The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume significant amount of memory
The vulnerability does not necessarily require a large email – a regular email which is able to consume enough RAM would be sufficient. There are many ways to achieve such resource exhaustion including RTF, multi-part, and other methods
Both vulnerabilities were triggered in-the-wild
The vulnerability can be triggered before the entire email is downloaded, hence the email content won’t necessarily remain on the device
We are not dismissing the possibility that attackers may have deleted remaining emails following a successful attack
Vulnerability trigger on iOS 13: Unassisted (/zero-click) attacks on iOS 13 when Mail application is opened in the background
Vulnerability trigger on iOS 12: The attack requires a click on the email. The attack will be triggered before rendering the content. The user won’t notice anything anomalous in the email itself
Unassisted attacks on iOS 12 can be triggered (aka zero click) if the attacker controls the mail server
The vulnerabilities exist at least since iOS 6 – (issue date: September 2012) – when iPhone 5 was released
The earliest triggers we have observed in the wild were on iOS 11.2.2 in January 2018