We use Apple’s Mail app all day, every day for handling work and personal email, including a plentiful supply of very welcome Naked Security comments, questions, article ideas, typo reports, podcast suggestions and much more.
(Keep ’em coming – we get far more positive and useful messages than we get trolls, and we’d like to keep it that way: suggestions@sophos.com is how to reach us.)
We’ve always found the Mail app to be a very useful workhorse that suits us well: it’s not especially fancy; it’s not full of features we never use; it’s visually simple; and (so far, anyway) it’s been doggedly reliable.
But there must have been a serious problem brewing in the latest version of the app, because Apple just pushed out a one-bug security patch for iOS 16, taking the version number to iOS 16.0.3, and fixing a vulnerability specific to Mail.
One and only one bug is listed:
Impact: Processing a maliciously crafted email message may lead to a denial-of-service
Description: An input validation issue was addressed with improved input validation.
CVE-2022-22658
“One-bug” bulletins
In our experience, “one-bug” security bulletins from Apple, or at least N-bug bulletins for small N, are the exception rather than the rule, and often seem to arrive when there’s a clear and present danger such as a jailbreakable zero-day exploit or exploit sequence.
Perhaps the best known recent emergency update of this sort was a double zero-day fix in August 2022 that patched against a two-barrelled attack consisting of a remote code execution hole in WebKit (a way in) followed by a local code execution hole in the kernel itself (a way to take over completely).
Those bugs were officially listed not only as known to outsiders, but also as being under active abuse, presumably for implanting some sort of malware that could keep tabs on everything you did, such as snooping on all your data, taking secret screenshots, listening in to phone calls, and snapping pictures with your camera.
About two weeks later, Apple even slipped out an unexpected update for iOS 12, an old version that most of us assumed was effectively “abandonware”, having been conspicuously absent from Apple’s official security updates for almost a year before that.
(Apparently, iOS 12 was affected by the WebKit bug, but not by the follow-on kernel hole that made the attack chain much worse on more recent Apple products.)
This time, however, there’s no mention that the bug patched in the update to iOS 16.0.3 was reported by anyone outside Apple, or else we’d expect to see the finder named in the bulletin, even if only as “an anonymous researcher”.
There’s also no suggestion that the bug might already be known to attackers and therefore already being used for mischief or worse…
…but Apple nevertheless seems to think that it’s a vulnerability worth issuing a security bulletin about.
You’ve got mail, got mail, got mail…
So-called denial-of-service (DoS) or crash-me-at-will bugs are often regarded as the lightweights of the vulnerability scene, because they generally don’t provide a pathway for attackers to retrieve data they’re not supposed to see, or to acquire access privileges they shouldn’t have, or to run malicious code of their own choosing.
But any DoS bug can quickly turn into a serious problem, especially if it keeps happening over and over once it’s triggered for the first time.
That situation can easily arise in messaging apps if simply accessing a booby-trapped message crashes the app, because you typically need to use the app to delete the troublesome message…
…and if the crash happens quickly enough, you never quite get enough time to click on the trash-can icon or to swipe-delete the offending message before the app crashes again, and again, and again.
Numerous stories have appeared over the years about iPhone “text-of-death” scenarios of this sort.
Of course, the other problem with what we jokingly refer to as CRASH: GOTO CRASH bugs in messaging apps is that other people get to choose when to message you, and what to put in the message…
…and even if you use some sort of automated filtering rule in the app to block messages from unknown or untrusted senders, the app will typically need to process your messages to decide which ones to get rid of.
(Note that this bug report explicitly refers to a crash due to “processing a maliciously crafted email message”.)
Therefore the app could crash anyway, and could keep crashing every time it restarts as it tries to deal with the messages it didn’t manage to deal with last time.
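The restart loop described above, modelled as an added example (not Apple’s code and not the actual CVE-2022-22658 trigger): it compares a processor that retries the same pending message on every launch with one that records each attempt before parsing and sets the message aside once a limit is passed. The malformed-header trigger, the function names and the attempt limit are all constructed assumptions.

```python
class Crash(Exception):
    """Stands in for the process dying inside the message parser."""

def parse(msg):
    # Constructed trigger: a header line with no colon "crashes" the parser.
    for line in msg.split("\n\n", 1)[0].splitlines():
        if ":" not in line:
            raise Crash(line)
    return msg

def run_once(inbox, state, max_attempts=None):
    """One app launch: handle pending messages in order until done or crash."""
    for msg_id, msg in inbox:
        if msg_id in state["done"] or msg_id in state["quarantined"]:
            continue
        if max_attempts is not None:
            # Hardened path: count the attempt BEFORE parsing, so the count
            # survives a crash and is visible on the next launch.
            state["attempts"][msg_id] = state["attempts"].get(msg_id, 0) + 1
            if state["attempts"][msg_id] > max_attempts:
                state["quarantined"].add(msg_id)  # set aside, do not parse
                continue
        parse(msg)
        state["done"].add(msg_id)

def simulate(inbox, launches, max_attempts=None):
    """Relaunch up to `launches` times; `state` models data kept on disk."""
    state = {"done": set(), "quarantined": set(), "attempts": {}}
    crashes = 0
    for _ in range(launches):
        try:
            run_once(inbox, state, max_attempts)
            break  # a launch finished without crashing
        except Crash:
            crashes += 1
    return crashes, state

# Constructed sample inbox: message 2 has a malformed header line.
INBOX = [
    (1, "From: a@example.com\nSubject: hi\n\nbody"),
    (2, "From: b@example.com\nBROKEN HEADER\n\nbody"),
    (3, "From: c@example.com\nSubject: later\n\nbody"),
]

if __name__ == "__main__":
    print("naive:   ", simulate(INBOX, launches=5))
    print("hardened:", simulate(INBOX, launches=5, max_attempts=2))
```

In the naive run every launch crashes on message 2 and message 3 is never reached; in the hardened run the third launch skips message 2 and finishes the queue.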
What to do?
Whether you’ve got automatic updates turned on or not, go to Settings > General > Software Update to check for (and, if needed, to install) the fix.
The version you want to see after the update is iOS 16.0.3 or later.
Given that Apple has pushed out a security patch for this one DoS bug alone, we’re guessing that something disruptive might be at stake if an attacker were to figure this one out.
For example, you could end up with a barely usable device that you’d need to wipe completely and reflash in order to restore it to healthy operation…