We use Apple’s Mail app all day, every single day for dealing with work and private electronic mail, together with a plentiful provide of very welcome Bare Safety feedback, questions, article concepts, typo reviews, podcast options and way more.
(Hold ’em coming – we get much more optimistic and helpful messages that we get trolls, and we’ve like to maintain it that manner: suggestions@sophos.com is how you can attain us.)
We’ve at all times discovered the Mail app to be a really helpful workhorse that fits us nicely: it’s not particularly fancy; it’s not filled with options we by no means use; it’s visually easy; and (to date anyway), it’s been doggedly dependable.
However there will need to have been a significant issue brewing within the newest model of the app, as a result of Apple simply pushed out a one-bug safety patch for iOS 16, taking the model quantity to iOS 16.0.3, and fixing a vulnerability particular to Mail:
One and just one bug is listed:
Affect: Processing a maliciously crafted electronic mail message might result in a denial-of-service Description: An enter validation situation was addressed with improved enter validation. CVE-2022-22658
“One-bug” bulletins
In our expertise, “one-bug” safety bulletins from Apple, or a minimum of N-bug bulletins for small N, are the exception reasonably than the rule, and sometimes appear to reach when there’s a transparent and current hazard corresponding to a jailbreakable zero-day exploit or exploit sequence.
Maybe the very best identified latest emergency replace of this type was a double zero-day repair in August 2022 that patched towards a two-barrelled assault consisting of a distant code execution gap in WebKit (a manner in) adopted by a neighborhood code execution gap within the kernel itself (a approach to take over fully):
These bugs had been formally listed not solely as identified to outsiders, but in addition as being underneath lively abuse, presumably for implanting some kind of malware that might maintain tabs on every part you probably did, corresponding to snooping on all of your knowledge, taking secret screenshots, listening in to telephone calls, and snapping photographs along with your digicam.
About two weeks later, Apple even slipped out an sudden replace for iOS 12, an outdated model that the majority of us assumed was successfully “abandonware”, having been conspicuously absent from Apple’s official safety updates for nearly a 12 months earlier than that:
(Apparently, iOS 12 was affected by the WebKit bug, however not by the follow-on kernel gap that made the assault chain a lot worse on newer Apple merchandise.)
This time, nonetheless, there’s no point out that the bug patched within the replace to iOS 16.0.3 was reported by anybody outdoors Apple, or else we’d anticipate to see the finder named within the bulletin, even when solely as “an nameless researcher”.
There’s additionally no suggestion that the bug may already be identified to attackers and subsequently already getting used for mischief or worse…
…however Apple nonetheless appears to assume that it’s a vulnerability value issuing a safety bulletin about.
You’ve acquired mail, acquired mail, acquired mail…
So-called denial-of-service (DoS) or crash-me-at-will bugs are sometimes considered the lightweights of the vulnerability scene, as a result of they typically don’t present a pathway for attackers to retrieve knowledge they’re not imagined to see, or to amass entry privileges they shouldn’t have, or to run malicious code of their very own selecting.
However any DoS bug can rapidly flip right into a significant issue, particularly if it retains occurring again and again as soon as it’s triggered for the primary time.
That scenario can simply come up in messaging apps if merely accessing a booby-trapped message crashes the app, since you usually want to make use of the app to delete the troublesome message…
…and if the crash occurs rapidly sufficient, you by no means fairly get sufficient time to click on on the trash-can icon or to swipe-delete the offending message earlier than the app crashes once more, and once more, and once more.
Quite a few tales have appeared over time about iPhone “text-of-death” eventualities of this type, together with:
After all, the opposite drawback with what we jokingly check with as CRASH: GOTO CRASH bugs in messaging apps is that different folks get to decide on when to message you, and what to place within the message…
…and even should you use some type of automated filtering rule within the app to dam messages from unknown or untrusted senders, the app will usually have to course of your messages to resolve which of them to eliminate.
(Be aware that this bug report explicitly refers to a crash on account of “processing a maliciously crafted electronic mail message”.)
Due to this fact the app might crash anyway, and should maintain crashing each time it restarts because it tries to deal with the messages it didn’t handle to take care of final time.
What to do?
Whether or not you’ve acquired computerized updates turned on or not, go to Settings > Common > Software program Replace to verify for (and, if wanted, to put in) the repair.
The model you wish to see after the replace is iOS 16.0.3 or later.
Provided that Apple has pushed out a safety patch for this one DoS bug alone, we’re guessing that one thing disruptive may be at stake if an attacker had been to determine this one out.
For instance, you would find yourself with a barely usable system that you’d have to wipe fully and reflash into order to revive it to wholesome operation…
LEARN MORE ABOUT VULNERABILITIES
Click on-and-drag on the soundwaves beneath to skip to any level. You too can pay attention immediately on Soundcloud.
