Hello, welcome to the Thursday, April 23rd, 2020 edition of the Sansonet Stormsanders Stormcast. My name is Johannes Ulrich.

And then I'm recording from Jacksonville, Florida.

Well, we got some bad news for iOS users today. Israeli security company SecOps disclosed two vulnerabilities in iOS's

mail software that can trigger code execution. To make things worse, not only is there

no official patch for these vulnerabilities, there are also already some attacks going on that take advantage of

these vulnerabilities.

SecOps reports that they have seen several attacks in the wild, now targeted attacks,

so a lot of details have not been disclosed until today.

However, the blog post that SecOps published has an awful lot of detail about the vulnerability

that should make exploitation possible.

A couple of things here to sort of put this a little bit in perspective.

So first of all, this could be used to execute code within mail.

Now, iOS does isolate its different applications pretty well,

so this vulnerability by itself could not necessarily cause harm to the operating systems

or device or sort of any persistent damage without any additional vulnerabilities,

for example, approach escalation or sandbox escape or other kernel issues within iOS. So by itself,

these vulnerabilities aren't quite as bad as it may sound due to some of the other mitigation methods that iOS deploys.

There is, I say, no official patch.

Now, there is a patched version of iOS, and that's the current beta version of iOS.

So it hasn't been officially released yet, and of course, Apple typically doesn't pre-announce

their releases, but look out for it, certainly something that you want to apply quickly once

it's released. It affects iOS 13 as well as iOS 12. Now, the basic vulnerability has been present since iOS 6.

...