Mail Protection: SMTP, POP3, Antispam and Antivirus iOS Mail vulnerability - can Sophos detect and block these mails ?

UTM Firewall requires membership for participation - click to join

Thread Info

State Not Answered
+2 person also asked this people also asked this
Locked Locked
Replies 9 replies
Subscribers 4 subscribers
Views 2399 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

iOS Mail vulnerability - can Sophos detect and block these mails ?

AndiS over 4 years ago

Everyone has heard of the 0-day bug in the apple mail app.

Can Sophos recognize and block the emails ? we have not been able to use the mail app for days

This thread was automatically locked due to age.

Parents

0 BAlfson over 4 years ago

Hallo Andi,

If there's a particular MIME type, then that could be blocked, but I saw nothing in the two articles I read that gave any clues. Have you started a case with Sophos Support?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

0 JasmineMaier over 4 years ago in reply to BAlfson

The guy who found it explains quite in detail at https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/

Should not be too difficult to search for those strings in Mails before delivering....

Indicators of Compromise

#	Type of indicator	Purpose	IOC
1	String in raw email	Part of the malicious email sent	`AAAAAAAA` AND `AAAAATEy` AND `EA\r\nAABI` AND `"$\x0e\xce\xa0\xd4\xc7\xcb\x08"` AND `T8hlGOo9` AND `OKl2N\r\nC` (updated)
3	String in raw email	Part of the malicious email sent	`3r0TRZfh` AND `AAAAAAAAAAAAAAAA` AND `\x0041\x0041\x0041\x0041` (unicode AAAA) (updated)
4	String in raw email	Part of the malicious email sent	`\n/s1Caa6` AND `J1Ls9RWH`
5	String in raw email	Part of the malicious email sent	`://44449`
6	String in raw email	Part of the malicious email sent	`://84371`
7	String in raw email	Part of the malicious email sent	`://87756`
8	String in raw email	Part of the malicious email sent	`://94654`

0 AndiS over 4 years ago in reply to JasmineMaier

We have to initiate support through our partner because we have no support contract for direct communication with Sophos.

I became concerned that there is no official statement from Sophos regarding the detection.

On April 23, the BSI as the Federal Cyber Security Authority warned of the use of the app and recommends:
Delete the "Mail" app or deactivate the synchronization.

Two weeks later we have neither a solution from Apple, nor any information from Sophos as to whether there is a detection.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 AndiS over 4 years ago in reply to JasmineMaier

We have to initiate support through our partner because we have no support contract for direct communication with Sophos.

I became concerned that there is no official statement from Sophos regarding the detection.

On April 23, the BSI as the Federal Cyber Security Authority warned of the use of the app and recommends:
Delete the "Mail" app or deactivate the synchronization.

Two weeks later we have neither a solution from Apple, nor any information from Sophos as to whether there is a detection.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 JasmineMaier over 4 years ago in reply to AndiS

It is funny.

You have to pay for a license to use Email-Security, but If you want to get any information about the thing you pay for, you need to pay again.....

I think Andi and me are not the only peoble having Astaro Sohpos and IPhones. Can somebody file a request ?

And for Sophos it would be good marketing if they coudl say: Our clients using Iphones are safe.
Cancel
Vote Up 0 Vote Down

Cancel
0 AndiS over 4 years ago in reply to JasmineMaier

Hi Jasmine,

we run also Sonicwall NSA firewall systems where we can contact the support directly. We have to use the Sophos support of the partner, who only forwards the request anyway, but then sends us an invoice for the service.

UTM Standard Support:
Is included with every Network, Web, Mail, Wireless or Web Application Security subscription
with a run time of 1, 3 or 5 years and offers a 24 hour bring in hardware replacement,
automatic software updates as well as technical 10*5 support via Sophos partners.

UTM Premium Support:
Can be purchased as an optional upgrade to the UTM Standard Support for 1, 3 or
5 years and offers a 24 hour up front hardware replacement, automatic software
updates as well as technical 24*7 support via Sophos support engineers.

Andreas
Cancel
Vote Up 0 Vote Down

Cancel