The remote code execution (RCE) vulnerability in Apple’s default email app is known to Hornetsecurity’s Security Lab. Right now the Security Lab is in discovery mode. In a first analysis, the vulnerability could not be detected in any email from the last six months received through Hornetsecurity’s globally distributed honeypots.
We assume that these vulnerabilities are being used in very targeted, small-scale and highly individual attacks, because attackers must know that their victims are using iOS devices. Zero-day vulnerabilities of this kind are often too valuable to attackers to be spent on large-scale, easy-to-detect malicious spam campaigns.
Nonetheless, the Security Lab has deployed a detection system aimed at active abusers of the vulnerability, which streams collected data into a threat prediction and classification engine. If any anomaly is observed, customers are protected.
In addition, certain limitations already in place lower the risk for Hornetsecurity’s customers even further. The PoCs required very large emails (several GB) to reproduce the RCE, whereas Hornetsecurity accepts a maximum email size of 100 MB.
Security researchers assume that certain MIME multipart or RTF structures may also be used to trigger the vulnerability. Hornetsecurity’s spam and malware protection natively scans email structures and classifies anomalies in the structure as spam.
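The two gateway-side controls described above (a hard message-size cap applied before any parsing, and structural MIME anomaly checks) can be illustrated with a small Python classifier. This is an added example, not Hornetsecurity’s code; the nesting-depth, part-count and RTF heuristics and their thresholds are assumptions chosen for illustration, only the 100 MB cap comes from the text.

```python
import email
from email import policy

MAX_MESSAGE_BYTES = 100 * 1024 * 1024  # size cap stated in the text
MAX_MIME_DEPTH = 5      # assumed threshold for multipart nesting
MAX_MIME_PARTS = 100    # assumed threshold for total MIME parts
RTF_TYPES = {"application/rtf", "text/rtf", "text/richtext"}  # assumed


def mime_stats(msg, depth=0):
    """Walk the MIME tree and return (max_depth, part_count, has_rtf)."""
    ctype = msg.get_content_type()
    fname = (msg.get_filename() or "").lower()
    has_rtf = ctype in RTF_TYPES or fname.endswith(".rtf")
    max_depth, parts = depth, 1
    if msg.is_multipart():
        for part in msg.get_payload():
            d, p, r = mime_stats(part, depth + 1)
            max_depth, parts, has_rtf = max(max_depth, d), parts + p, has_rtf or r
    return max_depth, parts, has_rtf


def classify_message(raw: bytes) -> list:
    """Return a list of findings; an empty list means the message looks normal."""
    # The size cap is enforced on the raw bytes, before the message is parsed.
    if len(raw) > MAX_MESSAGE_BYTES:
        return ["oversize"]
    msg = email.message_from_bytes(raw, policy=policy.default)
    depth, parts, has_rtf = mime_stats(msg)
    findings = []
    if depth > MAX_MIME_DEPTH:
        findings.append("mime-nesting-depth")
    if parts > MAX_MIME_PARTS:
        findings.append("mime-part-count")
    if has_rtf:
        findings.append("rtf-part")
    return findings


def nested_multipart(levels: int) -> bytes:
    """Constructed sample: a text/plain body wrapped in `levels` multipart/mixed layers."""
    body = b"Content-Type: text/plain\r\n\r\nhello\r\n"
    for i in range(levels):
        b = f"b{i}".encode()
        body = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
                + b"--" + b + b"\r\n" + body + b"--" + b + b"--\r\n")
    return b"From: a@example.test\r\nTo: b@example.test\r\nSubject: t\r\n" + body
```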