Apple has found no evidence that recently discovered security flaws in the native iOS Mail app were exploited by hackers, the company said in a statement. “We have found no evidence they were used against customers,” the company said. It also cast doubt on whether the issues, which it admitted were present on both the iPhone and the iPad versions of its Mail app, were enough to bypass the two devices’ security protections.
Apple’s response directly contradicts the claims of security researchers at ZecOps, who said that they’d found evidence of the exploit being used against at least six high-profile targets. The flaws allowed a hacker to infect a device simply by sending it a specially crafted email and having the victim open it. At the time, ZecOps said it had “high confidence” that the vulnerabilities had been exploited in the wild by “advanced threat operator(s).”
Apple said that the vulnerabilities, which ZecOps claimed date back as far as iOS 6, do not pose an immediate risk to its users and will be addressed in a forthcoming software update. When it originally disclosed the vulnerabilities, ZecOps said that Apple had already addressed the issues in the beta version of Apple Mail.
After the research company’s original report, some within the security community — including a researcher at Google’s Project Zero — questioned its claims that the issues had been exploited in the wild. ZecOps had said that unnamed targets included an executive at a mobile carrier in Japan and individuals from Fortune 500 companies in North America.
Apple’s full statement can be found below:
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”