Zero-day vulnerability in Apple iOS

Out-of-bounds write

Not patched

According to security researchers this vulnerability is being actively exploited since January 2018.

Vulnerability details

Advisory: SB2020042245 - Remote code execution in Apple iOS

Vulnerable component: Apple iOS

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C

CWE-ID: CWE-787 - Out-of-bounds write

Description:

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing email in the iOS MobileMail. A remote attacker can send a specially crafted email message, trigger an out-of-bounds write and execute arbitrary code on the target system. No user interaction is required to execute arbitrary code.

Note, this vulnerability is being actively exploited in the wild.

External links:

https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/