Security researchers recently disclosed two zero-day vulnerabilities that have been present in the stock Mail app for iPhone and iPad for years. Both vulnerabilities let hackers execute remote attacks using emails laced with malicious code—and you might not even have to do anything to be affected.
The severity of these bugs depends on the version of iOS your device runs. iOS 12 users can only be hit with an attack if they open an infected email in the Mail app, while iOS 13 is vulnerable to “unassisted attacks” that run without the user ever needing to interact with the email or its contents.
Luckily, despite how scary these bugs might sound, Apple has a fix on the way. It’s also pretty easy for most users to keep themselves safe in the meantime.
Apple’s incoming iOS 13.4.5 patches both bugs. It’s available in beta right now, if you feel like using a potentially buggier version of iOS, but the update could be released to everyone within a few more days. If you want to block any chance of getting hit with this attack, you can also unlink your email accounts from Apple’s Mail app and switch to a third-party email app in the meantime. (Odds are good that you’ll be OK just waiting for the patch.)
While both iOS Mail bugs have been successfully used by hackers, confirmed attacks have been limited to Fortune 500 organisations in the U.S., high-profile business targets in Japan and Europe, and at least one European journalist. So unless you’re a business executive or have a high-profile public persona, you’re probably not going to receive any malicious emails. Either way, iOS 13.4.5 should be publicly available and rolling out to your iPhone soon.