Message-Id: 202004231043
Time: since Apr 23rd, 2020
Affected: all iOS devices
Impact:  An attacker gains access to the entire system via this new vulnerability

Since Apr 23rd, 2020, the BSI has warned of a critical vulnerability in the Mail app of iOS

https://www.bsi.bund.de/EN/TheBSI/thebsi_node.html

This potentially affects all iPhone and iPad devices that use the Apple Mail app. An attacker can use this new vulnerability to gain access to the entire system without users noticing anything.

Up to now it is difficult to detect whether a device is already affected or not, only a clear “slow down” of the device can be a first indication.

Until then, the following rules will help to protect yourself:

Use Outlook Web Access (OWA) as an alternative mail access. To do this, open the Safari app on your iOS device and go to https://email.gwdg.de. There, enter your own e-mail address (under domain\username) and your password. Then you can tap on “Sign in”.

Please deactivate email data synchronization on your iPhone and/or iPad:
Step 1: Open “Passwords & Accounts” in Settings.
Step 2: Change to “Data Synchronization”.
Step 3: Deactivate the PUSH function and set Retrieval to “Manual” for all accounts.

After that, do not open the Apple Mail app any more, otherwise it will be retrieved manually and an attack would be successful again.

Alternatively, you can disable email retrieval on your iOS devices completely. However, this will delete all your email on the iOS device in question.

Apple has already announced a patch. Only then reset the changed settings on your iPhone / iPad to the normal operating mode.