Apple has downplayed the danger of a Mail bug disclosed recently by a security firm, according to a tweet from analyst Rene Ritchie. According to ZecOps, the app has a zero-day exploit that could let attackers infect your iOS device even if you don’t click on links or take other actions. Furthermore, ZecOps said it had evidence that attackers had attempted to use the flaw for at least two years against six or more potential targets around the world.
Apple's comment on the ZecOps claim of a Mail .app exploit (full text in image description):
— Rene Ritchie (@reneritchie) April 24, 2020
TL;DR: "The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections." pic.twitter.com/hfE2xlzHUv
However, Apple told Ritchie that the issues discovered by ZecOps are “insufficient [alone] to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.” Apple added that “these issues do not pose an immediate risk to our users...these potential issues will be addressed in a software update soon.”
ZecOps originally said that it found its evidence through digital clues left behind in iOS, adding that it couldn’t obtain proof in the form of messages as they had been deleted from targets’ phones. In a response to Apple's statement, the company reiterated its stance that it had seen "triggers in-the-wild" for the exploit and that once the update has been pushed to users it will "release more information and POCs (proof of concepts)" to further clarify its original findings.
A security researcher from Jamf told the WSJ that the evidence of attacks was “compelling” but not authoritative. In any even, while Apple is now saying that the vulnerabilities weren’t exploited in the wild, they were clearly still serious enough to warrant a patch.