iPhone users are at risk of falling victim to a serious bug that could let hackers take control of their devices.
A newly discovered bug inside Apple's Mail app on the iPhone lets hackers install malware without the user's knowledge, The Wall Street Journal reported on Wednesday. The bug, which was discovered by security researcher ZecOps, requires the hackers to send users a specific e-mail. Once the iPhone automatically downloads the message to a user's device, the payload can be deployed and malware downloaded, even if the user doesn't open the e-mail.
If the report is confirmed, this bug is a decidedly scary revelation. In many hacks, malicious hackers need to send a tainted e-mail to a user who then downloads the message and clicks on a link to activate a download. Such risks can often be mitigated by not clicking on links from unknown senders.
What makes the bug ZecOps discovered scary, however, is that users can be infected without doing anything or even knowing that they're infected. Most often, Apple's Mail readily downloads messages from the server to give users quick access. That process, which requires no user input, may be enough to cause trouble.
What's worse, it appears the bug has already been exploited.
According to the Journal report, ZecOps found that a telecommunications company in Japan, a North American company, and tech companies in Saudi Arabia and Israel, among others, have already been targeted.
Oddly enough, Apple seems to have knowledge of the flaw. According to the Journal report, the bug ZecOps discovered has been squashed in a beta version of Apple's next iOS update, but it hasn't been patched in stable, public versions of iOS.
That's good news for iPhone owners, but may not necessarily mean the end is near for the hackers exploiting the bug. Apple has done a generally good job of moving iPhone owners to its latest software versions, but it's by no means perfect. As of this writing, about 30 percent of iPhone and iPad owners still aren't running the latest version of iOS.
Until Apple releases the software update, there isn't much users can do, other than turn off automatic fetching of e-mails from the mail server. They'll also need to log in to their e-mail accounts in the cloud and try to find and eliminate strange, potentially malicious messages there before they're downloaded to the iPhone.
Needless to say, this is a bit of a mess for iPhone owners. And once the patch is released, be sure to update your iPhones.