We use Apple’s Mail app all day, daily for dealing with work and private e-mail, together with a plentiful provide of very welcome Bare Safety feedback, questions, article concepts, typo stories, podcast ideas and far more.
(Preserve ’em coming – we get much more constructive and helpful messages that we get trolls, and we’ve like to hold it that means: suggestions@sophos.com is the best way to attain us.)
We’ve at all times discovered the Mail app to be a really helpful workhorse that fits us nicely: it’s not particularly fancy; it’s not stuffed with options we by no means use; it’s visually easy; and (thus far anyway), it’s been doggedly dependable.
However there should have been a significant issue brewing within the newest model of the app, as a result of Apple simply pushed out a one-bug safety patch for iOS 16, taking the model quantity to iOS 16.0.3, and fixing a vulnerability particular to Mail:
One and just one bug is listed:
Affect: Processing a maliciously crafted e-mail message might result in a denial-of-service Description: An enter validation difficulty was addressed with improved enter validation. CVE-2022-22658
“One-bug” bulletins
In our expertise, “one-bug” safety bulletins from Apple, or not less than N-bug bulletins for small N, are the exception somewhat than the rule, and sometimes appear to reach when there’s a transparent and current hazard equivalent to a jailbreakable zero-day exploit or exploit sequence.
Maybe the very best identified current emergency replace of this kind was a double zero-day repair in August 2022 that patched in opposition to a two-barrelled assault consisting of a distant code execution gap in WebKit (a means in) adopted by a neighborhood code execution gap within the kernel itself (a technique to take over utterly):
These bugs had been formally listed not solely as identified to outsiders, but in addition as being underneath energetic abuse, presumably for implanting some kind of malware that might hold tabs on every thing you probably did, equivalent to snooping on all of your knowledge, taking secret screenshots, listening in to cellphone calls, and snapping photographs together with your digital camera.
About two weeks later, Apple even slipped out an sudden replace for iOS 12, an outdated model that the majority of us assumed was successfully “abandonware”, having been conspicuously absent from Apple’s official safety updates for nearly a 12 months earlier than that:
(Apparently, iOS 12 was affected by the WebKit bug, however not by the follow-on kernel gap that made the assault chain a lot worse on more moderen Apple merchandise.)
This time, nonetheless, there’s no point out that the bug patched within the replace to iOS 16.0.3 was reported by anybody exterior Apple, or else we’d count on to see the finder named within the bulletin, even when solely as “an nameless researcher”.
There’s additionally no suggestion that the bug may already be identified to attackers and due to this fact already getting used for mischief or worse…
…however Apple however appears to assume that it’s a vulnerability price issuing a safety bulletin about.
You’ve bought mail, bought mail, bought mail…
So-called denial-of-service (DoS) or crash-me-at-will bugs are sometimes considered the lightweights of the vulnerability scene, as a result of they typically don’t present a pathway for attackers to retrieve knowledge they’re not imagined to see, or to amass entry privileges they shouldn’t have, or to run malicious code of their very own selecting.
However any DoS bug can rapidly flip right into a significant issue, particularly if it retains occurring over and over as soon as it’s triggered for the primary time.
That state of affairs can simply come up in messaging apps if merely accessing a booby-trapped message crashes the app, since you sometimes want to make use of the app to delete the troublesome message…
…and if the crash occurs rapidly sufficient, you by no means fairly get sufficient time to click on on the trash-can icon or to swipe-delete the offending message earlier than the app crashes once more, and once more, and once more.
Quite a few tales have appeared through the years about iPhone “text-of-death” eventualities of this kind, together with:
In fact, the opposite downside with what we jokingly check with as CRASH: GOTO CRASH bugs in messaging apps is that different folks get to decide on when to message you, and what to place within the message…
…and even should you use some type of automated filtering rule within the app to dam messages from unknown or untrusted senders, the app will sometimes must course of your messages to resolve which of them to do away with.
(Observe that this bug report explicitly refers to a crash attributable to “processing a maliciously crafted e-mail message”.)
Subsequently the app might crash anyway, and should hold crashing each time it restarts because it tries to deal with the messages it didn’t handle to cope with final time.
What to do?
Whether or not you’ve bought automated updates turned on or not, go to Settings > Basic > Software program Replace to examine for (and, if wanted, to put in) the repair.
The model you need to see after the replace is iOS 16.0.3 or later.
On condition that Apple has pushed out a safety patch for this one DoS bug alone, we’re guessing that one thing disruptive is perhaps at stake if an attacker had been to determine this one out.
For instance, you possibly can find yourself with a barely usable system that you’d must wipe utterly and reflash into order to revive it to wholesome operation…
LEARN MORE ABOUT VULNERABILITIES
Click on-and-drag on the soundwaves beneath to skip to any level. You too can hear instantly on Soundcloud.