Update regarding the Apple iOS Mail App Vulnerability

Updated
August 28, 2024
Written by
Maxime Cartier

Apple recently confirmed the most significant vulnerability in iOS history after ZecOps publicly announced their discovery of a security flaw. We reported on the issue recently. It was speculated that the problem affected millions of iPhone users, but after Apple's announcement the issue appears to be even more significant than anyone imagined.

Since 2010, every iPhone has been affected

Ever since iOS 3.1.3, released in 2010, every iPhone has been vulnerable to a possible remote attack on the iOS Mail app. If you own an iPhone, iPad, or Apple Watch, keep reading.

No patch for the ‘MailDemon’ vulnerability

This vulnerability, publicly also referred to as 'MailDemon', can be used for remote code execution as a 'zero-click exploit'. This means that users can be compromised without ever interacting with the email they receive in their iOS Mail app. According to ZecOps, Apple has not yet released a patch.

Apple to fix this vulnerability

According to some news reports, Apple has promised to fix the vulnerability with the release of iOS 13.5. This is great news for owners of the iPhone 6S and newer. It remains to be seen whether Apple will release a patch for older devices that do not support the new iOS update.

When can we expect the next update?

Apple initially released iOS 13.4 on the second-generation iPhone SE on March 24, 2020. On May 2nd, 2020, Apple released the iOS 13.5 beta to developers and public beta users, and the update will include major changes. Nevertheless, the published notes on the upcoming changes do not mention a fix for the Mail vulnerability; instead, they focus on updates related to the COVID-19 situation.

What can you do as an iPhone user?

Disable or delete the iOS Mail app on your phone.

You can find instructions on how to delete built-in Apple apps from your iOS 12, iOS 13, iPadOS, or Apple Watch devices on Apple's website. Start using an alternative, such as the Outlook or Gmail apps. Both of these are secure to use.

Do you want to see how 'MailDemon' works in more detail?

ZecOps released an excellent article on the technique and its triggers, and they invite people who have experienced the symptoms to apply for a bounty. They explain the rules of the bounty in more detail at the end of their post.

And finally, remember to practice safe email habits!
