In a statement released today, Apple refutes claims made by a security firm that iOS suffers from a serious flaw that can allow bad actors to steal users’ files and data.
Earlier this week, reports broke out that the iOS Mail app contained a zero-day flaw, one that’d been around for eight years and actively exploited for at least two years. The claims came from ZecOps, a San Francisco-based security firm that said it had found evidence of hackers targeting high-profile individuals leveraging the bug to spy on them.
These high-profile targets allegedly included executives from a Fortune 500 organization in North America, executive from a Japanese telecoms company, a Germany-based VIP, several figures in Saudi Arabia and Israel, an executive from a Swiss enterprise and a journalist in Europe.
While some cybersecurity experts found ZecOps’s claims compelling, others were not so sure their analysis held water. Today, Apple sides with the latter group claiming it too has found no evidence that the flaw is being actively exploited by hackers. Of note, Apple doesn’t dispute the existence of the flaw. Rather, it claims there is no evidence it has been leveraged in hacks on its customer base.
The company’s full statement on the matter, released to selected media outlets today, is available below:
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
Apple has reportedly included fixes for the controversial bugs in its upcoming iOS 13.4.5, a copy of which is currently in the hands of enrolled Apple developers worldwide in the form of a beta.
The final, public version of the software will reach userland in a few weeks, according to reports. Despite Apple downplaying the dangers of ZecOps’s findings, installing the update is highly recommended when it becomes available. A confirmed vulnerability will eventually get weaponized by hackers if left unpatched for too long, especially on iOS where critical bugs are scarce.