “found no evidence to suggest that the vulnerabilities were used against customers.”
The day before yesterday, the security company ZecOps published a report describing in detail three iOS vulnerabilities that affect the Apple Mail client.
ZecOps said the vulnerabilities were used by hackers to attack VIP targets:
- Employees of Fortune 500 companies in North America
- An executive of a transport company in Japan
- A VIP from Germany
- MSSP from Saudi Arabia and Israel
- A journalist in Europe
- And most likely, a director of a Swiss company
However, in a statement published by Apple, the company says that it examined the details ZecOps presented in its report and did not reach the same conclusion, namely that the vulnerabilities have been used by hackers.
Apple’s full statement is as follows:
“Apple is taking seriously all reports that indicate threats to security. We have thoroughly researched the researchers’ report and, based on the information provided, we have concluded that these issues do not pose an immediate risk to our users. Researchers have identified three issues with Mail, but that alone is not enough to bypass the security features of the iPhone and iPad, and we have found no evidence that they have been used against our customers. These possible issues will soon be addressed with a software update. We value our cooperation with security researchers to keep our users safe and we thank the researchers for their help.”
The ZecOps report provoked reactions not only from Apple but also on Twitter. Several iOS security researchers have challenged the conclusion that the bugs were used in attacks.
ZecOps researchers concluded that the vulnerabilities were being used by hackers because of the crash logs found on the device.
They interpreted these crash logs as attempts to exploit the vulnerabilities.
ZecOps said that a failed exploitation attempt left a blank email and a crash log on the device. According to the company, a successful attempt leads to the deletion of the blank emails to hide the attack.
Security researchers have noted that an intruder who can delete emails may also be able to delete crash logs.
The opposing view is that the researchers saw only problematic (not malicious) emails triggering an error, and not malicious attacks against iOS users. Apple needs more data to classify these crash bugs as attacks.
Responding to a Reuters report today, ZecOps promised to release more information about the bugs when Apple releases an updated version of the code.
The bugs have been fixed in iOS 13.4.5 beta, and the fix is expected to reach the iOS stable channel in the coming weeks.
ZecOps’ full statement is as follows:
“According to ZecOps, there have been attacks on some organizations due to these vulnerabilities. We want to thank Apple for working on a code update and look forward to updating our devices as soon as it’s available. ZecOps will release more information and POCs when the update is available.”
The existence of the bugs has never been disputed, either by Apple or by the security community. In addition, it is recommended to install iOS 13.4.5 when it is released.
In its statement, Apple wanted to make it clear that it takes researchers’ reports into account, but said that the conclusion of this report could not be verified, at least for the time being.