Apple has found no evidence that recently discovered security vulnerabilities in the native iOS Mail app have been exploited by hackers, the company said in a statement. “We found no evidence that they were used against customers,” said the company. It also cast doubt on whether the problems, which it admitted were present in the iPhone and iPad versions of its Mail app, were enough to circumvent the security protections of the two devices.
Apple’s response directly contradicts claims by ZecOps security researchers, who said they found evidence of the exploit being used against at least six high-level targets. The flaws allowed a hacker to infect a device by simply sending it a specially crafted email and having the victim open it. At the time, ZecOps said it was “highly confident” that the vulnerabilities had been exploited in the wild by “advanced threat operators”.
Apple has stated that the vulnerabilities, which ZecOps claims date back to iOS 6, do not pose an immediate risk to its users and will be addressed in a future software update. When it first disclosed the vulnerabilities, ZecOps said that Apple had already fixed the Apple Mail issues in a beta version.
After the research company’s initial report, some members of the security community – including a Google Project Zero researcher – questioned its claims that the problems had been exploited in the wild. ZecOps said that the anonymous targets included a manager from a mobile operator in Japan and individuals from Fortune 500 companies in North America.
Apple’s full statement can be found below:
“Apple takes all reports of security threats seriously. We have thoroughly studied the researcher’s report and, based on the information provided, we have concluded that these problems do not pose an immediate risk to our users. The researcher identified three problems in Mail, but by themselves they are not enough to bypass iPhone and iPad security protections, and we found no evidence that they were used against clients. These potential issues will soon be addressed in a software update. We appreciate our collaboration with security researchers to help keep our users safe and we thank the researcher for his help.”